freetype-commit

[freetype2] master 0716c6a: [cff] Even more integer overflows.


From: Werner LEMBERG
Subject: [freetype2] master 0716c6a: [cff] Even more integer overflows.
Date: Fri, 2 Jun 2017 13:24:24 -0400 (EDT)

branch: master
commit 0716c6ab7a1c43ba88192498d23e84178e216820
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    [cff] Even more integer overflows.
    
    Reported as
    
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2046
    
    * src/cff/cf2intrp.c (cf2_doStems, cf2_interpT2CharString): Use
    OVERFLOW_ADD_INT32.
---
 ChangeLog          | 11 +++++++++++
 src/cff/cf2intrp.c | 14 ++++++++------
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 1b7335d..77446ec 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,16 @@
 2017-06-02  Werner Lemberg  <address@hidden>
 
+       [cff] Even more integer overflows.
+
+       Reported as
+
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2046
+
+       * src/cff/cf2intrp.c (cf2_doStems, cf2_interpT2CharString): Use
+       OVERFLOW_ADD_INT32.
+
+2017-06-02  Werner Lemberg  <address@hidden>
+
        [cff] More integer overflows.
 
        Reported as
diff --git a/src/cff/cf2intrp.c b/src/cff/cf2intrp.c
index 463b7e8..3564758 100644
--- a/src/cff/cf2intrp.c
+++ b/src/cff/cf2intrp.c
@@ -304,10 +304,12 @@
       CF2_StemHintRec  stemhint;
 
 
-      stemhint.min  =
-        position   += cf2_stack_getReal( opStack, i );
-      stemhint.max  =
-        position   += cf2_stack_getReal( opStack, i + 1 );
+      stemhint.min =
+      position     = OVERFLOW_ADD_INT32( position,
+                                         cf2_stack_getReal( opStack, i ) );
+      stemhint.max =
+      position     = OVERFLOW_ADD_INT32( position,
+                                         cf2_stack_getReal( opStack, i + 1 ) );
 
       stemhint.used  = FALSE;
       stemhint.maxDS =
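Review bot: The chained assignments to stemhint.min and stemhint.max are hard to read as laid out. `stemhint.min =` sits on one line and `position     = OVERFLOW_ADD_INT32( ...` on the next with the `=` signs aligned, so the pair looks like two independent statements. Updating `position` in its own statement and then writing `stemhint.min = position;` (likewise for max) would make the running accumulation explicit. A second point on the same lines: assuming OVERFLOW_ADD_INT32 makes the sum well-defined rather than rejecting it, an out-of-range sum still ends up in the hint, so stemhint.max can come out below stemhint.min for hostile operands. A short comment saying whether the later hint processing tolerates that, or an explicit check, would help the next reader.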
@@ -1617,8 +1619,8 @@
         if ( font->decoder->width_only )
           goto exit;
 
-        curY += cf2_stack_popFixed( opStack );
-        curX += cf2_stack_popFixed( opStack );
+        curY = OVERFLOW_ADD_INT32( curY, cf2_stack_popFixed( opStack ) );
+        curX = OVERFLOW_ADD_INT32( curX, cf2_stack_popFixed( opStack ) );
 
         cf2_glyphpath_moveTo( &glyphPath, curX, curY );
 
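Review bot: Both new lines pass `cf2_stack_popFixed( opStack )`, a call with a side effect, directly as an argument to OVERFLOW_ADD_INT32. If that is a macro that expands its second argument more than once, each line would pop the stack twice. Popping into a local first and then adding removes the dependency on the macro's definition, and it also documents that the Y delta is popped before the X delta. Only the two additions ahead of cf2_glyphpath_moveTo are changed here. Any other place in cf2_interpT2CharString that accumulates into curX or curY with a plain `+=` would need the same treatment, so it is worth stating in the commit message whether those were checked.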