[freetype2] master 24848a3: [cff] Integer overflow.

freetype-commit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[freetype2] master 24848a3: [cff] Integer overflow.

From:	Werner LEMBERG
Subject:	[freetype2] master 24848a3: [cff] Integer overflow.
Date:	Tue, 6 Jun 2017 06:05:24 -0400 (EDT)

branch: master
commit 24848a3d58cdd3ffd40ef3ddd68407d18f678b52
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    [cff] Integer overflow.
    
    Reported as
    
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2109
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2110
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2122
    
    * src/cff/cf2blues.c (cf2_blues_init): Use OVERFLOW_SUB_INT32.
    
    * src/cff/cf2hints.c (cf2_hintmap_map): Synchronize if-else
    branches.
---
 ChangeLog          | 15 +++++++++++++++
 src/cff/cf2blues.c |  5 +++--
 src/cff/cf2hints.c |  3 ++-
 3 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 6442e87..8d4e316 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@
+2017-06-06  Werner Lemberg  <address@hidden>
+
+       [cff] Integer overflow.
+
+       Reported as
+
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2109
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2110
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2122
+
+       * src/cff/cf2blues.c (cf2_blues_init): Use OVERFLOW_SUB_INT32.
+
+       * src/cff/cf2hints.c (cf2_hintmap_map): Synchronize if-else
+       branches.
+
 2017-06-05  Werner Lemberg  <address@hidden>
 
        [cff] Integer overflow.
diff --git a/src/cff/cf2blues.c b/src/cff/cf2blues.c
index a94254d..262be83 100644
--- a/src/cff/cf2blues.c
+++ b/src/cff/cf2blues.c
@@ -194,8 +194,9 @@
       blues->zone[blues->count].csTopEdge =
         cf2_blueToFixed( blueValues[i + 1] );
 
-      zoneHeight = blues->zone[blues->count].csTopEdge -
-                   blues->zone[blues->count].csBottomEdge;
+      zoneHeight = OVERFLOW_SUB_INT32(
+                     blues->zone[blues->count].csTopEdge,
+                     blues->zone[blues->count].csBottomEdge );
 
       if ( zoneHeight < 0 )
       {
diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c
index d7938c9..e326c1b 100644
--- a/src/cff/cf2hints.c
+++ b/src/cff/cf2hints.c
@@ -332,7 +332,8 @@
       {
         /* special case for points below first edge: use uniform scale */
         return OVERFLOW_ADD_INT32(
-                 FT_MulFix( csCoord - hintmap->edge[0].csCoord,
+                 FT_MulFix( OVERFLOW_SUB_INT32( csCoord,
+                                                hintmap->edge[0].csCoord ),
                             hintmap->scale ),
                  hintmap->edge[0].dsCoord );
       }

[Prev in Thread]

Current Thread

[Next in Thread]

[freetype2] master 24848a3: [cff] Integer overflow., Werner LEMBERG <=

Prev by Date: [freetype2] ewaldhew-refactor-cf2 b6baf12 2/8: Moved decoder and builder
Next by Date: [freetype2] master 7bffeac: [cff, truetype] Integer overflows.
Previous by thread: [freetype2] ewaldhew-refactor-cf2 b6baf12 2/8: Moved decoder and builder
Next by thread: [freetype2] master 7bffeac: [cff, truetype] Integer overflows.
Index(es):
- Date
- Thread