
[freetype2] master dbeb7bc: [bdf, cff] Integer overflows.


From: Werner LEMBERG
Subject: [freetype2] master dbeb7bc: [bdf, cff] Integer overflows.
Date: Thu, 15 Jun 2017 13:40:08 -0400 (EDT)

branch: master
commit dbeb7bce7f76cdd786ce4022e0b45a653f68db5d
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    [bdf, cff] Integer overflows.
    
    Reported as
    
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2244
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2261
    
    * src/bdf/bdfdrivr.c (BDF_Face_Init): Replace calls to FT_ABS with
    direct code to avoid value negation.
    
    * src/cff/cf2blues.c (cf2_blues_capture): Use SUB_INT32 and
    ADD_INT32.
---
 ChangeLog          | 15 +++++++++++++++
 src/bdf/bdfdrivr.c | 16 +++++++++-------
 src/cff/cf2blues.c | 12 ++++++------
 3 files changed, 30 insertions(+), 13 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 74dc50f..e4a4db9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@
+2017-06-15  Werner Lemberg  <address@hidden>
+
+       [bdf, cff] Integer overflows.
+
+       Reported as
+
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2244
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2261
+
+       * src/bdf/bdfdrivr.c (BDF_Face_Init): Replace calls to FT_ABS with
+       direct code to avoid value negation.
+
+       * src/cff/cf2blues.c (cf2_blues_capture): Use SUB_INT32 and
+       ADD_INT32.
+
 2017-06-13  Werner Lemberg  <address@hidden>
 
        * src/winfonts/winfnt.c (FNT_Face_Init): Don't set active encoding.
diff --git a/src/bdf/bdfdrivr.c b/src/bdf/bdfdrivr.c
index 09cb489..37e6eea 100644
--- a/src/bdf/bdfdrivr.c
+++ b/src/bdf/bdfdrivr.c
@@ -442,13 +442,13 @@ THE SOFTWARE.
         FT_ZERO( bsize );
 
         /* sanity checks */
-        if ( FT_ABS( font->font_ascent ) > 0x7FFF )
+        if ( font->font_ascent > 0x7FFF || font->font_ascent < -0x7FFF )
         {
           font->font_ascent = font->font_ascent < 0 ? -0x7FFF : 0x7FFF;
           FT_TRACE0(( "BDF_Face_Init: clamping font ascent to value %d\n",
                       font->font_ascent ));
         }
-        if ( FT_ABS( font->font_descent ) > 0x7FFF )
+        if ( font->font_descent > 0x7FFF || font->font_descent < -0x7FFF )
         {
           font->font_descent = font->font_descent < 0 ? -0x7FFF : 0x7FFF;
           FT_TRACE0(( "BDF_Face_Init: clamping font descent to value %d\n",
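Review bot: The rewritten checks in this hunk carry no comment saying why the two bounds are compared separately, so a later cleanup could fold `font->font_ascent > 0x7FFF || font->font_ascent < -0x7FFF` back into an `FT_ABS( ... ) > 0x7FFF` test and bring back the negation overflow the commit message describes. I would extend the existing comment to `/* sanity checks; compare both bounds directly, since negating the most negative value overflows */`. The same two-sided comparison recurs in the later hunks of this file (average width, point size, pixel size, X and Y resolution), so a small range-check macro local to the file would keep the copies in step. BDF_Face_Init begins and ends outside the hunk.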
@@ -464,7 +464,8 @@ THE SOFTWARE.
           if ( prop->value.l < 0 )
             FT_TRACE0(( "BDF_Face_Init: negative average width\n" ));
 #endif
-          if ( ( FT_ABS( prop->value.l ) > 0x7FFFL * 10 - 5 ) )
+          if ( prop->value.l >    0x7FFFL * 10 - 5   ||
+               prop->value.l < -( 0x7FFFL * 10 - 5 ) )
           {
             bsize->width = 0x7FFF;
             FT_TRACE0(( "BDF_Face_Init: clamping average width to value %d\n",
@@ -487,7 +488,8 @@ THE SOFTWARE.
             FT_TRACE0(( "BDF_Face_Init: negative point size\n" ));
 #endif
           /* convert from 722.7 decipoints to 72 points per inch */
-          if ( FT_ABS( prop->value.l ) > 0x504C2L ) /* 0x7FFF * 72270/7200 */
+          if ( prop->value.l >  0x504C2L || /* 0x7FFF * 72270/7200 */
+               prop->value.l < -0x504C2L )
           {
             bsize->size = 0x7FFF;
             FT_TRACE0(( "BDF_Face_Init: clamping point size to value %d\n",
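Review bot: The comment `/* 0x7FFF * 72270/7200 */` now sits after the `||` in the middle of the condition and reads as if it explained only the upper bound, although the same constant is negated on the next line. Moving it to its own line above the `if`, for example `/* bound is 0x7FFF * 72270/7200 */`, leaves the two comparison lines aligned like the average-width check in the previous hunk. The enclosing block continues outside the hunk.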
@@ -511,7 +513,7 @@ THE SOFTWARE.
           if ( prop->value.l < 0 )
             FT_TRACE0(( "BDF_Face_Init: negative pixel size\n" ));
 #endif
-          if ( FT_ABS( prop->value.l ) > 0x7FFF )
+          if ( prop->value.l > 0x7FFF || prop->value.l < -0x7FFF )
           {
             bsize->y_ppem = 0x7FFF << 6;
             FT_TRACE0(( "BDF_Face_Init: clamping pixel size to value %d\n",
@@ -528,7 +530,7 @@ THE SOFTWARE.
           if ( prop->value.l < 0 )
             FT_TRACE0(( "BDF_Face_Init: negative X resolution\n" ));
 #endif
-          if ( FT_ABS( prop->value.l ) > 0x7FFF )
+          if ( prop->value.l > 0x7FFF || prop->value.l < -0x7FFF )
           {
             resolution_x = 0x7FFF;
             FT_TRACE0(( "BDF_Face_Init: clamping X resolution to value %d\n",
@@ -545,7 +547,7 @@ THE SOFTWARE.
           if ( prop->value.l < 0 )
             FT_TRACE0(( "BDF_Face_Init: negative Y resolution\n" ));
 #endif
-          if ( FT_ABS( prop->value.l ) > 0x7FFF )
+          if ( prop->value.l > 0x7FFF || prop->value.l < -0x7FFF )
           {
             resolution_y = 0x7FFF;
             FT_TRACE0(( "BDF_Face_Init: clamping Y resolution to value %d\n",
diff --git a/src/cff/cf2blues.c b/src/cff/cf2blues.c
index 5ba5f9c..f5b44b2 100644
--- a/src/cff/cf2blues.c
+++ b/src/cff/cf2blues.c
@@ -489,10 +489,10 @@
       if ( blues->zone[i].bottomZone           &&
            cf2_hint_isBottom( bottomHintEdge ) )
       {
-        if ( ( blues->zone[i].csBottomEdge - csFuzz ) <=
-               bottomHintEdge->csCoord                   &&
+        if ( SUB_INT32( blues->zone[i].csBottomEdge, csFuzz ) <=
+               bottomHintEdge->csCoord                           &&
              bottomHintEdge->csCoord <=
-               ( blues->zone[i].csTopEdge + csFuzz )     )
+               ADD_INT32( blues->zone[i].csTopEdge, csFuzz )     )
         {
           /* bottom edge captured by bottom zone */
 
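Review bot: Nothing near the new `SUB_INT32( blues->zone[i].csBottomEdge, csFuzz )` and `ADD_INT32( blues->zone[i].csTopEdge, csFuzz )` calls says what happens when the result wraps. The macros are not defined in this diff, but if they compute modulo 2^32 (as their use for an overflow fix suggests), a wrapped bound still takes part in the `<=` comparison, so for extreme zone edges the capture decision is made on a wrapped value. A one-line comment such as `/* bounds use wrapping arithmetic; extreme zone edges may wrap and then fail the capture test */` would record that this is accepted behaviour. The same applies to the top-zone test in the hunk at line 524; cf2_blues_capture starts and ends outside both hunks.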
@@ -524,10 +524,10 @@
 
       if ( !blues->zone[i].bottomZone && cf2_hint_isTop( topHintEdge ) )
       {
-        if ( ( blues->zone[i].csBottomEdge - csFuzz ) <=
-               topHintEdge->csCoord                      &&
+        if ( ( SUB_INT32( blues->zone[i].csBottomEdge, csFuzz ) ) <=
+               topHintEdge->csCoord                                  &&
              topHintEdge->csCoord <=
-               ( blues->zone[i].csTopEdge + csFuzz )     )
+               ADD_INT32( blues->zone[i].csTopEdge, csFuzz )         )
         {
           /* top edge captured by top zone */
 
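Review bot: The lower bound here is written `( SUB_INT32( blues->zone[i].csBottomEdge, csFuzz ) ) <=` with an extra pair of parentheses, whereas the bottom-zone test in the previous hunk writes `SUB_INT32( blues->zone[i].csBottomEdge, csFuzz ) <=` for the same expression. Dropping the outer pair makes the two parallel conditions read identically and lets the `&&` column match the first hunk. This is a style point only; the value of the expression is the same either way.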


