
[freetype2] master 298e2ea: [cff, truetype] Integer overflows.


From: Werner LEMBERG
Subject: [freetype2] master 298e2ea: [cff, truetype] Integer overflows.
Date: Thu, 22 Jun 2017 05:53:01 -0400 (EDT)

branch: master
commit 298e2ea5a6c2e3264f8abaa8b1d2371fb4c77f4d
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    [cff, truetype] Integer overflows.
    
    Reported as
    
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2323
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2328
    
    * src/cff/cf2blues.c (cf2_blues_capture): Use ADD_INT32 and
    SUB_INT32.
    
    * src/truetype/ttinterp.c (Ins_SDPVTL): Use SUB_LONG and NEG_LONG.
---
 ChangeLog               | 14 ++++++++++++++
 src/cff/cf2blues.c      |  9 +++++----
 src/truetype/ttinterp.c | 24 ++++++++++++------------
 3 files changed, 31 insertions(+), 16 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3c95165..f40f4db 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,17 @@
+2017-06-22  Werner Lemberg  <address@hidden>
+
+       [cff, truetype] Integer overflows.
+
+       Reported as
+
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2323
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2328
+
+       * src/cff/cf2blues.c (cf2_blues_capture): Use ADD_INT32 and
+       SUB_INT32.
+
+       * src/truetype/ttinterp.c (Ins_SDPVTL): Use SUB_LONG and NEG_LONG.
+
 2017-06-21  Alexei Podtelezhnikov  <address@hidden>
 
        [sfnt] Synthesize a Unicode charmap if one is missing.
diff --git a/src/cff/cf2blues.c b/src/cff/cf2blues.c
index f5b44b2..f9f5bbb 100644
--- a/src/cff/cf2blues.c
+++ b/src/cff/cf2blues.c
@@ -515,7 +515,7 @@
             dsNew = cf2_fixedRound( bottomHintEdge->dsCoord );
           }
 
-          dsMove   = dsNew - bottomHintEdge->dsCoord;
+          dsMove   = SUB_INT32( dsNew, bottomHintEdge->dsCoord );
           captured = TRUE;
 
           break;
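Review bot: The subtraction on the new `dsMove = SUB_INT32( dsNew, bottomHintEdge->dsCoord );` line is now wrap-safe, but the operand `dsNew` comes from `cf2_fixedRound( bottomHintEdge->dsCoord )` one line above, and that macro is not visible here; if it rounds by adding the half-unit constant in signed arithmetic, the same class of overflow the commit fixes still occurs just before the guarded line. It would be worth confirming that cf2_fixedRound performs its addition on an unsigned value (or through one of the wrap-safe macros) for the near-INT32_MAX inputs the fuzzer produced. The same observation applies to the second hunk (topHintEdge, `dsNew = cf2_fixedRound( topHintEdge->dsCoord )`). A short comment at the first guarded line would also help a later maintainer not revert to the plain operator: `/* dsCoord is untrusted font data; avoid signed overflow */`. The enclosing switch and cf2_blues_capture both start and end outside the hunk.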
@@ -549,7 +549,7 @@
             dsNew = cf2_fixedRound( topHintEdge->dsCoord );
           }
 
-          dsMove   = dsNew - topHintEdge->dsCoord;
+          dsMove   = SUB_INT32( dsNew, topHintEdge->dsCoord );
           captured = TRUE;
 
           break;
@@ -562,13 +562,14 @@
       /* move both edges and flag them `locked' */
       if ( cf2_hint_isValid( bottomHintEdge ) )
       {
-        bottomHintEdge->dsCoord += dsMove;
+        bottomHintEdge->dsCoord = ADD_INT32( bottomHintEdge->dsCoord,
+                                             dsMove );
         cf2_hint_lock( bottomHintEdge );
       }
 
       if ( cf2_hint_isValid( topHintEdge ) )
       {
-        topHintEdge->dsCoord += dsMove;
+        topHintEdge->dsCoord = ADD_INT32( topHintEdge->dsCoord, dsMove );
         cf2_hint_lock( topHintEdge );
       }
     }
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index c6605bb..a032923 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -4927,12 +4927,12 @@
     }
 
     {
-      FT_Vector* v1 = exc->zp1.org + p2;
-      FT_Vector* v2 = exc->zp2.org + p1;
+      FT_Vector*  v1 = exc->zp1.org + p2;
+      FT_Vector*  v2 = exc->zp2.org + p1;
 
 
-      A = v1->x - v2->x;
-      B = v1->y - v2->y;
+      A = SUB_LONG( v1->x, v2->x );
+      B = SUB_LONG( v1->y, v2->y );
 
       /* If v1 == v2, SDPvTL behaves the same as */
       /* SVTCA[X], respectively.                 */
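Review bot: The new `A = SUB_LONG( v1->x, v2->x );` and `B = SUB_LONG( v1->y, v2->y );` lines remove the undefined behaviour, but nothing in the hunk records why plain subtraction was unsafe, and the same pattern is repeated in the third hunk (`exc->zp2.cur`) and the NEG_LONG rotation in the second and fourth hunks; a one-line comment at this first use would keep the intent visible: `/* point coordinates come from untrusted glyph data; wrap-safe subtraction */`. Presumably SUB_LONG yields the wrapped difference rather than trapping, so on hostile input A and B can still be large wrapped values that are handed to `Normalize( A, B, &exc->GS.dualVector )`; it should be confirmed that Normalize tolerates such magnitudes. The `}` at the top of the hunk suggests the p1/p2 bounds checks precede this block, but they are outside the hunk, as is the rest of Ins_SDPVTL.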
@@ -4948,9 +4948,9 @@
 
     if ( ( opcode & 1 ) != 0 )
     {
-      C =  B;   /* counter clockwise rotation */
-      B =  A;
-      A = -C;
+      C = B;   /* counter clockwise rotation */
+      B = A;
+      A = NEG_LONG( C );
     }
 
     Normalize( A, B, &exc->GS.dualVector );
@@ -4960,8 +4960,8 @@
       FT_Vector*  v2 = exc->zp2.cur + p1;
 
 
-      A = v1->x - v2->x;
-      B = v1->y - v2->y;
+      A = SUB_LONG( v1->x, v2->x );
+      B = SUB_LONG( v1->y, v2->y );
 
       if ( A == 0 && B == 0 )
       {
@@ -4972,9 +4972,9 @@
 
     if ( ( opcode & 1 ) != 0 )
     {
-      C =  B;   /* counter clockwise rotation */
-      B =  A;
-      A = -C;
+      C = B;   /* counter clockwise rotation */
+      B = A;
+      A = NEG_LONG( C );
     }
 
     Normalize( A, B, &exc->GS.projVector );


