[cff, truetype] Integer overflows.
Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2047 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2057 * src/cff/cf2hints.c (cf2_hintmap_map): Use OVERFLOW_SUB_INT32. * src/truetype/ttinterp.c (Ins_ADD): Use OVERFLOW_ADD_LONG. (Ins_SUB): Use OVERFLOW_SUB_LONG. (Ins_NEG): Use NEG_LONG.
parent
c5a225413f
commit
1ea343228d
15
ChangeLog
15
ChangeLog
|
@ -1,3 +1,18 @@
|
||||||
|
2017-06-03 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
|
[cff, truetype] Integer overflows.
|
||||||
|
|
||||||
|
Reported as
|
||||||
|
|
||||||
|
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2047
|
||||||
|
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2057
|
||||||
|
|
||||||
|
* src/cff/cf2hints.c (cf2_hintmap_map): Use OVERFLOW_SUB_INT32.
|
||||||
|
|
||||||
|
* src/truetype/ttinterp.c (Ins_ADD): Use OVERFLOW_ADD_LONG.
|
||||||
|
(Ins_SUB): Use OVERFLOW_SUB_LONG.
|
||||||
|
(Ins_NEG): Use NEG_LONG.
|
||||||
|
|
||||||
2017-06-03 Werner Lemberg <wl@gnu.org>
|
2017-06-03 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
ftcalc.h: Avoid left-shift of negative numbers.
|
ftcalc.h: Avoid left-shift of negative numbers.
|
||||||
|
|
|
@ -343,7 +343,8 @@
|
||||||
* Use edge[i], the highest entry where csCoord >= entry[i].csCoord
|
* Use edge[i], the highest entry where csCoord >= entry[i].csCoord
|
||||||
*/
|
*/
|
||||||
return OVERFLOW_ADD_INT32(
|
return OVERFLOW_ADD_INT32(
|
||||||
FT_MulFix( csCoord - hintmap->edge[i].csCoord,
|
FT_MulFix( OVERFLOW_SUB_INT32( csCoord,
|
||||||
|
hintmap->edge[i].csCoord ),
|
||||||
hintmap->edge[i].scale ),
|
hintmap->edge[i].scale ),
|
||||||
hintmap->edge[i].dsCoord );
|
hintmap->edge[i].dsCoord );
|
||||||
}
|
}
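Review bot: Nothing at this return tells a reader that the value handed back by `cf2_hintmap_map` can be a wrapped, meaningless coordinate when the charstring supplies extreme `csCoord` values. Assuming `OVERFLOW_SUB_INT32` wraps through unsigned arithmetic (its definition is not on this page), the new code removes the signed-overflow undefined behaviour but does not reject the input, so callers still receive an arbitrary device-space value for malformed fonts. I would add a comment above the return such as `/* csCoord comes from untrusted charstring data; wrap-around is deliberate and the result is only meaningful for sane input */`. The function body starts outside the hunk, so whether an earlier range check already bounds `csCoord` cannot be confirmed from here.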
|
||||||
|
|
|
@ -2826,7 +2826,7 @@
|
||||||
static void
|
static void
|
||||||
Ins_ADD( FT_Long* args )
|
Ins_ADD( FT_Long* args )
|
||||||
{
|
{
|
||||||
args[0] += args[1];
|
args[0] = OVERFLOW_ADD_LONG( args[0], args[1] );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -2839,7 +2839,7 @@
|
||||||
static void
|
static void
|
||||||
Ins_SUB( FT_Long* args )
|
Ins_SUB( FT_Long* args )
|
||||||
{
|
{
|
||||||
args[0] -= args[1];
|
args[0] = OVERFLOW_SUB_LONG( args[0], args[1] );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -2895,7 +2895,7 @@
|
||||||
static void
|
static void
|
||||||
Ins_NEG( FT_Long* args )
|
Ins_NEG( FT_Long* args )
|
||||||
{
|
{
|
||||||
args[0] = -args[0];
|
args[0] = NEG_LONG( args[0] );
|
||||||
}
|
}
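Review bot: The three rewritten handlers (`Ins_ADD`, `Ins_SUB`, `Ins_NEG`) carry no comment stating that their operands are interpreter stack cells filled by font bytecode and that wrap-around is the intended result. Assuming the macros wrap via unsigned arithmetic (their definitions are not shown here), a one-line comment on each handler such as `/* operands come from untrusted bytecode; wrap instead of invoking signed-overflow UB */` would keep a later cleanup from reverting to `+=`, `-=` or unary minus. Other arithmetic handlers of the same interpreter lie outside these hunks. Any of them that negate or combine `args[]` cells with plain signed operators (an absolute-value or multiply handler, for instance) would deserve the same check, which cannot be verified from this page.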
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -329,8 +329,8 @@
|
||||||
for ( i = 0; i < mmaster.num_axis; i++ )
|
for ( i = 0; i < mmaster.num_axis; i++ )
|
||||||
{
|
{
|
||||||
mmvar->axis[i].name = mmaster.axis[i].name;
|
mmvar->axis[i].name = mmaster.axis[i].name;
|
||||||
mmvar->axis[i].minimum = INT_TO_FIXED( mmaster.axis[i].minimum);
|
mmvar->axis[i].minimum = INT_TO_FIXED( mmaster.axis[i].minimum );
|
||||||
mmvar->axis[i].maximum = INT_TO_FIXED( mmaster.axis[i].maximum);
|
mmvar->axis[i].maximum = INT_TO_FIXED( mmaster.axis[i].maximum );
|
||||||
mmvar->axis[i].def = ( mmvar->axis[i].minimum +
|
mmvar->axis[i].def = ( mmvar->axis[i].minimum +
|
||||||
mmvar->axis[i].maximum ) / 2;
|
mmvar->axis[i].maximum ) / 2;
|
||||||
/* Does not apply. But this value is in range */
|
/* Does not apply. But this value is in range */
|
||||||
|
|