[cff, truetype] Integer overflows.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2047
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2057

* src/cff/cf2hints.c (cf2_hintmap_map): Use OVERFLOW_SUB_INT32.

* src/truetype/ttinterp.c (Ins_ADD): Use OVERFLOW_ADD_LONG.
(Ins_SUB): Use OVERFLOW_SUB_LONG.
(Ins_NEG): Use NEG_LONG.
This commit is contained in:
Werner Lemberg 2017-06-03 06:52:13 +02:00
parent c5a225413f
commit 1ea343228d
4 changed files with 22 additions and 6 deletions

View File

@ -1,3 +1,18 @@
2017-06-03 Werner Lemberg <wl@gnu.org>
[cff, truetype] Integer overflows.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2047
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2057
* src/cff/cf2hints.c (cf2_hintmap_map): Use OVERFLOW_SUB_INT32.
* src/truetype/ttinterp.c (Ins_ADD): Use OVERFLOW_ADD_LONG.
(Ins_SUB): Use OVERFLOW_SUB_LONG.
(Ins_NEG): Use NEG_LONG.
2017-06-03 Werner Lemberg <wl@gnu.org> 2017-06-03 Werner Lemberg <wl@gnu.org>
ftcalc.h: Avoid left-shift of negative numbers. ftcalc.h: Avoid left-shift of negative numbers.

View File

@ -343,7 +343,8 @@
* Use edge[i], the highest entry where csCoord >= entry[i].csCoord * Use edge[i], the highest entry where csCoord >= entry[i].csCoord
*/ */
return OVERFLOW_ADD_INT32( return OVERFLOW_ADD_INT32(
FT_MulFix( csCoord - hintmap->edge[i].csCoord, FT_MulFix( OVERFLOW_SUB_INT32( csCoord,
hintmap->edge[i].csCoord ),
hintmap->edge[i].scale ), hintmap->edge[i].scale ),
hintmap->edge[i].dsCoord ); hintmap->edge[i].dsCoord );
} }

View File

@ -2826,7 +2826,7 @@
static void static void
Ins_ADD( FT_Long* args ) Ins_ADD( FT_Long* args )
{ {
args[0] += args[1]; args[0] = OVERFLOW_ADD_LONG( args[0], args[1] );
} }
@ -2839,7 +2839,7 @@
static void static void
Ins_SUB( FT_Long* args ) Ins_SUB( FT_Long* args )
{ {
args[0] -= args[1]; args[0] = OVERFLOW_SUB_LONG( args[0], args[1] );
} }
@ -2895,7 +2895,7 @@
static void static void
Ins_NEG( FT_Long* args ) Ins_NEG( FT_Long* args )
{ {
args[0] = -args[0]; args[0] = NEG_LONG( args[0] );
} }

View File

@ -329,8 +329,8 @@
for ( i = 0; i < mmaster.num_axis; i++ ) for ( i = 0; i < mmaster.num_axis; i++ )
{ {
mmvar->axis[i].name = mmaster.axis[i].name; mmvar->axis[i].name = mmaster.axis[i].name;
mmvar->axis[i].minimum = INT_TO_FIXED( mmaster.axis[i].minimum); mmvar->axis[i].minimum = INT_TO_FIXED( mmaster.axis[i].minimum );
mmvar->axis[i].maximum = INT_TO_FIXED( mmaster.axis[i].maximum); mmvar->axis[i].maximum = INT_TO_FIXED( mmaster.axis[i].maximum );
mmvar->axis[i].def = ( mmvar->axis[i].minimum + mmvar->axis[i].def = ( mmvar->axis[i].minimum +
mmvar->axis[i].maximum ) / 2; mmvar->axis[i].maximum ) / 2;
/* Does not apply. But this value is in range */ /* Does not apply. But this value is in range */