[cff, truetype] Integer overflows.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2323
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2328

* src/cff/cf2blues.c (cf2_blues_capture): Use ADD_INT32 and
SUB_INT32.

* src/truetype/ttinterp.c (Ins_SDPVTL): Use SUB_LONG and NEG_LONG.
Werner Lemberg 2017-06-22 11:52:43 +02:00
parent 75cb071b3f
commit 298e2ea5a6
3 changed files with 31 additions and 16 deletions


@ -1,3 +1,17 @@
2017-06-22 Werner Lemberg <wl@gnu.org>
[cff, truetype] Integer overflows.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2323
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2328
* src/cff/cf2blues.c (cf2_blues_capture): Use ADD_INT32 and
SUB_INT32.
* src/truetype/ttinterp.c (Ins_SDPVTL): Use SUB_LONG and NEG_LONG.
2017-06-21 Alexei Podtelezhnikov <apodtele@gmail.com> 2017-06-21 Alexei Podtelezhnikov <apodtele@gmail.com>
[sfnt] Synthesize a Unicode charmap if one is missing. [sfnt] Synthesize a Unicode charmap if one is missing.


@ -515,7 +515,7 @@
dsNew = cf2_fixedRound( bottomHintEdge->dsCoord ); dsNew = cf2_fixedRound( bottomHintEdge->dsCoord );
} }
dsMove = dsNew - bottomHintEdge->dsCoord; dsMove = SUB_INT32( dsNew, bottomHintEdge->dsCoord );
captured = TRUE; captured = TRUE;
break; break;
@ -549,7 +549,7 @@
dsNew = cf2_fixedRound( topHintEdge->dsCoord ); dsNew = cf2_fixedRound( topHintEdge->dsCoord );
} }
dsMove = dsNew - topHintEdge->dsCoord; dsMove = SUB_INT32( dsNew, topHintEdge->dsCoord );
captured = TRUE; captured = TRUE;
break; break;
@ -562,13 +562,14 @@
/* move both edges and flag them `locked' */ /* move both edges and flag them `locked' */
if ( cf2_hint_isValid( bottomHintEdge ) ) if ( cf2_hint_isValid( bottomHintEdge ) )
{ {
bottomHintEdge->dsCoord += dsMove; bottomHintEdge->dsCoord = ADD_INT32( bottomHintEdge->dsCoord,
dsMove );
cf2_hint_lock( bottomHintEdge ); cf2_hint_lock( bottomHintEdge );
} }
if ( cf2_hint_isValid( topHintEdge ) ) if ( cf2_hint_isValid( topHintEdge ) )
{ {
topHintEdge->dsCoord += dsMove; topHintEdge->dsCoord = ADD_INT32( topHintEdge->dsCoord, dsMove );
cf2_hint_lock( topHintEdge ); cf2_hint_lock( topHintEdge );
} }
} }
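Review bot: The new `SUB_INT32`/`ADD_INT32` calls remove the signed-overflow undefined behaviour, but a wrapped `dsMove` is still applied to both edges, which are then locked. The macro definitions are not on this page; if they wrap modulo 2^32, as the names suggest, a font with extreme hint or blue-zone coordinates yields a locked edge at an unrelated position instead of being rejected or clamped. I would document that at the two `dsMove = SUB_INT32( ... )` lines, for example `/* may wrap for invalid font data; result is then meaningless but defined */`. If a wrapped move is not acceptable to the hint-map code that consumes these edges, skip the capture when the difference is out of range. The body of cf2_blues_capture starts and ends outside these hunks, so any later range check on `dsCoord` is not visible here.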


@ -4927,12 +4927,12 @@
} }
{ {
FT_Vector* v1 = exc->zp1.org + p2; FT_Vector* v1 = exc->zp1.org + p2;
FT_Vector* v2 = exc->zp2.org + p1; FT_Vector* v2 = exc->zp2.org + p1;
A = v1->x - v2->x; A = SUB_LONG( v1->x, v2->x );
B = v1->y - v2->y; B = SUB_LONG( v1->y, v2->y );
/* If v1 == v2, SDPvTL behaves the same as */ /* If v1 == v2, SDPvTL behaves the same as */
/* SVTCA[X], respectively. */ /* SVTCA[X], respectively. */
@ -4948,9 +4948,9 @@
if ( ( opcode & 1 ) != 0 ) if ( ( opcode & 1 ) != 0 )
{ {
C = B; /* counter clockwise rotation */ C = B; /* counter clockwise rotation */
B = A; B = A;
A = -C; A = NEG_LONG( C );
} }
Normalize( A, B, &exc->GS.dualVector ); Normalize( A, B, &exc->GS.dualVector );
@ -4960,8 +4960,8 @@
FT_Vector* v2 = exc->zp2.cur + p1; FT_Vector* v2 = exc->zp2.cur + p1;
A = v1->x - v2->x; A = SUB_LONG( v1->x, v2->x );
B = v1->y - v2->y; B = SUB_LONG( v1->y, v2->y );
if ( A == 0 && B == 0 ) if ( A == 0 && B == 0 )
{ {
@ -4972,9 +4972,9 @@
if ( ( opcode & 1 ) != 0 ) if ( ( opcode & 1 ) != 0 )
{ {
C = B; /* counter clockwise rotation */ C = B; /* counter clockwise rotation */
B = A; B = A;
A = -C; A = NEG_LONG( C );
} }
Normalize( A, B, &exc->GS.projVector ); Normalize( A, B, &exc->GS.projVector );
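Review bot: Nothing in the `dualVector` hunk or the matching `projVector` hunk records what a wrapped `SUB_LONG` result means, and `A` and `B` go straight into `Normalize` afterwards. Assuming the macros wrap rather than saturate (their definitions are not shown), the `A == 0 && B == 0` test stays exact, but a wrapped difference can change sign and `NEG_LONG( C )` presumably leaves the most negative value unchanged. The vector set from bytecode-controlled points can therefore point in an arbitrary direction. A comment above each subtraction would make that contract explicit, e.g. `/* may wrap for out-of-range point coordinates; Normalize must cope with any input */`. It is also worth confirming that `Normalize` has no overflow of its own for such inputs. Both blocks sit inside Ins_SDPVTL, whose start and end, including any bounds check on `p1` and `p2`, are outside the hunks.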