From 933f4cbe792b777b826282dba9e55edb7b22a14d Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Wed, 26 Jul 2017 23:32:32 +0200
Subject: [PATCH] [cff] Integer overflow.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2738

* src/cff/cf2hints.c (cf2_glyphpath_computeOffset,
cf2_glyphpath_curveTo): Use ADD_INT32.
---
 ChangeLog          | 11 +++++++++++
 src/cff/cf2hints.c | 10 ++++++----
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 56168da4c..375975eae 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2017-07-26 Werner Lemberg
+
+	[cff] Integer overflow.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2738
+
+	* src/cff/cf2hints.c (cf2_glyphpath_computeOffset,
+	cf2_glyphpath_curveTo): Use ADD_INT32.
+
 2017-07-13 Werner Lemberg
 
 	[base] Fix memory leak.
diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c
index e0f2cc91c..656eb2cff 100644
--- a/src/cff/cf2hints.c
+++ b/src/cff/cf2hints.c
@@ -1489,8 +1489,9 @@
       return;
 
     /* add momentum for this path element */
-    glyphpath->callbacks->windingMomentum +=
-      cf2_getWindingMomentum( x1, y1, x2, y2 );
+    glyphpath->callbacks->windingMomentum =
+      ADD_INT32( glyphpath->callbacks->windingMomentum,
+                 cf2_getWindingMomentum( x1, y1, x2, y2 ) );
 
     /* note: allow mixed integer and fixed multiplication here */
     if ( dx >= 0 )
@@ -1778,8 +1779,9 @@
                                 &yOffset3 );
 
     /* add momentum from the middle segment */
-    glyphpath->callbacks->windingMomentum +=
-      cf2_getWindingMomentum( x1, y1, x2, y2 );
+    glyphpath->callbacks->windingMomentum =
+      ADD_INT32( glyphpath->callbacks->windingMomentum,
+                 cf2_getWindingMomentum( x1, y1, x2, y2 ) );
 
     /* construct offset points */
     P0.x = ADD_INT32( glyphpath->currentCS.x, xOffset1 );
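Review bot: The ADD_INT32 accumulation of windingMomentum in cf2_glyphpath_computeOffset removes the undefined signed overflow the fuzzer hit, but it does not make the sum meaningful once it leaves the 32-bit range (whether ADD_INT32 wraps or saturates is defined in ftcalc.h, not visible here), so any later reader of this field can still be steered by a crafted outline; that is presumably fine for a winding heuristic, but it deserves a comment at the assignment such as `/* ADD_INT32: a fuzzed outline can push this 32-bit sum out of range; the value appears to be read only for its sign, so a wrapped sum should be harmless -- confirm */`. The operand `cf2_getWindingMomentum( x1, y1, x2, y2 )` is evaluated before the guarded add and is untouched by this patch; if its own subtractions and products are not already overflow-checked, the same class of report is likely to recur one frame deeper. cf2_glyphpath_computeOffset begins and ends outside this hunk.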
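Review bot: The three-line ADD_INT32 expression added to cf2_glyphpath_curveTo is a verbatim copy of the one added to cf2_glyphpath_computeOffset in the previous hunk, so the overflow policy for windingMomentum now lives in two places and a later change (for instance moving to a saturating add) must be repeated at both sites. A small static helper placed next to cf2_getWindingMomentum that performs the guarded accumulation would keep the policy in one place and let each call site collapse to a single line; the fence sketches it, with the parameter types assumed to match those of cf2_glyphpath_curveTo's own parameters, whose signature is outside this hunk. cf2_glyphpath_curveTo begins and ends outside this hunk.
```c
  /* Accumulate one path element's winding momentum with the overflow-safe */
  /* add, so that a fuzzed outline cannot trigger signed-overflow UB here.  */
  /* Parameter types assumed from cf2_glyphpath_curveTo -- confirm.          */
  static void
  cf2_glyphpath_addWindingMomentum( CF2_GlyphPath  glyphpath,
                                    CF2_Fixed      x1,
                                    CF2_Fixed      y1,
                                    CF2_Fixed      x2,
                                    CF2_Fixed      y2 )
  {
    glyphpath->callbacks->windingMomentum =
      ADD_INT32( glyphpath->callbacks->windingMomentum,
                 cf2_getWindingMomentum( x1, y1, x2, y2 ) );
  }

    /* ... unchanged: cf2_glyphpath_curveTo up to the offset computation ... */
    /* add momentum from the middle segment */
    cf2_glyphpath_addWindingMomentum( glyphpath, x1, y1, x2, y2 );
```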