[cff] Integer overflow.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2517 * src/cff/cf2blues.c (cf2_blues_capture): Use SUB_INT32.
2017-07-07 17:09:43 +02:00 · 2017-07-07 17:09:43 +02:00 · 9ea83c7889
parent 762de5e285
commit 9ea83c7889
2 changed files with 15 additions and 4 deletions
--- a/10
+++ b/10
@ -1,3 +1,13 @@
+2017-07-07  Werner Lemberg  <wl@gnu.org>
+
+	[cff] Integer overflow.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2517
+
+	* src/cff/cf2blues.c (cf2_blues_capture): Use SUB_INT32.
+
 2017-07-05  Werner Lemberg  <wl@gnu.org>

 	* src/sfnt/ttcmap.c (tt_cmap_unicode_class_rec): Fix warning.
--- a/src/cff/cf2blues.c
+++ b/src/cff/cf2blues.c
@ -524,17 +524,18 @@

      if ( !blues->zone[i].bottomZone && cf2_hint_isTop( topHintEdge ) )
      {
-        if ( ( SUB_INT32( blues->zone[i].csBottomEdge, csFuzz ) ) <=
-               topHintEdge->csCoord                                  &&
+        if ( SUB_INT32( blues->zone[i].csBottomEdge, csFuzz ) <=
+               topHintEdge->csCoord                              &&
             topHintEdge->csCoord <=
-               ADD_INT32( blues->zone[i].csTopEdge, csFuzz )         )
+               ADD_INT32( blues->zone[i].csTopEdge, csFuzz )     )
        {
          /* top edge captured by top zone */

          if ( blues->suppressOvershoot )
            dsNew = blues->zone[i].dsFlatEdge;

-          else if ( ( topHintEdge->csCoord - blues->zone[i].csBottomEdge ) >=
+          else if ( SUB_INT32( topHintEdge->csCoord,
+                               blues->zone[i].csBottomEdge ) >=
                      blues->blueShift )
          {
            /* guarantee minimum of 1 pixel overshoot */