[cff] Integer overflow.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2517

* src/cff/cf2blues.c (cf2_blues_capture): Use SUB_INT32.
Werner Lemberg 2017-07-07 17:09:43 +02:00
parent 762de5e285
commit 9ea83c7889
2 changed files with 15 additions and 4 deletions


@ -1,3 +1,13 @@
2017-07-07 Werner Lemberg <wl@gnu.org>
[cff] Integer overflow.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2517
* src/cff/cf2blues.c (cf2_blues_capture): Use SUB_INT32.
2017-07-05 Werner Lemberg <wl@gnu.org>
* src/sfnt/ttcmap.c (tt_cmap_unicode_class_rec): Fix warning.


@ -524,17 +524,18 @@
if ( !blues->zone[i].bottomZone && cf2_hint_isTop( topHintEdge ) )
{
if ( ( SUB_INT32( blues->zone[i].csBottomEdge, csFuzz ) ) <=
topHintEdge->csCoord &&
if ( SUB_INT32( blues->zone[i].csBottomEdge, csFuzz ) <=
topHintEdge->csCoord &&
topHintEdge->csCoord <=
ADD_INT32( blues->zone[i].csTopEdge, csFuzz ) )
ADD_INT32( blues->zone[i].csTopEdge, csFuzz ) )
{
/* top edge captured by top zone */
if ( blues->suppressOvershoot )
dsNew = blues->zone[i].dsFlatEdge;
else if ( ( topHintEdge->csCoord - blues->zone[i].csBottomEdge ) >=
else if ( SUB_INT32( topHintEdge->csCoord,
blues->zone[i].csBottomEdge ) >=
blues->blueShift )
{
/* guarantee minimum of 1 pixel overshoot */