From b460a50610320c425292518cb5f6341af234e2f9 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Sat, 19 Jun 2021 07:03:40 +0200
Subject: [PATCH] [truetype] Fix integer overflow.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35312
* src/truetype/ttinterp.c (Ins_JMPR): Use `ADD_LONG`.
---
 ChangeLog | 10 ++++++++++
 src/truetype/ttinterp.c | 2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 522d084da..aaec6b1c6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2021-06-19 Werner Lemberg
+
+ [truetype] Fix integer overflow.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35312
+
+ * src/truetype/ttinterp.c (Ins_JMPR): Use `ADD_LONG`.
+
 2021-06-19 Werner Lemberg [autofit] Prevent hinting if there are too many segments.
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 6747f940d..96b48a003 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -3593,7 +3593,7 @@ return; }
- exc->IP += args[0];
+ exc->IP = ADD_LONG( exc->IP, args[0] );
 if ( exc->IP < 0 || ( exc->callTop > 0 && exc->IP > exc->callStack[exc->callTop - 1].Def->end ) )
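Review bot: The safety of the new `exc->IP = ADD_LONG( exc->IP, args[0] );` line rests on an unstated invariant: the wrapped sum is only caught by the `exc->IP < 0` test that follows because IP is non-negative on entry, so a negative `args[0]` cannot overflow at all and an oversized positive one lands in the negative range and is rejected. That reasoning deserves a comment above the line, e.g. `/* args[0] comes from untrusted bytecode; ADD_LONG avoids signed-overflow UB,  */` `/* and because IP >= 0 here a wrapped sum is negative and rejected below.      */`. ADD_LONG's definition is not in this hunk, so this assumes it performs the addition in unsigned arithmetic as the name suggests; worth confirming against ftcalc.h. The visible range check only bounds IP against the enclosing function's end when `callTop > 0`; the top-level check against the code size presumably follows but is outside the hunk, as are Ins_JMPR's signature and the remainder of its body.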