[cff] Even more integer overflows.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2046

* src/cff/cf2intrp.c (cf2_doStems, cf2_interpT2CharString): Use
OVERFLOW_ADD_INT32.
Werner Lemberg 2017-06-02 19:24:03 +02:00
parent 7a4276fb90
commit 0716c6ab7a
2 changed files with 19 additions and 6 deletions

@ -1,3 +1,14 @@
2017-06-02 Werner Lemberg <wl@gnu.org>
[cff] Even more integer overflows.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2046
* src/cff/cf2intrp.c (cf2_doStems, cf2_interpT2CharString): Use
OVERFLOW_ADD_INT32.
2017-06-02 Werner Lemberg <wl@gnu.org>
[cff] More integer overflows.

@ -304,10 +304,12 @@
CF2_StemHintRec stemhint;
stemhint.min =
position += cf2_stack_getReal( opStack, i );
stemhint.max =
position += cf2_stack_getReal( opStack, i + 1 );
stemhint.min =
position = OVERFLOW_ADD_INT32( position,
cf2_stack_getReal( opStack, i ) );
stemhint.max =
position = OVERFLOW_ADD_INT32( position,
cf2_stack_getReal( opStack, i + 1 ) );
stemhint.used = FALSE;
stemhint.maxDS =
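Review bot: In the stemhint.min / stemhint.max assignments nothing checks the result of OVERFLOW_ADD_INT32, and the hunk does not show what value the macro yields when the sum does not fit, so position (accumulated from opStack operands) can still reach the hint record out of range, for example with stemhint.max below stemhint.min. If later hint processing is meant to tolerate that, a one-line comment above `stemhint.min =` saying so would help; otherwise reject or clamp the stem here. The chained form `stemhint.min = position = OVERFLOW_ADD_INT32( ... )` is also harder to read than the old `+=`; updating position on its own line and then assigning it would make the accumulation explicit.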
@ -1617,8 +1619,8 @@
if ( font->decoder->width_only )
goto exit;
curY += cf2_stack_popFixed( opStack );
curX += cf2_stack_popFixed( opStack );
curY = OVERFLOW_ADD_INT32( curY, cf2_stack_popFixed( opStack ) );
curX = OVERFLOW_ADD_INT32( curX, cf2_stack_popFixed( opStack ) );
cf2_glyphpath_moveTo( &glyphPath, curX, curY );
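Review bot: Both new lines pass the side-effecting call `cf2_stack_popFixed( opStack )` directly as an argument to OVERFLOW_ADD_INT32; if that macro ever expands an argument more than once, each line pops the stack twice and curX is computed from the wrong operand. Either confirm (and note next to the macro definition) that each argument is evaluated exactly once, or pop into a local variable first and pass the local to OVERFLOW_ADD_INT32. As in the stem hunk, the summed curX and curY go straight into cf2_glyphpath_moveTo with no visible range check, so state in a comment whether a wrapped coordinate is acceptable there.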