From 3915a18b8c0f4e2090bf9496a49c38986ab18d70 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Wed, 29 Aug 2018 06:53:54 +0200
Subject: [PATCH] [cff] Fix handling of `roll' op in old engine.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10080
* src/psaux/cffdecode.c (cff_decoder_parse_charstrings)
[CFF_CONFIG_OPTION_OLD_ENGINE]: Use modulo for loop count, as
documented in the specification.
---
 ChangeLog | 12 ++++++++++++
 src/psaux/cffdecode.c | 5 +++++
 src/psaux/psstack.c | 3 +++
 3 files changed, 20 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 110e68750..60da292fb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2018-08-29 Werner Lemberg + + [cff] Fix handling of `roll' op in old engine. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10080 + + * src/psaux/cffdecode.c (cff_decoder_parse_charstrings) + [CFF_CONFIG_OPTION_OLD_ENGINE]: Use modulo for loop count, as + documented in the specification. + 2018-08-26 Werner Lemberg + * src/truetype/ttobjs.c (tt_size_read_bytecode): Trace CVT values.
diff --git a/src/psaux/cffdecode.c b/src/psaux/cffdecode.c
index 3f4cfd42b..1641ccd71 100644
--- a/src/psaux/cffdecode.c
+++ b/src/psaux/cffdecode.c
@@ -1821,6 +1821,7 @@
 if ( idx >= 0 )
 {
+ idx = idx % count;
 while ( idx > 0 )
 {
 FT_Fixed tmp = args[count - 1];
@@ -1835,6 +1836,10 @@
 }
 else
 {
+ /* before C99 it is implementation-defined whether */
+ /* the result of `%' is negative if the first operand */
+ /* is negative */
+ idx = -( ( -idx ) % count );
 while ( idx < 0 )
 {
 FT_Fixed tmp = args[0];
diff --git a/src/psaux/psstack.c b/src/psaux/psstack.c
index d49cf25b6..665906800 100644
--- a/src/psaux/psstack.c
+++ b/src/psaux/psstack.c
@@ -258,6 +258,9 @@
 return;
 }
+ /* before C99 it is implementation-defined whether */
+ /* the result of `%' is negative if the first operand */
+ /* is negative */
 if ( shift < 0 )
 shift = -( ( -shift ) % count );
 else
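Review bot: The added `idx = idx % count;` in the first cffdecode.c hunk divides by `count`, and nothing in the hunk shows `count` being rejected or clamped when it is zero, so from the hunk alone a `roll` whose count operand is 0 would reach a `%` by zero, which is undefined behaviour; `count` is presumably read from the operand stack, i.e. from charstring bytes an attacker controls. If the prologue of this case (which starts outside the hunk) already forces `count >= 1`, as I would expect for this operator, that guarantee is what makes the modulo safe and should be stated where it is relied on, e.g. `/* count >= 1 is enforced above, so the modulo cannot divide by zero */`; if it does not, a `count <= 0` rejection must precede this line. With the modulo in place the loop performs at most `count - 1` rotations of `count` elements, which bounds the work the reported fuzzer input presumably exploited, so the fix itself looks right. The enclosing switch case begins and ends outside this hunk.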
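Review bot: In the second cffdecode.c hunk, `idx = -( ( -idx ) % count );` negates `idx` before the modulo, and negating `INT_MIN` is undefined behaviour in every C standard, so the new expression replaces the pre-C99 sign question with a range precondition the added comment does not mention; the hunk does not show how `idx` is derived, so I cannot confirm it is range-limited (if it is a 16.16 fixed value shifted right by 16 it is, but that is outside the hunk). A form that needs neither the negation nor C99 semantics is `idx = idx % count; if ( idx > 0 ) idx -= count;` — C89 only requires `(idx / count) * count + idx % count == idx`, so a positive remainder shifted by `-count` is the same negative rotation and a zero remainder stays zero. If the negation is kept, the comment should carry the assumption, e.g. `/* -idx cannot overflow: idx is a 16-bit quantity here */`, so the next reader does not have to rediscover it. The `else` branch's enclosing case begins and ends outside the hunk.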