[cff, truetype] Integer overflows.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2216 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2218 * src/cff/cf2fixed.h (cf2_fixedAbs): Use NEG_INT32. * src/truetype/ttinterp.c (Ins_IP): Use SUB_LONG.
2017-06-13 06:56:48 +02:00 · 2017-06-13 06:56:48 +02:00 · 5c402d97af
parent 3ed3a96181
commit 5c402d97af
3 changed files with 23 additions and 6 deletions
--- a/13
+++ b/13
@ -1,3 +1,16 @@
+2017-06-13  Werner Lemberg  <wl@gnu.org>
+
+	[cff, truetype] Integer overflows.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2216
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2218
+
+	* src/cff/cf2fixed.h (cf2_fixedAbs): Use NEG_INT32.
+
+	* src/truetype/ttinterp.c (Ins_IP): Use SUB_LONG.
+
 2017-06-11  Werner Lemberg  <wl@gnu.org>

 	[cff] Integer overflows.
--- a/src/cff/cf2fixed.h
+++ b/src/cff/cf2fixed.h
@ -66,7 +66,7 @@ FT_BEGIN_HEADER
 #define cf2_doubleToFixed( f )                                           \
          ( (CF2_Fixed)( (f) * 65536.0 + 0.5 ) )
 #define cf2_fixedAbs( x )                                                \
-          ( (x) < 0 ? -(x) : (x) )
+          ( (x) < 0 ? NEG_INT32( x ) : (x) )
 #define cf2_fixedFloor( x )                                              \
          ( (CF2_Fixed)( (FT_UInt32)(x) & 0xFFFF0000UL ) )
 #define cf2_fixedFraction( x )                                           \
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@ -6627,9 +6627,11 @@
        FT_Vector  vec;


-        vec.x = FT_MulFix( exc->zp1.orus[exc->GS.rp2].x - orus_base->x,
+        vec.x = FT_MulFix( SUB_LONG( exc->zp1.orus[exc->GS.rp2].x,
+                                     orus_base->x ),
                           exc->metrics.x_scale );
-        vec.y = FT_MulFix( exc->zp1.orus[exc->GS.rp2].y - orus_base->y,
+        vec.y = FT_MulFix( SUB_LONG( exc->zp1.orus[exc->GS.rp2].y,
+                                     orus_base->y ),
                           exc->metrics.y_scale );

        old_range = FAST_DUALPROJ( &vec );
@ -6664,9 +6666,11 @@
        FT_Vector  vec;


-        vec.x = FT_MulFix( exc->zp2.orus[point].x - orus_base->x,
+        vec.x = FT_MulFix( SUB_LONG( exc->zp2.orus[point].x,
+                                     orus_base->x ),
                           exc->metrics.x_scale );
-        vec.y = FT_MulFix( exc->zp2.orus[point].y - orus_base->y,
+        vec.y = FT_MulFix( SUB_LONG( exc->zp2.orus[point].y,
+                                     orus_base->y ),
                           exc->metrics.y_scale );

        org_dist = FAST_DUALPROJ( &vec );
@ -6705,7 +6709,7 @@
      exc->func_move( exc,
                      &exc->zp2,
                      (FT_UShort)point,
-                      new_dist - cur_dist );
+                      SUB_LONG( new_dist, cur_dist ) );
    }

  Fail: