[truetype] Integer overflow issues.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7652 * src/truetype/ttinterp.c (Ins_MDAP): Use SUB_LONG.
2018-04-14 07:20:31 +02:00 · 2018-04-14 07:20:31 +02:00 · 827ca3bcf2
parent 576670b779
commit 827ca3bcf2
2 changed files with 20 additions and 8 deletions
--- a/10
+++ b/10
@ -1,3 +1,13 @@
+2018-04-14  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Integer overflow issues.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7652
+
+	* src/truetype/ttinterp.c (Ins_MDAP): Use SUB_LONG.
+
 2018-04-14  Werner Lemberg  <wl@gnu.org>

 	[autofit] Update to Unicode 11.0.0.
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@ -5874,16 +5874,18 @@
      if ( SUBPIXEL_HINTING_INFINALITY &&
           exc->ignore_x_mode          &&
           exc->GS.freeVector.x != 0   )
-        distance = Round_None(
-                     exc,
-                     cur_dist,
-                     exc->tt_metrics.compensations[0] ) - cur_dist;
+        distance = SUB_LONG(
+                     Round_None( exc,
+                                 cur_dist,
+                                 exc->tt_metrics.compensations[0] ),
+                     cur_dist );
      else
 #endif
-        distance = exc->func_round(
-                     exc,
-                     cur_dist,
-                     exc->tt_metrics.compensations[0] ) - cur_dist;
+        distance = SUB_LONG(
+                     exc->func_round( exc,
+                                      cur_dist,
+                                      exc->tt_metrics.compensations[0] ),
+                     cur_dist );
    }
    else
      distance = 0;