[truetype] Integer overflow issues.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7453 * src/truetype/ttinterp.c (Round_Super, Round_Super_45): Use ADD_LONG and SUB_LONG.
2018-04-09 21:28:37 +02:00 · 2018-04-09 21:28:37 +02:00 · bd9400bd46
parent cdddeff02f
commit bd9400bd46
2 changed files with 15 additions and 4 deletions
--- a/11
+++ b/11
@ -1,3 +1,14 @@
+2018-04-09  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Integer overflow issues.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7453
+
+	* src/truetype/ttinterp.c (Round_Super, Round_Super_45): Use
+	ADD_LONG and SUB_LONG.
+
 2018-04-06  Alexei Podtelezhnikov  <apodtele@gmail.com>

 	[windows, wince] Clean up legacy project files.
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@ -2165,7 +2165,7 @@
      val = ADD_LONG( distance,
                      exc->threshold - exc->phase + compensation ) &
              -exc->period;
-      val += exc->phase;
+      val = ADD_LONG( val, exc->phase );
      if ( val < 0 )
        val = exc->phase;
    }
@ -2174,7 +2174,7 @@
      val = NEG_LONG( SUB_LONG( exc->threshold - exc->phase + compensation,
                                distance ) &
                        -exc->period );
-      val -= exc->phase;
+      val = SUB_LONG( val, exc->phase );
      if ( val > 0 )
        val = -exc->phase;
    }
@ -2216,7 +2216,7 @@
      val = ( ADD_LONG( distance,
                        exc->threshold - exc->phase + compensation ) /
                exc->period ) * exc->period;
-      val += exc->phase;
+      val = ADD_LONG( val, exc->phase );
      if ( val < 0 )
        val = exc->phase;
    }
@ -2225,7 +2225,7 @@
      val = NEG_LONG( ( SUB_LONG( exc->threshold - exc->phase + compensation,
                                  distance ) /
                          exc->period ) * exc->period );
-      val -= exc->phase;
+      val = SUB_LONG( val, exc->phase );
      if ( val > 0 )
        val = -exc->phase;
    }