minhngoc25a
/
freetype2
mirror of git://git.savannah.gnu.org/freetype/freetype2.git
2
1
Fork 2
Code Issues 4 Releases Wiki Activity

[truetype] Integer overflows. 

Changes triggered by

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3429

* src/truetype/ttinterp.c (Ins_SHPIX, Ins_DELTAP): Use NEG_LONG.
(Ins_MIAP): Use SUB_LONG.
This commit is contained in:
Werner Lemberg 2017-09-20 08:00:05 +02:00
parent 74f442394f
commit eaa9adf325
2 changed files with 19 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
ChangeLog
View File

@ -1,3 +1,14 @@
2017-09-20 Werner Lemberg <wl@gnu.org>
[truetype] Integer overflows.
Changes triggered by
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3429
* src/truetype/ttinterp.c (Ins_SHPIX, Ins_DELTAP): Use NEG_LONG.
(Ins_MIAP): Use SUB_LONG.
2017-09-19 Alexei Podtelezhnikov <apodtele@gmail.com>
[build] Fix DLL builds in Visual C++ project.

12
src/truetype/ttinterp.c
View File

@ -5690,7 +5690,11 @@
( B1 & 63 ) != 0 &&
( B2 & 63 ) != 0 &&
B1 != B2 )
Move_Zp2_Point( exc, point, -dx, -dy, TRUE );
Move_Zp2_Point( exc,
point,
NEG_LONG( dx ),
NEG_LONG( dy ),
TRUE );
}
}
else if ( exc->face->sph_compatibility_mode )
@ -5722,7 +5726,7 @@
if ( ( B1 & 63 ) == 0 &&
( B2 & 63 ) != 0 &&
B1 != B2 )
Move_Zp2_Point( exc, point, 0, -dy, TRUE );
Move_Zp2_Point( exc, point, 0, NEG_LONG( dy ), TRUE );
}
}
else if ( exc->sph_in_func_flags & SPH_FDEF_TYPEMAN_DIAGENDCTRL )
@ -5991,7 +5995,7 @@
exc->tt_metrics.compensations[0] );
}
exc->func_move( exc, &exc->zp0, point, distance - org_dist );
exc->func_move( exc, &exc->zp0, point, SUB_LONG( distance, org_dist ) );
Fail:
exc->GS.rp0 = point;
@ -7153,7 +7157,7 @@
SPH_TWEAK_SKIP_NONPIXEL_Y_MOVES_DELTAP ) &&
( B1 & 63 ) != 0 &&
( B2 & 63 ) != 0 ) ) )
exc->func_move( exc, &exc->zp0, A, -B );
exc->func_move( exc, &exc->zp0, A, NEG_LONG( B ) );
}
}
else