From eaa9adf325e1612bdc7134648205597d055cb99c Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Wed, 20 Sep 2017 08:00:05 +0200
Subject: [PATCH] [truetype] Integer overflows.

Changes triggered by
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3429
* src/truetype/ttinterp.c (Ins_SHPIX, Ins_DELTAP): Use NEG_LONG.
(Ins_MIAP): Use SUB_LONG.
---
 ChangeLog | 11 +++++++++++
 src/truetype/ttinterp.c | 12 ++++++++----
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 0aff98ff5..f08b56a28 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2017-09-20 Werner Lemberg
+
+ [truetype] Integer overflows.
+
+ Changes triggered by
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3429
+
+ * src/truetype/ttinterp.c (Ins_SHPIX, Ins_DELTAP): Use NEG_LONG.
+ (Ins_MIAP): Use SUB_LONG.
+
 2017-09-19 Alexei Podtelezhnikov
 [build] Fix DLL builds in Visual C++ project.
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index ddcc839bb..c3d710359 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -5690,7 +5690,11 @@
 ( B1 & 63 ) != 0 &&
 ( B2 & 63 ) != 0 &&
 B1 != B2 )
- Move_Zp2_Point( exc, point, -dx, -dy, TRUE );
+ Move_Zp2_Point( exc,
+ point,
+ NEG_LONG( dx ),
+ NEG_LONG( dy ),
+ TRUE );
 }
 }
 else if ( exc->face->sph_compatibility_mode )
@@ -5722,7 +5726,7 @@
 if ( ( B1 & 63 ) == 0 &&
 ( B2 & 63 ) != 0 &&
 B1 != B2 )
- Move_Zp2_Point( exc, point, 0, -dy, TRUE );
+ Move_Zp2_Point( exc, point, 0, NEG_LONG( dy ), TRUE );
 }
 }
 else if ( exc->sph_in_func_flags & SPH_FDEF_TYPEMAN_DIAGENDCTRL )
@@ -5991,7 +5995,7 @@
 exc->tt_metrics.compensations[0] );
 }
- exc->func_move( exc, &exc->zp0, point, distance - org_dist );
+ exc->func_move( exc, &exc->zp0, point, SUB_LONG( distance, org_dist ) );
 Fail:
 exc->GS.rp0 = point;
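Review bot: The new `NEG_LONG( dx )` / `NEG_LONG( dy )` arguments in the first Ins_SHPIX hunk carry no hint of why the plain unary minus was unsafe, so a one-line why-comment above the call would keep the next maintainer from "simplifying" it back, e.g. `/* NEG_LONG: plain -dx is undefined when dx == LONG_MIN */`. The same note applies to `NEG_LONG( dy )` in the second Ins_SHPIX hunk, to `SUB_LONG( distance, org_dist )` in the Ins_MIAP hunk, and to `NEG_LONG( B )` in the Ins_DELTAP hunk on the following line. Presumably these macros evaluate in unsigned arithmetic so the result wraps instead of overflowing, which is enough to silence the sanitizer report behind the linked oss-fuzz issue, but the wrapped value is then handed straight to Move_Zp2_Point / func_move, so the resulting point move is bounded only by whatever range checks those callees already perform. The enclosing functions Ins_SHPIX, Ins_MIAP and Ins_DELTAP all begin and end outside the hunks.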
@@ -7153,7 +7157,7 @@
 SPH_TWEAK_SKIP_NONPIXEL_Y_MOVES_DELTAP ) &&
 ( B1 & 63 ) != 0 &&
 ( B2 & 63 ) != 0 ) ) )
- exc->func_move( exc, &exc->zp0, A, -B );
+ exc->func_move( exc, &exc->zp0, A, NEG_LONG( B ) );
 }
 }
 else