[truetype] Fix integer overflow.
Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19305 * src/truetype/ttinterp.c (Ins_MIRP): Use `ADD_LONG'.
parent
2c9a2d58ca
commit
0c14a3adb0
10
ChangeLog
10
ChangeLog
|
@ -1,3 +1,13 @@
|
||||||
|
2019-12-14 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
|
[truetype] Fix integer overflow.
|
||||||
|
|
||||||
|
Reported as
|
||||||
|
|
||||||
|
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19305
|
||||||
|
|
||||||
|
* src/truetype/ttinterp.c (Ins_MIRP): Use `ADD_LONG'.
|
||||||
|
|
||||||
2019-12-13 Werner Lemberg <wl@gnu.org>
|
2019-12-13 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
Another bunch of UBSan warnings on adding offsets to nullptr.
|
Another bunch of UBSan warnings on adding offsets to nullptr.
|
||||||
|
|
|
@ -6346,12 +6346,14 @@
|
||||||
/* twilight points (confirmed by Greg Hitchcock) */
|
/* twilight points (confirmed by Greg Hitchcock) */
|
||||||
if ( exc->GS.gep1 == 0 )
|
if ( exc->GS.gep1 == 0 )
|
||||||
{
|
{
|
||||||
exc->zp1.org[point].x = exc->zp0.org[exc->GS.rp0].x +
|
exc->zp1.org[point].x = ADD_LONG(
|
||||||
|
exc->zp0.org[exc->GS.rp0].x,
|
||||||
TT_MulFix14( cvt_dist,
|
TT_MulFix14( cvt_dist,
|
||||||
exc->GS.freeVector.x );
|
exc->GS.freeVector.x ) );
|
||||||
exc->zp1.org[point].y = exc->zp0.org[exc->GS.rp0].y +
|
exc->zp1.org[point].y = ADD_LONG(
|
||||||
|
exc->zp0.org[exc->GS.rp0].y,
|
||||||
TT_MulFix14( cvt_dist,
|
TT_MulFix14( cvt_dist,
|
||||||
exc->GS.freeVector.y );
|
exc->GS.freeVector.y ) );
|
||||||
exc->zp1.cur[point] = exc->zp1.org[point];
|
exc->zp1.cur[point] = exc->zp1.org[point];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
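Review bot: The two `ADD_LONG(...)` assignments to `exc->zp1.org[point].x` and `.y` remove the signed-overflow undefined behaviour, but as far as I know `ADD_LONG` adds through the unsigned type and wraps, so an oversized `cvt_dist` (the report came from OSS-Fuzz, so presumably derived from a crafted font) still produces a wrapped twilight coordinate that the following line copies into `exc->zp1.cur[point]`. I would state that this is intended with a comment above the first assignment, for example `/* ADD_LONG wraps on overflow: defined behaviour, the coordinate is not clamped */`. The same lines index `exc->zp1.org` with `point` and `exc->zp0.org` with `exc->GS.rp0`; the range checks for both are presumably earlier in `Ins_MIRP`, which starts and ends outside the hunk, so that cannot be confirmed from here. It is also worth checking that the remaining additions and subtractions on `cvt_dist` in the rest of the function use the wrapping macros, since only the twilight-zone branch is touched here.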