forked from minhngoc25a/freetype2
[bdf] Fix integer scanning routines.
Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2029 * src/bdf/bdflib.c (_bdf_atoul, _bdf_atol, _bdf_atous, _bdf_atos): Stop scanning if result would overflow.
This commit is contained in:
parent
3802ca8b64
commit
47a03e9b23
11
ChangeLog
11
ChangeLog
|
@ -1,3 +1,14 @@
|
|||
2017-06-02 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
[bdf] Fix integer scanning routines.
|
||||
|
||||
Reported as
|
||||
|
||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2029
|
||||
|
||||
* src/bdf/bdflib.c (_bdf_atoul, _bdf_atol, _bdf_atous, _bdf_atos):
|
||||
Stop scanning if result would overflow.
|
||||
|
||||
2017-06-02 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
[cff] Fix integer overflows.
|
||||
|
|
|
@ -704,7 +704,15 @@
|
|||
return 0;
|
||||
|
||||
for ( v = 0; sbitset( ddigits, *s ); s++ )
|
||||
v = v * 10 + a2i[(int)*s];
|
||||
{
|
||||
if ( v < ( ULONG_MAX - 9 ) / 10 )
|
||||
v = v * 10 + a2i[(int)*s];
|
||||
else
|
||||
{
|
||||
v = ULONG_MAX;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
return v;
|
||||
}
|
||||
|
@ -729,7 +737,15 @@
|
|||
}
|
||||
|
||||
for ( v = 0; sbitset( ddigits, *s ); s++ )
|
||||
v = v * 10 + a2i[(int)*s];
|
||||
{
|
||||
if ( v < ( LONG_MAX - 9 ) / 10 )
|
||||
v = v * 10 + a2i[(int)*s];
|
||||
else
|
||||
{
|
||||
v = LONG_MAX;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
return ( !neg ) ? v : -v;
|
||||
}
|
||||
|
@ -746,7 +762,15 @@
|
|||
return 0;
|
||||
|
||||
for ( v = 0; sbitset( ddigits, *s ); s++ )
|
||||
v = (unsigned short)( v * 10 + a2i[(int)*s] );
|
||||
{
|
||||
if ( v < ( USHRT_MAX - 9 ) / 10 )
|
||||
v = (unsigned short)( v * 10 + a2i[(int)*s] );
|
||||
else
|
||||
{
|
||||
v = USHRT_MAX;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
return v;
|
||||
}
|
||||
|
@ -771,7 +795,15 @@
|
|||
}
|
||||
|
||||
for ( v = 0; sbitset( ddigits, *s ); s++ )
|
||||
v = (short)( v * 10 + a2i[(int)*s] );
|
||||
{
|
||||
if ( v < ( SHRT_MAX - 9 ) / 10 )
|
||||
v = (short)( v * 10 + a2i[(int)*s] );
|
||||
else
|
||||
{
|
||||
v = SHRT_MAX;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
return (short)( ( !neg ) ? v : -v );
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue