diff --git a/ChangeLog b/ChangeLog
index 6194a2fe6..1b7335db6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2017-06-02 Werner Lemberg
+
+ [cff] More integer overflows.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2032
+
+ * src/cff/cf2blues.c (cf2_blues_init): Use OVERFLOW_SUB_INT32.
+
 2017-06-02 Werner Lemberg
 [bdf] Don't left-shift negative numbers.
diff --git a/src/cff/cf2blues.c b/src/cff/cf2blues.c
index 141d0fcae..950c71473 100644
--- a/src/cff/cf2blues.c
+++ b/src/cff/cf2blues.c
@@ -301,7 +301,8 @@
 /* top edge */
 flatFamilyEdge = cf2_blueToFixed( familyOtherBlues[j + 1] );
- diff = cf2_fixedAbs( flatEdge - flatFamilyEdge );
+ diff = cf2_fixedAbs( OVERFLOW_SUB_INT32( flatEdge,
+ flatFamilyEdge ) );
 if ( diff < minDiff && diff < csUnitsPerPixel )
 {
@@ -319,7 +320,8 @@
 /* top edge */
 flatFamilyEdge = cf2_blueToFixed( familyBlues[1] );
- diff = cf2_fixedAbs( flatEdge - flatFamilyEdge );
+ diff = cf2_fixedAbs( OVERFLOW_SUB_INT32( flatEdge,
+ flatFamilyEdge ) );
 if ( diff < minDiff && diff < csUnitsPerPixel )
 blues->zone[i].csFlatEdge = flatFamilyEdge;
@@ -342,7 +344,8 @@
 /* adjust edges of top zone upward by twice darkening amount */
 flatFamilyEdge += 2 * font->darkenY;
 /* bottom edge */
- diff = cf2_fixedAbs( flatEdge - flatFamilyEdge );
+ diff = cf2_fixedAbs( OVERFLOW_SUB_INT32( flatEdge,
+ flatFamilyEdge ) );
 if ( diff < minDiff && diff < csUnitsPerPixel )
 {
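Review bot: The wrapped subtraction on the new `diff = cf2_fixedAbs( OVERFLOW_SUB_INT32( flatEdge, flatFamilyEdge ) );` line can still yield the most negative 32-bit value, and `cf2_fixedAbs` then negates it; if that macro is the plain `(x) < 0 ? -(x) : (x)` form, the negation is the same signed-overflow UB this commit sets out to remove, only one call deeper. The same applies to the identical lines in the hunks at -319 and -342, so the fix belongs in the macro rather than at these three call sites, e.g. having `cf2_fixedAbs` negate through an unsigned-arithmetic helper in the same family as OVERFLOW_SUB_INT32 (FreeType's `NEG_INT32`, if it is already in ftcalc.h at this point). Whether the current macro definition is the naive one is inferred from its use here, not visible in the hunk, and `cf2_blues_init` both starts and ends outside the hunk.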
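Review bot: In the hunk at -342 the context line `flatFamilyEdge += 2 * font->darkenY;` two lines above the wrapped subtraction is still a plain signed add and multiply on the same CF2_Fixed value, so the overflow this hunk guards against may already have occurred before OVERFLOW_SUB_INT32 sees its operand. Whether `darkenY` is bounded tightly enough to rule that out depends on how the darkening parameters are clamped, which is outside this hunk; if it is not, the line wants the same treatment, `flatFamilyEdge = OVERFLOW_ADD_INT32( flatFamilyEdge, 2 * font->darkenY );`, with the `2 *` product checked the same way if `darkenY` is not otherwise limited. The enclosing `cf2_blues_init` continues outside the hunk, so any matching bottom-zone adjustment should be reviewed alongside this one.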