[cff, truetype] Integer overflows.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2133
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2137

* src/cff/cf2hints.c (cf2_hint_init): Use OVERFLOW_SUB_INT32.

* src/truetype/ttinterp.c (PROJECT, DUALPROJ): Use
OVERFLOW_SUB_LONG.
Werner Lemberg 2017-06-07 17:08:01 +02:00
parent 24848a3d58
commit 7bffeacd7e
3 changed files with 24 additions and 6 deletions


@ -1,6 +1,20 @@
2017-06-07 Werner Lemberg <wl@gnu.org>
[cff, truetype] Integer overflows.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2133
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2137
* src/cff/cf2hints.c (cf2_hint_init): Use OVERFLOW_SUB_INT32.
* src/truetype/ttinterp.c (PROJECT, DUALPROJ): Use
OVERFLOW_SUB_LONG.
2017-06-06 Werner Lemberg <wl@gnu.org>
[cff] Integer overflow.
[cff] Integer overflows.
Reported as
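Review bot: the context at the bottom of this hunk shows both `[cff] Integer overflow.` and `[cff] Integer overflows.` under the 2017-06-06 entry, i.e. the previous day's ChangeLog heading is being edited in passing. That correction is unrelated to the subject of this commit and is not mentioned in the commit message; either add a line noting it or split it into its own commit so the history of the earlier entry stays traceable.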


@ -105,7 +105,7 @@
stemHintArray,
indexStemHint );
width = stemHint->max - stemHint->min;
width = OVERFLOW_SUB_INT32( stemHint->max, stemHint->min );
if ( width == cf2_intToFixed( -21 ) )
{
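Review bot: switching to `width = OVERFLOW_SUB_INT32( stemHint->max, stemHint->min );` removes the undefined behaviour but not the bad input that triggers it: when the two stem edges are far enough apart for the subtraction to overflow, `width` is now a defined but meaningless value that flows straight into the sentinel test `if ( width == cf2_intToFixed( -21 ) )` and into the hinting that follows. A short comment here stating that a wrapped width is tolerated (the hint becomes wrong, not unsafe) would document the intent; if a wrong width could matter downstream, the stem should be range-checked or rejected before `width` is used.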


@ -65,11 +65,15 @@
TT_INTERPRETER_VERSION_40 )
#endif
#define PROJECT( v1, v2 ) \
exc->func_project( exc, (v1)->x - (v2)->x, (v1)->y - (v2)->y )
#define PROJECT( v1, v2 ) \
exc->func_project( exc, \
OVERFLOW_SUB_LONG( (v1)->x, (v2)->x ), \
OVERFLOW_SUB_LONG( (v1)->y, (v2)->y ) )
#define DUALPROJ( v1, v2 ) \
exc->func_dualproj( exc, (v1)->x - (v2)->x, (v1)->y - (v2)->y )
#define DUALPROJ( v1, v2 ) \
exc->func_dualproj( exc, \
OVERFLOW_SUB_LONG( (v1)->x, (v2)->x ), \
OVERFLOW_SUB_LONG( (v1)->y, (v2)->y ) )
#define FAST_PROJECT( v ) \
exc->func_project( exc, (v)->x, (v)->y )
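Review bot: PROJECT and DUALPROJ now route both coordinate differences through OVERFLOW_SUB_LONG, but the macros carry no comment explaining why; a one-line note that point coordinates come from the font and can be arbitrary, so `(v1)->x - (v2)->x` may exceed the range of a long, would keep a later reader from reverting to the plain subtraction. FAST_PROJECT is correctly left unchanged since it performs no subtraction. The now well-defined differences are still handed to `func_project` / `func_dualproj`, whose arithmetic on them lies outside this hunk and should be checked for the same overflow class.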