[truetype] Integer overflows.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2364

* src/truetype/ttinterp.c (Ins_ISECT): Use NEG_LONG.
Werner Lemberg 2017-06-24 20:17:46 +02:00
parent 298e2ea5a6
commit b27cef27ff
2 changed files with 12 additions and 2 deletions


@ -1,3 +1,13 @@
2017-06-24 Werner Lemberg <wl@gnu.org>
[truetype] Integer overflows.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2364
* src/truetype/ttinterp.c (Ins_ISECT): Use NEG_LONG.
2017-06-22 Werner Lemberg <wl@gnu.org>
[cff, truetype] Integer overflows.


@ -6487,7 +6487,7 @@
dx = SUB_LONG( exc->zp0.cur[b0].x, exc->zp1.cur[a0].x );
dy = SUB_LONG( exc->zp0.cur[b0].y, exc->zp1.cur[a0].y );
discriminant = ADD_LONG( FT_MulDiv( dax, -dby, 0x40 ),
discriminant = ADD_LONG( FT_MulDiv( dax, NEG_LONG( dby ), 0x40 ),
FT_MulDiv( day, dbx, 0x40 ) );
dotproduct = ADD_LONG( FT_MulDiv( dax, dbx, 0x40 ),
FT_MulDiv( day, dby, 0x40 ) );
@ -6502,7 +6502,7 @@
/* thresholding abs(tan(angle)) at 1/19, corresponding to 3 degrees. */
if ( MUL_LONG( 19, FT_ABS( discriminant ) ) > FT_ABS( dotproduct ) )
{
val = ADD_LONG( FT_MulDiv( dx, -dby, 0x40 ),
val = ADD_LONG( FT_MulDiv( dx, NEG_LONG( dby ), 0x40 ),
FT_MulDiv( dy, dbx, 0x40 ) );
R.x = FT_MulDiv( val, dax, discriminant );
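Review bot: The `FT_ABS( discriminant )` and `FT_ABS( dotproduct )` operands in the threshold test of the second hunk remain open to the same class of overflow that this commit fixes for `-dby`. Both values come out of ADD_LONG, which presumably wraps, so either can be the most negative long, and if FT_ABS negates its argument that negation is undefined there. `MUL_LONG( 19, ... )` can wrap as well, so for very large cross products the grazing-angle comparison may give the wrong answer instead of rejecting the intersection. Because the operands derive from zone point coordinates, which the fuzzer report suggests are reachable from font data, it would help to bound the deltas before this block, or at least to add a comment such as `/* discriminant and dotproduct may have wrapped; FT_ABS of the most negative value is not representable */` so the remaining case is tracked. The body of Ins_ISECT starts and ends outside both hunks.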