* include/freetype/internal/ftcalc.h: Add macros for handling

harmless over-/underflowing `FT_Int' values.

* src/sfnt/sfdriver.c (fixed2float): Fix negation of
`(int)(-2147483648)'.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9423

3 files changed, 22 insertions, 1 deletions

diff --git a/ChangeLog b/ChangeLog
index 9ce63689c..da80b1391 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2018-07-16  Armin Hasitzka  <prince.cherusker@gmail.com>
+
+	* include/freetype/internal/ftcalc.h: Add macros for handling
+	harmless over-/underflowing `FT_Int' values.
+
+	* src/sfnt/sfdriver.c (fixed2float): Fix negation of
+	`(int)(-2147483648)'.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9423
+
 2018-07-16  Werner Lemberg  <wl@gnu.org>
 
 	* src/truetype/ttgxvar.c (tt_set_mm_blend): Fix off-by-one error.
diff --git a/include/freetype/internal/ftcalc.h b/include/freetype/internal/ftcalc.h
index 02467e983..733b67438 100644
--- a/include/freetype/internal/ftcalc.h
+++ b/include/freetype/internal/ftcalc.h
@@ -462,6 +462,15 @@ FT_BEGIN_HEADER
    *
    * Use with care!
    */
+#define ADD_INT( a, b )                           \
+          (FT_Int)( (FT_UInt)(a) + (FT_UInt)(b) )
+#define SUB_INT( a, b )                           \
+          (FT_Int)( (FT_UInt)(a) - (FT_UInt)(b) )
+#define MUL_INT( a, b )                           \
+          (FT_Int)( (FT_UInt)(a) * (FT_UInt)(b) )
+#define NEG_INT( a )                              \
+          (FT_Int)( (FT_UInt)0 - (FT_UInt)(a) )
+
 #define ADD_LONG( a, b )                             \
           (FT_Long)( (FT_ULong)(a) + (FT_ULong)(b) )
 #define SUB_LONG( a, b )                             \
diff --git a/src/sfnt/sfdriver.c b/src/sfnt/sfdriver.c
index cd2d8091b..ae6d6cdbc 100644
--- a/src/sfnt/sfdriver.c
+++ b/src/sfnt/sfdriver.c
@@ -677,7 +677,7 @@
     if ( fixed < 0 )
     {
       *p++ = '-';
-      fixed = -fixed;
+      fixed = NEG_INT( fixed );
     }
 
     int_part  = ( fixed >> 16 ) & 0xFFFF;