| author | Werner Lemberg <wl@gnu.org> | 2019-12-14 00:04:01 +0100 |
|---|---|---|
| committer | Werner Lemberg <wl@gnu.org> | 2019-12-14 00:04:01 +0100 |
| commit | 0c14a3adb08ca5aaac3188a63246361c50b069d4 | |
| tree | fae778369e7bd0ce84e362fc6d1107efb3dbf9c7 | |
| parent | 2c9a2d58ca9c8e58cae1d0b63f17e291297484eb | |
| download | freetype2-0c14a3adb08ca5aaac3188a63246361c50b069d4.tar.gz | |
[truetype] Fix integer overflow.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19305
* src/truetype/ttinterp.c (Ins_MIRP): Use `ADD_LONG'.
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | ChangeLog | 10 |
| -rw-r--r-- | src/truetype/ttinterp.c | 14 |

2 files changed, 18 insertions, 6 deletions
@@ -1,3 +1,13 @@ +2019-12-14 Werner Lemberg <wl@gnu.org> + + [truetype] Fix integer overflow. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19305 + + * src/truetype/ttinterp.c (Ins_MIRP): Use `ADD_LONG'. + 2019-12-13 Werner Lemberg <wl@gnu.org> Another bunch of UBSan warnings on adding offsets to nullptr. diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c index cedc4a522..7d021eb7c 100644 --- a/src/truetype/ttinterp.c +++ b/src/truetype/ttinterp.c @@ -6346,12 +6346,14 @@ /* twilight points (confirmed by Greg Hitchcock) */ if ( exc->GS.gep1 == 0 ) { - exc->zp1.org[point].x = exc->zp0.org[exc->GS.rp0].x + - TT_MulFix14( cvt_dist, - exc->GS.freeVector.x ); - exc->zp1.org[point].y = exc->zp0.org[exc->GS.rp0].y + - TT_MulFix14( cvt_dist, - exc->GS.freeVector.y ); + exc->zp1.org[point].x = ADD_LONG( + exc->zp0.org[exc->GS.rp0].x, + TT_MulFix14( cvt_dist, + exc->GS.freeVector.x ) ); + exc->zp1.org[point].y = ADD_LONG( + exc->zp0.org[exc->GS.rp0].y, + TT_MulFix14( cvt_dist, + exc->GS.freeVector.y ) ); exc->zp1.cur[point] = exc->zp1.org[point]; } |
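Review bot: in the ttinterp.c hunk, wrapping the two `exc->zp0.org[exc->GS.rp0].x + TT_MulFix14(...)` sums in `ADD_LONG` removes the signed-overflow undefined behaviour the fuzzer hit, but it only makes the addition well-defined; it does not bound the result, so a `cvt_dist` or reference-point coordinate chosen by the font can still produce an arbitrary (wrapped) twilight-point position in `exc->zp1.org[point]`, which is then copied into `exc->zp1.cur[point]` on the unchanged line. That is the intended scope of this fix (defined arithmetic, not range validation), so it would be worth stating in the ChangeLog entry that the change is UB-avoidance rather than a clamping of the coordinate, and confirming that the other `org`/`cur` assignments in `Ins_MIRP` outside this hunk already go through `ADD_LONG`/`SUB_LONG`, since only the `gep1 == 0` branch is touched here.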