[truetype] Integer overflow issues.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7652

* src/truetype/ttinterp.c (Ins_MDAP): Use SUB_LONG.

2 files changed, 20 insertions, 8 deletions

diff --git a/ChangeLog b/ChangeLog
index 1a338bb61..b92980121 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,15 @@
 2018-04-14  Werner Lemberg  <wl@gnu.org>
 
+	[truetype] Integer overflow issues.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7652
+
+	* src/truetype/ttinterp.c (Ins_MDAP): Use SUB_LONG.
+
+2018-04-14  Werner Lemberg  <wl@gnu.org>
+
 	[autofit] Update to Unicode 11.0.0.
 
 	But no support new scripts (volunteers welcomed).
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 6a5b82314..d9865d4af 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -5874,16 +5874,18 @@
       if ( SUBPIXEL_HINTING_INFINALITY &&
            exc->ignore_x_mode          &&
            exc->GS.freeVector.x != 0   )
-        distance = Round_None(
-                     exc,
-                     cur_dist,
-                     exc->tt_metrics.compensations[0] ) - cur_dist;
+        distance = SUB_LONG(
+                     Round_None( exc,
+                                 cur_dist,
+                                 exc->tt_metrics.compensations[0] ),
+                     cur_dist );
       else
 #endif
-        distance = exc->func_round(
-                     exc,
-                     cur_dist,
-                     exc->tt_metrics.compensations[0] ) - cur_dist;
+        distance = SUB_LONG(
+                     exc->func_round( exc,
+                                      cur_dist,
+                                      exc->tt_metrics.compensations[0] ),
+                     cur_dist );
     }
     else
       distance = 0;