[truetype] Integer overflow issues.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7453 * src/truetype/ttinterp.c (Round_Super, Round_Super_45): Use ADD_LONG and SUB_LONG.
author: Werner Lemberg <wl@gnu.org> 2018-04-09 21:28:37 +0200
committer: Werner Lemberg <wl@gnu.org> 2018-04-09 21:28:37 +0200
commit: bd9400bd464f6cd7c74f52ece1c1065fe2a87aab (patch)
tree: 43808372b68418127006c724f9767acf5768e10b
parent: cdddeff02fff209e602d4dff97aa94fbbdab2904 (diff)
download: freetype2-bd9400bd464f6cd7c74f52ece1c1065fe2a87aab.tar.gz
2 files changed, 15 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index 57540b423..01ed40e74 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2018-04-09  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Integer overflow issues.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7453
+
+	* src/truetype/ttinterp.c (Round_Super, Round_Super_45): Use
+	ADD_LONG and SUB_LONG.
+
 2018-04-06  Alexei Podtelezhnikov  <apodtele@gmail.com>
 
 	[windows, wince] Clean up legacy project files.
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 240dae946..6a5b82314 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -2165,7 +2165,7 @@
       val = ADD_LONG( distance,
                       exc->threshold - exc->phase + compensation ) &
               -exc->period;
-      val += exc->phase;
+      val = ADD_LONG( val, exc->phase );
       if ( val < 0 )
         val = exc->phase;
     }
@@ -2174,7 +2174,7 @@
       val = NEG_LONG( SUB_LONG( exc->threshold - exc->phase + compensation,
                                 distance ) &
                         -exc->period );
-      val -= exc->phase;
+      val = SUB_LONG( val, exc->phase );
       if ( val > 0 )
         val = -exc->phase;
     }
@@ -2216,7 +2216,7 @@
       val = ( ADD_LONG( distance,
                         exc->threshold - exc->phase + compensation ) /
                 exc->period ) * exc->period;
-      val += exc->phase;
+      val = ADD_LONG( val, exc->phase );
       if ( val < 0 )
         val = exc->phase;
     }
@@ -2225,7 +2225,7 @@
       val = NEG_LONG( ( SUB_LONG( exc->threshold - exc->phase + compensation,
                                   distance ) /
                           exc->period ) * exc->period );
-      val -= exc->phase;
+      val = SUB_LONG( val, exc->phase );
       if ( val > 0 )
         val = -exc->phase;
     }
author	Werner Lemberg <wl@gnu.org>	2018-04-09 21:28:37 +0200
committer	Werner Lemberg <wl@gnu.org>	2018-04-09 21:28:37 +0200
commit	bd9400bd464f6cd7c74f52ece1c1065fe2a87aab (patch)
tree	43808372b68418127006c724f9767acf5768e10b
parent	cdddeff02fff209e602d4dff97aa94fbbdab2904 (diff)
download	freetype2-bd9400bd464f6cd7c74f52ece1c1065fe2a87aab.tar.gz