[cff, truetype] Integer overflows.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2216
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2218

* src/cff/cf2fixed.h (cf2_fixedAbs): Use NEG_INT32.

* src/truetype/ttinterp.c (Ins_IP): Use SUB_LONG.

3 files changed, 23 insertions, 6 deletions

diff --git a/ChangeLog b/ChangeLog
index ef882374a..fe0f79507 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@
+2017-06-13  Werner Lemberg  <wl@gnu.org>
+
+	[cff, truetype] Integer overflows.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2216
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2218
+
+	* src/cff/cf2fixed.h (cf2_fixedAbs): Use NEG_INT32.
+
+	* src/truetype/ttinterp.c (Ins_IP): Use SUB_LONG.
+
 2017-06-11  Werner Lemberg  <wl@gnu.org>
 
 	[cff] Integer overflows.
diff --git a/src/cff/cf2fixed.h b/src/cff/cf2fixed.h
index d8e695b15..a041184bd 100644
--- a/src/cff/cf2fixed.h
+++ b/src/cff/cf2fixed.h
@@ -66,7 +66,7 @@ FT_BEGIN_HEADER
 #define cf2_doubleToFixed( f )                                           \
           ( (CF2_Fixed)( (f) * 65536.0 + 0.5 ) )
 #define cf2_fixedAbs( x )                                                \
-          ( (x) < 0 ? -(x) : (x) )
+          ( (x) < 0 ? NEG_INT32( x ) : (x) )
 #define cf2_fixedFloor( x )                                              \
           ( (CF2_Fixed)( (FT_UInt32)(x) & 0xFFFF0000UL ) )
 #define cf2_fixedFraction( x )                                           \
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index e527dfdf4..4e1167afb 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -6627,9 +6627,11 @@
         FT_Vector  vec;
 
 
-        vec.x = FT_MulFix( exc->zp1.orus[exc->GS.rp2].x - orus_base->x,
+        vec.x = FT_MulFix( SUB_LONG( exc->zp1.orus[exc->GS.rp2].x,
+                                     orus_base->x ),
                            exc->metrics.x_scale );
-        vec.y = FT_MulFix( exc->zp1.orus[exc->GS.rp2].y - orus_base->y,
+        vec.y = FT_MulFix( SUB_LONG( exc->zp1.orus[exc->GS.rp2].y,
+                                     orus_base->y ),
                            exc->metrics.y_scale );
 
         old_range = FAST_DUALPROJ( &vec );
@@ -6664,9 +6666,11 @@
         FT_Vector  vec;
 
 
-        vec.x = FT_MulFix( exc->zp2.orus[point].x - orus_base->x,
+        vec.x = FT_MulFix( SUB_LONG( exc->zp2.orus[point].x,
+                                     orus_base->x ),
                            exc->metrics.x_scale );
-        vec.y = FT_MulFix( exc->zp2.orus[point].y - orus_base->y,
+        vec.y = FT_MulFix( SUB_LONG( exc->zp2.orus[point].y,
+                                     orus_base->y ),
                            exc->metrics.y_scale );
 
         org_dist = FAST_DUALPROJ( &vec );
@@ -6705,7 +6709,7 @@
       exc->func_move( exc,
                       &exc->zp2,
                       (FT_UShort)point,
-                      new_dist - cur_dist );
+                      SUB_LONG( new_dist, cur_dist ) );
     }
 
   Fail: