authorWerner Lemberg <wl@gnu.org>2017-06-02 19:24:03 +0200
committerWerner Lemberg <wl@gnu.org>2017-06-02 19:24:03 +0200
commit0716c6ab7a1c43ba88192498d23e84178e216820 (patch)
tree37a62faf3e166222d14ab558cdf1809653557ebd
parent7a4276fb9095430b86b329f52fb8dfe26f966dcd (diff)
[cff] Even more integer overflows.
Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2046 * src/cff/cf2intrp.c (cf2_doStems, cf2_interpT2CharString): Use OVERFLOW_ADD_INT32.
-rw-r--r--ChangeLog11
-rw-r--r--src/cff/cf2intrp.c14
2 files changed, 19 insertions, 6 deletions
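--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,16 @@
 2017-06-02 Werner Lemberg <wl@gnu.org>
+ [cff] Even more integer overflows.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2046
+
+ * src/cff/cf2intrp.c (cf2_doStems, cf2_interpT2CharString): Use
+ OVERFLOW_ADD_INT32.
+
+2017-06-02 Werner Lemberg <wl@gnu.org>
+
 [cff] More integer overflows.
 Reported as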
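--- a/src/cff/cf2intrp.c
+++ b/src/cff/cf2intrp.c
@@ -304,10 +304,12 @@
 CF2_StemHintRec stemhint;
- stemhint.min =
- position += cf2_stack_getReal( opStack, i );
- stemhint.max =
- position += cf2_stack_getReal( opStack, i + 1 );
+ stemhint.min =
+ position = OVERFLOW_ADD_INT32( position,
+ cf2_stack_getReal( opStack, i ) );
+ stemhint.max =
+ position = OVERFLOW_ADD_INT32( position,
+ cf2_stack_getReal( opStack, i + 1 ) );
 stemhint.used = FALSE;
 stemhint.maxDS =
@@ -1617,8 +1619,8 @@
 if ( font->decoder->width_only )
 goto exit;
- curY += cf2_stack_popFixed( opStack );
- curX += cf2_stack_popFixed( opStack );
+ curY = OVERFLOW_ADD_INT32( curY, cf2_stack_popFixed( opStack ) );
+ curX = OVERFLOW_ADD_INT32( curX, cf2_stack_popFixed( opStack ) );
 cf2_glyphpath_moveTo( &glyphPath, curX, curY );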
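Review bot: The chained assignment `stemhint.min = position = OVERFLOW_ADD_INT32( position, ... )` in the first hunk of cf2_doStems is hard to read now that the macro call spans two lines; the accumulation into `position` and the capture into the stem hint are two distinct steps and read better as two statements, `position = OVERFLOW_ADD_INT32( position, cf2_stack_getReal( opStack, i ) );` followed by `stemhint.min = position;` (and likewise for `stemhint.max` with `i + 1`). This keeps the fix's saturating behaviour identical while making it obvious that `min` and `max` are cumulative positions rather than the raw stack deltas. The second hunk in cf2_interpT2CharString is fine as written and preserves the original pop order (curY before curX), which matters because `cf2_stack_popFixed` consumes the operand stack. Both functions start and end outside the hunks, and OVERFLOW_ADD_INT32 is defined in a header not shown in this diff, so its exact saturation semantics cannot be confirmed from here.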