diff options
| author | Werner Lemberg <wl@gnu.org> | 2017-06-06 12:05:04 +0200 |
|---|---|---|
| committer | Werner Lemberg <wl@gnu.org> | 2017-06-06 12:05:04 +0200 |
| commit | 24848a3d58cdd3ffd40ef3ddd68407d18f678b52 (patch) | |
| tree | d75cb3f4051b3a81caf5b97c087f2ef2b57cf9ab | |
| parent | 8667042997cb9095d3c925417b29f5a3163ab352 (diff) | |
| download | freetype2-24848a3d58cdd3ffd40ef3ddd68407d18f678b52.tar.gz | |
[cff] Integer overflow.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2109
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2110
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2122
* src/cff/cf2blues.c (cf2_blues_init): Use OVERFLOW_SUB_INT32.
* src/cff/cf2hints.c (cf2_hintmap_map): Synchronize if-else
branches.
| -rw-r--r-- | ChangeLog | 15 | ||||
| -rw-r--r-- | src/cff/cf2blues.c | 5 | ||||
| -rw-r--r-- | src/cff/cf2hints.c | 3 |
3 files changed, 20 insertions, 3 deletions
@@ -1,3 +1,18 @@ +2017-06-06 Werner Lemberg <wl@gnu.org> + + [cff] Integer overflow. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2109 + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2110 + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2122 + + * src/cff/cf2blues.c (cf2_blues_init): Use OVERFLOW_SUB_INT32. + + * src/cff/cf2hints.c (cf2_hintmap_map): Synchronize if-else + branches. + 2017-06-05 Werner Lemberg <wl@gnu.org> [cff] Integer overflow. diff --git a/src/cff/cf2blues.c b/src/cff/cf2blues.c index a94254d82..262be8322 100644 --- a/src/cff/cf2blues.c +++ b/src/cff/cf2blues.c @@ -194,8 +194,9 @@ blues->zone[blues->count].csTopEdge = cf2_blueToFixed( blueValues[i + 1] ); - zoneHeight = blues->zone[blues->count].csTopEdge - - blues->zone[blues->count].csBottomEdge; + zoneHeight = OVERFLOW_SUB_INT32( + blues->zone[blues->count].csTopEdge, + blues->zone[blues->count].csBottomEdge ); if ( zoneHeight < 0 ) { diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c index d7938c9c6..e326c1b66 100644 --- a/src/cff/cf2hints.c +++ b/src/cff/cf2hints.c @@ -332,7 +332,8 @@ { /* special case for points below first edge: use uniform scale */ return OVERFLOW_ADD_INT32( - FT_MulFix( csCoord - hintmap->edge[0].csCoord, + FT_MulFix( OVERFLOW_SUB_INT32( csCoord, + hintmap->edge[0].csCoord ), hintmap->scale ), hintmap->edge[0].dsCoord ); } |