[cff] Fix integer overflows.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2027 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2028 * src/cff/cf2hints.c (cf2_hintmap_insertHint), src/cff/cf2intrp.c (cf2_doFlex): Use OVERFLOW_ADD_INT32 and OVERFLOW_SUB_INT32.
author: Werner Lemberg <wl@gnu.org> 2017-06-02 08:44:20 +0200
committer: Werner Lemberg <wl@gnu.org> 2017-06-02 08:44:20 +0200
commit: 3802ca8b643dbc966d12ef11ed8e2e5893cabef2 (patch)
tree: 2ea7a11970b43fbe531744d0e93bc0df2da5a56c
parent: cd02d359a6d0455e9d16b87bf9665961c4699538 (diff)
download: freetype2-3802ca8b643dbc966d12ef11ed8e2e5893cabef2.tar.gz
3 files changed, 27 insertions, 10 deletions
diff --git a/ChangeLog b/ChangeLog
index 04d70a39d..15b77ab39 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2017-06-02  Werner Lemberg  <wl@gnu.org>
+
+	[cff] Fix integer overflows.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2027
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2028
+
+	* src/cff/cf2hints.c (cf2_hintmap_insertHint), src/cff/cf2intrp.c
+	(cf2_doFlex): Use OVERFLOW_ADD_INT32 and OVERFLOW_SUB_INT32.
+
 2017-06-01  Werner Lemberg  <wl@gnu.org>
 
 	[smooth] Some 32bit integer overflow run-time errors.
diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c
index 5efb180dc..dbd3c8864 100644
--- a/src/cff/cf2hints.c
+++ b/src/cff/cf2hints.c
@@ -638,14 +638,16 @@
       {
         /* Use hint map to position the center of stem, and nominal scale */
         /* to position the two edges.  This preserves the stem width.     */
-        CF2_Fixed  midpoint  = cf2_hintmap_map(
-                                 hintmap->initialHintMap,
-                                 ( secondHintEdge->csCoord +
-                                   firstHintEdge->csCoord ) / 2 );
-        CF2_Fixed  halfWidth = FT_MulFix(
-                                 ( secondHintEdge->csCoord -
-                                   firstHintEdge->csCoord ) / 2,
-                                 hintmap->scale );
+        CF2_Fixed  midpoint =
+                     cf2_hintmap_map(
+                       hintmap->initialHintMap,
+                       OVERFLOW_ADD_INT32( secondHintEdge->csCoord,
+                                           firstHintEdge->csCoord ) / 2 );
+        CF2_Fixed  halfWidth =
+                     FT_MulFix(
+                       OVERFLOW_SUB_INT32( secondHintEdge->csCoord,
+                                           firstHintEdge->csCoord ) / 2,
+                       hintmap->scale );
 
 
         firstHintEdge->dsCoord  = midpoint - halfWidth;
diff --git a/src/cff/cf2intrp.c b/src/cff/cf2intrp.c
index 8f0785d59..463b7e89b 100644
--- a/src/cff/cf2intrp.c
+++ b/src/cff/cf2intrp.c
@@ -358,8 +358,11 @@
 
     if ( doConditionalLastRead )
     {
-      FT_Bool    lastIsX = (FT_Bool)( cf2_fixedAbs( vals[10] - *curX ) >
-                                        cf2_fixedAbs( vals[11] - *curY ) );
+      FT_Bool    lastIsX = (FT_Bool)(
+                             cf2_fixedAbs( OVERFLOW_SUB_INT32( vals[10],
+                                                               *curX ) ) >
+                               cf2_fixedAbs( OVERFLOW_SUB_INT32( vals[11],
+                                                                 *curY ) ) );
       CF2_Fixed  lastVal = cf2_stack_getReal( opStack, idx );
author	Werner Lemberg <wl@gnu.org>	2017-06-02 08:44:20 +0200
committer	Werner Lemberg <wl@gnu.org>	2017-06-02 08:44:20 +0200
commit	3802ca8b643dbc966d12ef11ed8e2e5893cabef2 (patch)
tree	2ea7a11970b43fbe531744d0e93bc0df2da5a56c
parent	cd02d359a6d0455e9d16b87bf9665961c4699538 (diff)
download	freetype2-3802ca8b643dbc966d12ef11ed8e2e5893cabef2.tar.gz