[cff] More integer overflows.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2032

* src/cff/cf2blues.c (cf2_blues_init): Use OVERFLOW_SUB_INT32.

2 files changed, 16 insertions, 3 deletions

diff --git a/ChangeLog b/ChangeLog
index 6194a2fe6..1b7335db6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,15 @@
 2017-06-02  Werner Lemberg  <wl@gnu.org>
 
+	[cff] More integer overflows.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2032
+
+	* src/cff/cf2blues.c (cf2_blues_init): Use OVERFLOW_SUB_INT32.
+
+2017-06-02  Werner Lemberg  <wl@gnu.org>
+
 	[bdf] Don't left-shift negative numbers.
 
 	Reported as
diff --git a/src/cff/cf2blues.c b/src/cff/cf2blues.c
index 141d0fcae..950c71473 100644
--- a/src/cff/cf2blues.c
+++ b/src/cff/cf2blues.c
@@ -301,7 +301,8 @@
           /* top edge */
           flatFamilyEdge = cf2_blueToFixed( familyOtherBlues[j + 1] );
 
-          diff = cf2_fixedAbs( flatEdge - flatFamilyEdge );
+          diff = cf2_fixedAbs( OVERFLOW_SUB_INT32( flatEdge,
+                                                   flatFamilyEdge ) );
 
           if ( diff < minDiff && diff < csUnitsPerPixel )
           {
@@ -319,7 +320,8 @@
           /* top edge */
           flatFamilyEdge = cf2_blueToFixed( familyBlues[1] );
 
-          diff = cf2_fixedAbs( flatEdge - flatFamilyEdge );
+          diff = cf2_fixedAbs( OVERFLOW_SUB_INT32( flatEdge,
+                                                   flatFamilyEdge ) );
 
           if ( diff < minDiff && diff < csUnitsPerPixel )
             blues->zone[i].csFlatEdge = flatFamilyEdge;
@@ -342,7 +344,8 @@
           /* adjust edges of top zone upward by twice darkening amount */
           flatFamilyEdge += 2 * font->darkenY;      /* bottom edge */
 
-          diff = cf2_fixedAbs( flatEdge - flatFamilyEdge );
+          diff = cf2_fixedAbs( OVERFLOW_SUB_INT32( flatEdge,
+                                                   flatFamilyEdge ) );
 
           if ( diff < minDiff && diff < csUnitsPerPixel )
           {