authorWerner Lemberg <wl@gnu.org>2017-06-24 20:17:46 +0200
committerWerner Lemberg <wl@gnu.org>2017-06-24 20:17:46 +0200
commitb27cef27ffc37cb14190a1860523d6a1aa9bc783 (patch)
treeb0f4081f290e73d2bd25dc28d1fc4b9c956e1ca2
parent298e2ea5a6c2e3264f8abaa8b1d2371fb4c77f4d (diff)
downloadfreetype2-b27cef27ffc37cb14190a1860523d6a1aa9bc783.tar.gz
[truetype] Integer overflows.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2364

* src/truetype/ttinterp.c (Ins_ISECT): Use NEG_LONG.
-rw-r--r--ChangeLog10
-rw-r--r--src/truetype/ttinterp.c4
2 files changed, 12 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index f40f4db38..f992e068a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2017-06-24 Werner Lemberg <wl@gnu.org>
+
+ [truetype] Integer overflows.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2364
+
+ * src/truetype/ttinterp.c (Ins_ISECT): Use NEG_LONG.
+
2017-06-22 Werner Lemberg <wl@gnu.org>
[cff, truetype] Integer overflows.
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index a032923ed..8e7809a7d 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -6487,7 +6487,7 @@
dx = SUB_LONG( exc->zp0.cur[b0].x, exc->zp1.cur[a0].x );
dy = SUB_LONG( exc->zp0.cur[b0].y, exc->zp1.cur[a0].y );
- discriminant = ADD_LONG( FT_MulDiv( dax, -dby, 0x40 ),
+ discriminant = ADD_LONG( FT_MulDiv( dax, NEG_LONG( dby ), 0x40 ),
FT_MulDiv( day, dbx, 0x40 ) );
dotproduct = ADD_LONG( FT_MulDiv( dax, dbx, 0x40 ),
FT_MulDiv( day, dby, 0x40 ) );
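Review bot: Nothing at the changed `discriminant` assignment records why `NEG_LONG( dby )` replaces `-dby`, so a later cleanup could quietly restore the unary minus and the signed overflow with it. A one-line comment above the assignment would pin the intent, for example `/* NEG_LONG: dby may be the most negative long, so plain -dby would overflow */`; the same applies to the `val` assignment in the second hunk. The macro is defined outside this diff and presumably wraps rather than clamps, in which case FT_MulDiv still receives the extreme value and has to tolerate it, which is worth confirming. The body of Ins_ISECT starts and ends outside the hunk.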
@@ -6502,7 +6502,7 @@
/* thresholding abs(tan(angle)) at 1/19, corresponding to 3 degrees. */
if ( MUL_LONG( 19, FT_ABS( discriminant ) ) > FT_ABS( dotproduct ) )
{
- val = ADD_LONG( FT_MulDiv( dx, -dby, 0x40 ),
+ val = ADD_LONG( FT_MulDiv( dx, NEG_LONG( dby ), 0x40 ),
FT_MulDiv( dy, dbx, 0x40 ) );
R.x = FT_MulDiv( val, dax, discriminant );
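Review bot: The threshold test `MUL_LONG( 19, FT_ABS( discriminant ) ) > FT_ABS( dotproduct )` still takes an absolute value of numbers that can be the most negative long, a case this commit leaves untouched. Both operands come from `ADD_LONG`, which presumably wraps, and FT_ABS is defined outside this diff; if it negates with a plain unary minus, the overflow removed from `-dby` reappears here. A wrapped or negative absolute value could also make the comparison succeed for a zero `discriminant`, which is then used as the divisor in `FT_MulDiv( val, dax, discriminant )`. Consider rejecting the extreme values before the test, or adding `discriminant != 0 &&` to the condition. The enclosing function continues past the end of the hunk.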