author: Werner Lemberg <wl@gnu.org>, 2018-10-27 00:07:53 +0200
committer: Werner Lemberg <wl@gnu.org>, 2018-10-27 00:07:53 +0200
commit: bfe53294757b03873b1432b7c1cd3e027802c634
tree: 41ec6f8f5e4b5eb94dfa9bf74ef262e7fbefb4dc
parent: f56830ed406f90f6f53ee6367f2068a0f27bf90b
download: freetype2-bfe53294757b03873b1432b7c1cd3e027802c634.tar.gz
[psaux] Fix numeric overflow.
Triggered by
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11157
* src/psaux/cffdecode.c (cff_decoder_parse_charstrings) <cff_op_blend>
[CFF_CONFIG_OPTION_OLD_ENGINE]: Fix integer overflow.
ChangeLog              | 11
src/psaux/cffdecode.c  |  3
2 files changed, 13 insertions, 1 deletion
@@ -1,3 +1,14 @@ +2018-10-27 Werner Lemberg <wl@gnu.org> + + [psaux] Fix numeric overflow. + + Triggered by + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11157 + + * src/psaux/cffdecode.c (cff_decoder_parse_charstrings) <cff_op_blend> + [CFF_CONFIG_OPTION_OLD_ENGINE]: Fix integer overflow. + 2018-10-20 Werner Lemberg <wl@gnu.org> Avoid endless loop while tracing (#54858). diff --git a/src/psaux/cffdecode.c b/src/psaux/cffdecode.c index 58a516fb2..ac1bc1fe2 100644 --- a/src/psaux/cffdecode.c +++ b/src/psaux/cffdecode.c @@ -1950,7 +1950,8 @@ if ( num_results < 0 ) goto Syntax_Error; - if ( num_results * (FT_Int)num_designs > num_args ) + if ( num_results > num_args || + num_results * (FT_Int)num_designs > num_args ) goto Stack_Underflow; /* since we currently don't handle interpolation of multiple */ |
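Review bot: in the src/psaux/cffdecode.c hunk the added `num_results > num_args ||` term looks redundant beside the multiplication test, but it is the actual overflow guard: because `||` short-circuits, `num_results * (FT_Int)num_designs` is only evaluated once `num_results` is already bounded by `num_args`, so an oversized `num_results` taken from a malformed charstring can no longer wrap the product into a small value that slips past the check. That intent is not recorded anywhere in the hunk; a one-line comment above the condition (e.g. `/* test num_results alone first so the product below cannot overflow */`) would keep a later cleanup from folding the condition back into the single test. The guard also depends on `num_designs` being small enough that `num_args * num_designs` fits in `FT_Int`; the hunk does not show where `num_designs` is validated, so confirm it is bounded before this point rather than relying on the cast.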