[truetype] Integer overflow.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2868 * src/truetype/ttinterp.c (Ins_ALIGNRP): Use NEG_LONG.
author: Werner Lemberg <wl@gnu.org> 2017-08-05 18:58:34 +0200
committer: Werner Lemberg <wl@gnu.org> 2017-08-05 18:58:34 +0200
commit: 17196b7c747cf8a7309efda54c99a89d456f0512 (patch)
tree: 6d3e0521427abaa102aeb5424fd3069a8cae359a
parent: f43b3094ef9eec177caafdbc4e73a14be000d127 (diff)
download: freetype2-17196b7c747cf8a7309efda54c99a89d456f0512.tar.gz
2 files changed, 11 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 30f18b73c..987d5734c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2017-06-27  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Integer overflow.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2868
+
+	* src/truetype/ttinterp.c (Ins_ALIGNRP): Use NEG_LONG.
+
 2017-08-05  Werner Lemberg  <wl@gnu.org>
 
 	[base, truetype] New function `FT_Get_Var_Axis_Flags'.
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 8636d5e3f..bc201554e 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -6421,7 +6421,7 @@
         distance = PROJECT( exc->zp1.cur + point,
                             exc->zp0.cur + exc->GS.rp0 );
 
-        exc->func_move( exc, &exc->zp1, point, -distance );
+        exc->func_move( exc, &exc->zp1, point, NEG_LONG( distance ) );
       }
 
       exc->GS.loop--;
author	Werner Lemberg <wl@gnu.org>	2017-08-05 18:58:34 +0200
committer	Werner Lemberg <wl@gnu.org>	2017-08-05 18:58:34 +0200
commit	17196b7c747cf8a7309efda54c99a89d456f0512 (patch)
tree	6d3e0521427abaa102aeb5424fd3069a8cae359a
parent	f43b3094ef9eec177caafdbc4e73a14be000d127 (diff)
download	freetype2-17196b7c747cf8a7309efda54c99a89d456f0512.tar.gz