[cff] Integer overflow.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2738

* src/cff/cf2hints.c (cf2_glyphpath_computeOffset,
cf2_glyphpath_curveTo): Use ADD_INT32.

2 files changed, 17 insertions, 4 deletions

diff --git a/ChangeLog b/ChangeLog
index 56168da4c..375975eae 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2017-07-26  Werner Lemberg  <wl@gnu.org>
+
+	[cff] Integer overflow.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2738
+
+	* src/cff/cf2hints.c (cf2_glyphpath_computeOffset,
+	cf2_glyphpath_curveTo): Use ADD_INT32.
+
 2017-07-13  Werner Lemberg  <wl@gnu.org>
 
 	[base] Fix memory leak.
diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c
index e0f2cc91c..656eb2cff 100644
--- a/src/cff/cf2hints.c
+++ b/src/cff/cf2hints.c
@@ -1489,8 +1489,9 @@
         return;
 
     /* add momentum for this path element */
-    glyphpath->callbacks->windingMomentum +=
-      cf2_getWindingMomentum( x1, y1, x2, y2 );
+    glyphpath->callbacks->windingMomentum =
+      ADD_INT32( glyphpath->callbacks->windingMomentum,
+                 cf2_getWindingMomentum( x1, y1, x2, y2 ) );
 
     /* note: allow mixed integer and fixed multiplication here */
     if ( dx >= 0 )
@@ -1778,8 +1779,9 @@
                                  &yOffset3 );
 
     /* add momentum from the middle segment */
-    glyphpath->callbacks->windingMomentum +=
-      cf2_getWindingMomentum( x1, y1, x2, y2 );
+    glyphpath->callbacks->windingMomentum =
+      ADD_INT32( glyphpath->callbacks->windingMomentum,
+                 cf2_getWindingMomentum( x1, y1, x2, y2 ) );
 
     /* construct offset points */
     P0.x = ADD_INT32( glyphpath->currentCS.x, xOffset1 );