author | Werner Lemberg <wl@gnu.org> | 2017-06-13 06:56:48 +0200 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2017-06-13 06:56:48 +0200 |
commit | 5c402d97afcc98cbb8d8e049409533f747c4c514 (patch) | |
tree | cd55a8ab4ed8b0f489ebaae6c60017562ecbf514 | |
parent | 3ed3a96181625286f5899118f884fb4b125ebda2 (diff) | |
download | freetype2-5c402d97afcc98cbb8d8e049409533f747c4c514.tar.gz |
[cff, truetype] Integer overflows.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2216
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2218
* src/cff/cf2fixed.h (cf2_fixedAbs): Use NEG_INT32.
* src/truetype/ttinterp.c (Ins_IP): Use SUB_LONG.
-rw-r--r-- | ChangeLog | 13 | ||||
-rw-r--r-- | src/cff/cf2fixed.h | 2 | ||||
-rw-r--r-- | src/truetype/ttinterp.c | 14 |
3 files changed, 23 insertions, 6 deletions
@@ -1,3 +1,16 @@
+2017-06-13 Werner Lemberg <wl@gnu.org>
+
+ [cff, truetype] Integer overflows.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2216
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2218
+
+ * src/cff/cf2fixed.h (cf2_fixedAbs): Use NEG_INT32.
+
+ * src/truetype/ttinterp.c (Ins_IP): Use SUB_LONG.
+
 2017-06-11 Werner Lemberg <wl@gnu.org>
 [cff] Integer overflows.
diff --git a/src/cff/cf2fixed.h b/src/cff/cf2fixed.h
index d8e695b15..a041184bd 100644
--- a/src/cff/cf2fixed.h
+++ b/src/cff/cf2fixed.h
@@ -66,7 +66,7 @@ FT_BEGIN_HEADER
 #define cf2_doubleToFixed( f ) \
 ( (CF2_Fixed)( (f) * 65536.0 + 0.5 ) )
 #define cf2_fixedAbs( x ) \
- ( (x) < 0 ? -(x) : (x) )
+ ( (x) < 0 ? NEG_INT32( x ) : (x) )
 #define cf2_fixedFloor( x ) \
 ( (CF2_Fixed)( (FT_UInt32)(x) & 0xFFFF0000UL ) )
 #define cf2_fixedFraction( x ) \
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index e527dfdf4..4e1167afb 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -6627,9 +6627,11 @@
 FT_Vector vec;
- vec.x = FT_MulFix( exc->zp1.orus[exc->GS.rp2].x - orus_base->x,
+ vec.x = FT_MulFix( SUB_LONG( exc->zp1.orus[exc->GS.rp2].x,
+ orus_base->x ),
 exc->metrics.x_scale );
- vec.y = FT_MulFix( exc->zp1.orus[exc->GS.rp2].y - orus_base->y,
+ vec.y = FT_MulFix( SUB_LONG( exc->zp1.orus[exc->GS.rp2].y,
+ orus_base->y ),
 exc->metrics.y_scale );
 old_range = FAST_DUALPROJ( &vec );
@@ -6664,9 +6666,11 @@
 FT_Vector vec;
- vec.x = FT_MulFix( exc->zp2.orus[point].x - orus_base->x,
+ vec.x = FT_MulFix( SUB_LONG( exc->zp2.orus[point].x,
+ orus_base->x ),
 exc->metrics.x_scale );
- vec.y = FT_MulFix( exc->zp2.orus[point].y - orus_base->y,
+ vec.y = FT_MulFix( SUB_LONG( exc->zp2.orus[point].y,
+ orus_base->y ),
 exc->metrics.y_scale );
 org_dist = FAST_DUALPROJ( &vec );
@@ -6705,7 +6709,7 @@
 exc->func_move( exc,
 &exc->zp2,
 (FT_UShort)point,
- new_dist - cur_dist );
+ SUB_LONG( new_dist, cur_dist ) );
 }
 Fail: |
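Review bot: In src/cff/cf2fixed.h, `cf2_fixedAbs` can still return a negative value after this change. If `NEG_INT32` negates through unsigned arithmetic, as its use for an overflow fix suggests (its definition is not visible in this diff), the most negative 32-bit `CF2_Fixed` value maps back to itself. The undefined behaviour is removed, but callers that treat the result as a magnitude should be checked for that one input. A comment on the macro would record this, e.g. `/* wraps on the minimum value: result may stay negative, callers must not assume >= 0 */`. The macro also still evaluates `x` more than once, so arguments with side effects remain unsafe.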
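Review bot: In src/truetype/ttinterp.c, the wrapped difference from `SUB_LONG` is passed straight into `FT_MulFix` and then `FAST_DUALPROJ`, so a font whose original coordinates are far enough apart to overflow produces a defined but meaningless `old_range` in the @@ -6627 hunk. The same applies to `org_dist` in the @@ -6664 hunk and to the move distance in the @@ -6705 hunk. That is presumably acceptable for malformed input, but nothing at the call sites says so. A short comment above the first use, such as `/* SUB_LONG wraps on purpose: malformed orus values must not trigger signed overflow */`, would keep a later cleanup from reverting to plain `-`. The enclosing function continues outside these hunks, so it is worth confirming that the code consuming `old_range` tolerates a zero or sign-flipped value.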