author | Werner Lemberg <wl@gnu.org> | 2017-07-07 17:09:43 +0200 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2017-07-07 17:09:43 +0200 |
commit | 9ea83c788923f9d9ab966e77cb570a3f2be6a8d9 (patch) | |
tree | 56acf46e72425ff899faf857e5afcc60c322b233 | |
parent | 762de5e2850d16ab0ef671e3e307b99df1956eb9 (diff) | |
download | freetype2-9ea83c788923f9d9ab966e77cb570a3f2be6a8d9.tar.gz |
[cff] Integer overflow.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2517
* src/cff/cf2blues.c (cf2_blues_capture): Use SUB_INT32.
-rw-r--r-- | ChangeLog | 10 | ||||
-rw-r--r-- | src/cff/cf2blues.c | 9 |
2 files changed, 15 insertions, 4 deletions
@@ -1,3 +1,13 @@
+2017-07-07 Werner Lemberg <wl@gnu.org>
+
+ [cff] Integer overflow.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2517
+
+ * src/cff/cf2blues.c (cf2_blues_capture): Use SUB_INT32.
+
 2017-07-05 Werner Lemberg <wl@gnu.org> * src/sfnt/ttcmap.c (tt_cmap_unicode_class_rec): Fix warning.
diff --git a/src/cff/cf2blues.c b/src/cff/cf2blues.c
index f9f5bbb8f..c491f2f9e 100644
--- a/src/cff/cf2blues.c
+++ b/src/cff/cf2blues.c
@@ -524,17 +524,18 @@
 if ( !blues->zone[i].bottomZone && cf2_hint_isTop( topHintEdge ) ) {
- if ( ( SUB_INT32( blues->zone[i].csBottomEdge, csFuzz ) ) <=
- topHintEdge->csCoord &&
+ if ( SUB_INT32( blues->zone[i].csBottomEdge, csFuzz ) <=
+ topHintEdge->csCoord &&
 topHintEdge->csCoord <=
- ADD_INT32( blues->zone[i].csTopEdge, csFuzz ) )
+ ADD_INT32( blues->zone[i].csTopEdge, csFuzz ) )
 { /* top edge captured by top zone */ if ( blues->suppressOvershoot ) dsNew = blues->zone[i].dsFlatEdge;
- else if ( ( topHintEdge->csCoord - blues->zone[i].csBottomEdge ) >=
+ else if ( SUB_INT32( topHintEdge->csCoord,
+ blues->zone[i].csBottomEdge ) >=
 blues->blueShift ) { /* guarantee minimum of 1 pixel overshoot */ |
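Review bot: The `else if` in the cf2blues.c hunk now uses `SUB_INT32( topHintEdge->csCoord, blues->zone[i].csBottomEdge )`, but the diffstat shows this hunk is the only change in the file. Any mirrored subtraction in the bottom-zone branch of cf2_blues_capture, which lies outside the hunk, would still be a plain signed `-` on what are presumably font-derived coordinates, and should be checked in the same pass. Assuming SUB_INT32 wraps rather than saturates, the value compared against `blues->blueShift` can still have the wrong sign for extreme inputs. A short comment such as `/* difference may wrap for out-of-range coordinates; only the overshoot choice is affected */` would record that this is accepted, if that is indeed the intent.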