[base, cff, truetype] Integer overflows.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2060 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2062 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2063 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2068 * src/base/ftobjs.c (ft_glyphslot_grid_fit_metrics): Use OVERFLOW_ADD_LONG and OVERFLOW_SUB_LONG. * src/cff/cf2blues.c (cf2_blues_capture), src/cff/cf2hints.c (cf2_hintmap_adjustHints): Use OVERFLOW_SUB_INT32. * src/truetype/ttgload.c (compute_glyph_metrics): User OVERFLOW_SUB_LONG. * src/truetype/ttinterp.c (Direct_Move, Direct_Move_Orig, Direct_Move_X, Direct_Move_Y, Direct_Move_Orig_X, Direct_Move_Orig_Y, Move_Zp2_Point, Ins_MSIRP): Use OVERFLOW_ADD_LONG and OVERFLOW_SUB_LONG.
author: Werner Lemberg <wl@gnu.org> 2017-06-03 21:05:42 +0200
committer: Werner Lemberg <wl@gnu.org> 2017-06-03 21:05:42 +0200
commit: addb2dddb6fd4be32ea16b44831e4cc99bbc9693 (patch)
tree: 2f574f7725ba9d71991543db71ff6e2e47982c3a /src/cff/cf2hints.c
parent: c9a9cf59159e65c43843f4a2e5966ff486058ace (diff)
download: freetype2-addb2dddb6fd4be32ea16b44831e4cc99bbc9693.tar.gz
1 files changed, 8 insertions, 4 deletions
diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c
index 89af2ff7a..d7938c9c6 100644
--- a/src/cff/cf2hints.c
+++ b/src/cff/cf2hints.c
@@ -512,8 +512,10 @@
         if ( hintmap->edge[i].csCoord != hintmap->edge[i - 1].csCoord )
           hintmap->edge[i - 1].scale =
             FT_DivFix(
-              hintmap->edge[i].dsCoord - hintmap->edge[i - 1].dsCoord,
-              hintmap->edge[i].csCoord - hintmap->edge[i - 1].csCoord );
+              OVERFLOW_SUB_INT32( hintmap->edge[i].dsCoord,
+                                  hintmap->edge[i - 1].dsCoord ),
+              OVERFLOW_SUB_INT32( hintmap->edge[i].csCoord,
+                                  hintmap->edge[i - 1].csCoord ) );
       }
 
       if ( isPair )
@@ -521,8 +523,10 @@
         if ( hintmap->edge[j].csCoord != hintmap->edge[j - 1].csCoord )
           hintmap->edge[j - 1].scale =
             FT_DivFix(
-              hintmap->edge[j].dsCoord - hintmap->edge[j - 1].dsCoord,
-              hintmap->edge[j].csCoord - hintmap->edge[j - 1].csCoord );
+              OVERFLOW_SUB_INT32( hintmap->edge[j].dsCoord,
+                                  hintmap->edge[j - 1].dsCoord ),
+              OVERFLOW_SUB_INT32( hintmap->edge[j].csCoord,
+                                  hintmap->edge[j - 1].csCoord ) );
 
         i += 1;     /* skip upper edge on next loop */
       }
author	Werner Lemberg <wl@gnu.org>	2017-06-03 21:05:42 +0200
committer	Werner Lemberg <wl@gnu.org>	2017-06-03 21:05:42 +0200
commit	addb2dddb6fd4be32ea16b44831e4cc99bbc9693 (patch)
tree	2f574f7725ba9d71991543db71ff6e2e47982c3a /src/cff/cf2hints.c
parent	c9a9cf59159e65c43843f4a2e5966ff486058ace (diff)
download	freetype2-addb2dddb6fd4be32ea16b44831e4cc99bbc9693.tar.gz