authorWerner Lemberg <wl@gnu.org>2017-06-03 21:05:42 +0200
committerWerner Lemberg <wl@gnu.org>2017-06-03 21:05:42 +0200
commitaddb2dddb6fd4be32ea16b44831e4cc99bbc9693 (patch)
tree2f574f7725ba9d71991543db71ff6e2e47982c3a /src/truetype
parentc9a9cf59159e65c43843f4a2e5966ff486058ace (diff)
[base, cff, truetype] Integer overflows.
Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2060 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2062 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2063 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2068 * src/base/ftobjs.c (ft_glyphslot_grid_fit_metrics): Use OVERFLOW_ADD_LONG and OVERFLOW_SUB_LONG. * src/cff/cf2blues.c (cf2_blues_capture), src/cff/cf2hints.c (cf2_hintmap_adjustHints): Use OVERFLOW_SUB_INT32. * src/truetype/ttgload.c (compute_glyph_metrics): Use OVERFLOW_SUB_LONG. * src/truetype/ttinterp.c (Direct_Move, Direct_Move_Orig, Direct_Move_X, Direct_Move_Y, Direct_Move_Orig_X, Direct_Move_Orig_Y, Move_Zp2_Point, Ins_MSIRP): Use OVERFLOW_ADD_LONG and OVERFLOW_SUB_LONG.
Diffstat (limited to 'src/truetype')
-rw-r--r--src/truetype/ttgload.c7
-rw-r--r--src/truetype/ttinterp.c56
2 files changed, 41 insertions, 22 deletions
diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
index e5a3da37a..66e8228d3 100644
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -2100,8 +2100,8 @@
}
/* set glyph dimensions */
- glyph->metrics.width = bbox.xMax - bbox.xMin;
- glyph->metrics.height = bbox.yMax - bbox.yMin;
+ glyph->metrics.width = OVERFLOW_SUB_LONG( bbox.xMax, bbox.xMin );
+ glyph->metrics.height = OVERFLOW_SUB_LONG( bbox.yMax, bbox.yMin );
/* Now take care of vertical metrics. In the case where there is */
/* no vertical information within the font (relatively common), */
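Review bot: The two `OVERFLOW_SUB_LONG` calls stop the signed-overflow undefined behaviour, but nothing here checks the result, so a font with an inverted or extreme bounding box can still leave `glyph->metrics.width` and `glyph->metrics.height` negative or wrapped (assuming the macro wraps through unsigned arithmetic; its definition is not part of this diff). The same holds for the `FT_DivFix` argument in the next hunk, whose result is then narrowed again by the `(FT_Short)` cast. Since these values derive from font data and are read by callers outside this file, I would document that above the assignment, e.g. `/* differences may wrap for malformed bboxes; metrics are not range-checked here */`. The enclosing function starts and ends outside both hunks.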
@@ -2137,7 +2137,8 @@
/* table in the font. Otherwise, we use the */
/* values defined in the horizontal header. */
- height = (FT_Short)FT_DivFix( bbox.yMax - bbox.yMin,
+ height = (FT_Short)FT_DivFix( OVERFLOW_SUB_LONG( bbox.yMax,
+ bbox.yMin ),
y_scale );
if ( face->os2.version != 0xFFFFU )
advance = (FT_Pos)( face->os2.sTypoAscender -
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index cbb754094..85e9e0823 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -1676,7 +1676,9 @@
if ( SUBPIXEL_HINTING_INFINALITY &&
( !exc->ignore_x_mode ||
( exc->sph_tweak_flags & SPH_TWEAK_ALLOW_X_DMOVE ) ) )
- zone->cur[point].x += FT_MulDiv( distance, v, exc->F_dot_P );
+ zone->cur[point].x = OVERFLOW_ADD_LONG(
+ zone->cur[point].x,
+ FT_MulDiv( distance, v, exc->F_dot_P ) );
else
#endif /* TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY */
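Review bot: The three-line assignment `zone->cur[point].x = OVERFLOW_ADD_LONG( zone->cur[point].x, FT_MulDiv( distance, v, exc->F_dot_P ) );` is now repeated in every arm of the `#ifdef` chain, once here and twice in the following hunk, which makes it easy for a later hardening change to miss one arm. Taking the displacement into a local first, `FT_Long delta = FT_MulDiv( distance, v, exc->F_dot_P );`, would reduce each arm to `zone->cur[point].x = OVERFLOW_ADD_LONG( zone->cur[point].x, delta );`. That evaluates `FT_MulDiv` even when no arm is taken, so it is a readability trade-off rather than a fix. The function body begins and ends outside these hunks.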
@@ -1685,12 +1687,16 @@
/* diagonal moves, but only post-IUP. DejaVu tries to adjust */
/* diagonal stems like on `Z' and `z' post-IUP. */
if ( SUBPIXEL_HINTING_MINIMAL && !exc->backward_compatibility )
- zone->cur[point].x += FT_MulDiv( distance, v, exc->F_dot_P );
+ zone->cur[point].x = OVERFLOW_ADD_LONG(
+ zone->cur[point].x,
+ FT_MulDiv( distance, v, exc->F_dot_P ) );
else
#endif
if ( NO_SUBPIXEL_HINTING )
- zone->cur[point].x += FT_MulDiv( distance, v, exc->F_dot_P );
+ zone->cur[point].x = OVERFLOW_ADD_LONG(
+ zone->cur[point].x,
+ FT_MulDiv( distance, v, exc->F_dot_P ) );
zone->tags[point] |= FT_CURVE_TAG_TOUCH_X;
}
@@ -1705,7 +1711,9 @@
exc->iupx_called &&
exc->iupy_called ) )
#endif
- zone->cur[point].y += FT_MulDiv( distance, v, exc->F_dot_P );
+ zone->cur[point].y = OVERFLOW_ADD_LONG(
+ zone->cur[point].y,
+ FT_MulDiv( distance, v, exc->F_dot_P ) );
zone->tags[point] |= FT_CURVE_TAG_TOUCH_Y;
}
@@ -1741,12 +1749,16 @@
v = exc->GS.freeVector.x;
if ( v != 0 )
- zone->org[point].x += FT_MulDiv( distance, v, exc->F_dot_P );
+ zone->org[point].x = OVERFLOW_ADD_LONG(
+ zone->org[point].x,
+ FT_MulDiv( distance, v, exc->F_dot_P ) );
v = exc->GS.freeVector.y;
if ( v != 0 )
- zone->org[point].y += FT_MulDiv( distance, v, exc->F_dot_P );
+ zone->org[point].y = OVERFLOW_ADD_LONG(
+ zone->org[point].y,
+ FT_MulDiv( distance, v, exc->F_dot_P ) );
}
@@ -1769,18 +1781,18 @@
{
#ifdef TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY
if ( SUBPIXEL_HINTING_INFINALITY && !exc->ignore_x_mode )
- zone->cur[point].x += distance;
+ zone->cur[point].x = OVERFLOW_ADD_LONG( zone->cur[point].x, distance );
else
#endif /* TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY */
#ifdef TT_SUPPORT_SUBPIXEL_HINTING_MINIMAL
if ( SUBPIXEL_HINTING_MINIMAL && !exc->backward_compatibility )
- zone->cur[point].x += distance;
+ zone->cur[point].x = OVERFLOW_ADD_LONG( zone->cur[point].x, distance );
else
#endif
if ( NO_SUBPIXEL_HINTING )
- zone->cur[point].x += distance;
+ zone->cur[point].x = OVERFLOW_ADD_LONG( zone->cur[point].x, distance );
zone->tags[point] |= FT_CURVE_TAG_TOUCH_X;
}
@@ -1799,7 +1811,7 @@
exc->backward_compatibility &&
exc->iupx_called && exc->iupy_called ) )
#endif
- zone->cur[point].y += distance;
+ zone->cur[point].y = OVERFLOW_ADD_LONG( zone->cur[point].y, distance );
zone->tags[point] |= FT_CURVE_TAG_TOUCH_Y;
}
@@ -1823,7 +1835,7 @@
{
FT_UNUSED( exc );
- zone->org[point].x += distance;
+ zone->org[point].x = OVERFLOW_ADD_LONG( zone->org[point].x, distance );
}
@@ -1835,7 +1847,7 @@
{
FT_UNUSED( exc );
- zone->org[point].y += distance;
+ zone->org[point].y = OVERFLOW_ADD_LONG( zone->org[point].y, distance );
}
@@ -5392,7 +5404,8 @@
if ( !( SUBPIXEL_HINTING_MINIMAL &&
exc->backward_compatibility ) )
#endif
- exc->zp2.cur[point].x += dx;
+ exc->zp2.cur[point].x = OVERFLOW_ADD_LONG( exc->zp2.cur[point].x,
+ dx );
if ( touch )
exc->zp2.tags[point] |= FT_CURVE_TAG_TOUCH_X;
@@ -5406,7 +5419,8 @@
exc->iupx_called &&
exc->iupy_called ) )
#endif
- exc->zp2.cur[point].y += dy;
+ exc->zp2.cur[point].y = OVERFLOW_ADD_LONG( exc->zp2.cur[point].y,
+ dy );
if ( touch )
exc->zp2.tags[point] |= FT_CURVE_TAG_TOUCH_Y;
@@ -5781,14 +5795,18 @@
#ifdef TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY
/* subpixel hinting - make MSIRP respect CVT cut-in; */
- if ( SUBPIXEL_HINTING_INFINALITY &&
- exc->ignore_x_mode &&
- exc->GS.freeVector.x != 0 &&
- FT_ABS( distance - args[1] ) >= control_value_cutin )
+ if ( SUBPIXEL_HINTING_INFINALITY &&
+ exc->ignore_x_mode &&
+ exc->GS.freeVector.x != 0 &&
+ FT_ABS( OVERFLOW_SUB_LONG( distance,
+ args[1] ) ) >= control_value_cutin )
distance = args[1];
#endif /* TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY */
- exc->func_move( exc, &exc->zp1, point, args[1] - distance );
+ exc->func_move( exc,
+ &exc->zp1,
+ point,
+ OVERFLOW_SUB_LONG( args[1], distance ) );
exc->GS.rp1 = exc->GS.rp0;
exc->GS.rp2 = point;
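Review bot: `FT_ABS( OVERFLOW_SUB_LONG( distance, args[1] ) )` can still overflow: if the wrapped difference is the most negative `FT_Long`, and `FT_ABS` negates its argument with plain unary minus (its definition is not in this diff), the negation is itself signed overflow. `args[1]` is an instruction argument and so presumably font-controlled, which would make that value reachable from untrusted input. Take the difference into a local and negate it with the same wrapping helper, `delta = OVERFLOW_SUB_LONG( distance, args[1] );` then `if ( delta < 0 ) delta = OVERFLOW_SUB_LONG( 0, delta );`, and compare `delta >= control_value_cutin`. The enclosing instruction handler starts and ends outside the hunk.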