-rw-r--r-- | ChangeLog | 15 | ||||
-rw-r--r-- | src/cff/cf2hints.c | 6 | ||||
-rw-r--r-- | src/cff/cf2intrp.c | 3 |
3 files changed, 20 insertions, 4 deletions
@@ -1,3 +1,18 @@ +2017-06-11 Werner Lemberg <wl@gnu.org> + + [cff] Integer overflows. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2200 + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2210 + + * src/cff/cf2hints.c (cf2_hintmap_insertHint): Use SUB_INT32 and + ADD_INT32. + + * src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdVMOVETO>: Use + ADD_INT32. + 2017-06-10 Werner Lemberg <wl@gnu.org> [truetype] Fix TT_Set_Var_Design. diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c index 9643bd470..0951e1e7a 100644 --- a/src/cff/cf2hints.c +++ b/src/cff/cf2hints.c @@ -651,8 +651,8 @@ hintmap->scale ); - firstHintEdge->dsCoord = midpoint - halfWidth; - secondHintEdge->dsCoord = midpoint + halfWidth; + firstHintEdge->dsCoord = SUB_INT32( midpoint, halfWidth ); + secondHintEdge->dsCoord = ADD_INT32( midpoint, halfWidth ); } else firstHintEdge->dsCoord = cf2_hintmap_map( hintmap->initialHintMap, @@ -721,7 +721,7 @@ /* insert first edge */ hintmap->edge[indexInsert] = *firstHintEdge; /* copy struct */ - hintmap->count += 1; + hintmap->count += 1; if ( isPair ) { diff --git a/src/cff/cf2intrp.c b/src/cff/cf2intrp.c index a43d33ecd..a81628074 100644 --- a/src/cff/cf2intrp.c +++ b/src/cff/cf2intrp.c @@ -768,7 +768,8 @@ FT_TRACE4(( " vmoveto\n" )); if ( cf2_stack_count( opStack ) > 1 && !haveWidth ) - *width = cf2_stack_getReal( opStack, 0 ) + nominalWidthX; + *width = ADD_INT32( cf2_stack_getReal( opStack, 0 ), + nominalWidthX ); /* width is defined or default after this */ haveWidth = TRUE; |
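Review bot: In the `cf2hints.c` hunk at line 651, `SUB_INT32( midpoint, halfWidth )` and `ADD_INT32( midpoint, halfWidth )` remove the signed-overflow undefined behaviour, but the result is still unchecked. If the macros wrap through unsigned arithmetic, as FreeType's definitions in `ftcalc.h` do, a malformed font can leave `firstHintEdge->dsCoord` greater than `secondHintEdge->dsCoord`. Nothing visible in the hunk checks that ordering before the edges are copied into `hintmap->edge[]`, so I would state the intent next to the assignments, for example `/* may wrap for malformed fonts; value is meaningless but well-defined */`. If later code relies on monotonic `dsCoord` values, clamping or rejecting the hint pair would be the stronger fix. `cf2_hintmap_insertHint` starts and ends outside the hunk.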
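Review bot: Only the `cf2_cmdVMOVETO` case in the `cf2intrp.c` hunk at line 768 is converted to `ADD_INT32`. Any other operator case in `cf2_interpT2CharString` that computes `*width` as `cf2_stack_getReal( opStack, 0 ) + nominalWidthX` is not visible here and would keep the same signed overflow on a charstring-controlled operand. It is worth searching the switch for that expression and giving every occurrence the same form, `*width = ADD_INT32( cf2_stack_getReal( opStack, 0 ), nominalWidthX );`, or moving the width assignment into one helper so a single operator cannot be missed. The interpreter function starts and ends outside the hunk.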