2 files changed, 18 insertions, 0 deletions

diff --git a/ChangeLog b/ChangeLog
index 950c19c5a..c7c936480 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,16 @@
 2020-06-19  Werner Lemberg  <wl@gnu.org>
 
+	[base] Fix UBSAN error.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23166
+
+	* src/base/ftoutln.c (FT_Outline_Get_Orientation): Avoid values
+	larger than 32 bits.
+
+2020-06-19  Werner Lemberg  <wl@gnu.org>
+
 	[woff2] Fix segfault.
 
 	Reported as
diff --git a/src/base/ftoutln.c b/src/base/ftoutln.c
index 9935e058b..6009bc314 100644
--- a/src/base/ftoutln.c
+++ b/src/base/ftoutln.c
@@ -1060,6 +1060,13 @@
     if ( cbox.xMin == cbox.xMax || cbox.yMin == cbox.yMax )
       return FT_ORIENTATION_NONE;
 
+    /* Reject values larger than 32bit. */
+    if ( (unsigned long)cbox.xMin > 0xFFFFFFFFUL ||
+         (unsigned long)cbox.xMax > 0xFFFFFFFFUL ||
+         (unsigned long)cbox.yMin > 0xFFFFFFFFUL ||
+         (unsigned long)cbox.yMax > 0xFFFFFFFFUL )
+      return FT_ORIENTATION_NONE;
+
     xshift = FT_MSB( (FT_UInt32)( FT_ABS( cbox.xMax ) |
                                   FT_ABS( cbox.xMin ) ) ) - 14;
     xshift = FT_MAX( xshift, 0 );