From 1ea343228d8987afae5f58908581c1e59e26e9ad Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Sat, 3 Jun 2017 06:52:13 +0200 Subject: [cff, truetype] Integer overflows. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2047 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2057 * src/cff/cf2hints.c (cf2_hintmap_map): Use OVERFLOW_SUB_INT32. * src/truetype/ttinterp.c (Ins_ADD): Use OVERFLOW_ADD_LONG. (Ins_SUB): Use OVERFLOW_SUB_LONG. (Ins_NEG): Use NEG_LONG.
---
 ChangeLog | 15 +++++++++++++++
 src/cff/cf2hints.c | 3 ++-
 src/truetype/ttinterp.c | 6 +++---
 src/type1/t1load.c | 4 ++--
 4 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 5976f0ea0..83a239af1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@
+2017-06-03 Werner Lemberg
+
+ [cff, truetype] Integer overflows.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2047
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2057
+
+ * src/cff/cf2hints.c (cf2_hintmap_map): Use OVERFLOW_SUB_INT32.
+
+ * src/truetype/ttinterp.c (Ins_ADD): Use OVERFLOW_ADD_LONG.
+ (Ins_SUB): Use OVERFLOW_SUB_LONG.
+ (Ins_NEG): Use NEG_LONG.
+
 2017-06-03 Werner Lemberg
 
 ftcalc.h: Avoid left-shift of negative numbers.
diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c
index dbd3c8864..89af2ff7a 100644
--- a/src/cff/cf2hints.c
+++ b/src/cff/cf2hints.c
@@ -343,7 +343,8 @@
 * Use edge[i], the highest entry where csCoord >= entry[i].csCoord
 */
 return OVERFLOW_ADD_INT32(
- FT_MulFix( csCoord - hintmap->edge[i].csCoord,
+ FT_MulFix( OVERFLOW_SUB_INT32( csCoord,
+ hintmap->edge[i].csCoord ),
 hintmap->edge[i].scale ),
 hintmap->edge[i].dsCoord );
 }
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 775d11047..cbb754094 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -2826,7 +2826,7 @@
 static void
 Ins_ADD( FT_Long* args )
 {
- args[0] += args[1];
+ args[0] = OVERFLOW_ADD_LONG( args[0], args[1] );
 }
 
 
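Review bot: The wrapped subtraction introduced on the `+ FT_MulFix( OVERFLOW_SUB_INT32( csCoord,` line removes the signed-overflow UB the fuzzer hit, but a wrapped difference still yields a wrong device coordinate rather than an error, so the function's guarantee is now "no UB" rather than "correct for any csCoord". That is presumably the intended trade-off for hint mapping, but nothing on the page says so; a one-line comment above the `return`, e.g. `/* May wrap on out-of-range csCoord: we only guarantee no UB here, not a meaningful coordinate. */`, would stop a later reader from "fixing" it with a range check that silently changes rendering. The product inside FT_MulFix is not covered by these wrappers; I assume FT_MulFix handles its own intermediate overflow, but that is outside the hunk. The enclosing function (cf2_hintmap_map per the commit message) begins before the hunk.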
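Review bot: Ins_ADD, and Ins_SUB and Ins_NEG in the two following hunks of this file, now go through OVERFLOW_ADD_LONG/OVERFLOW_SUB_LONG/NEG_LONG, which removes the overflow UB but only for the three opcodes named in the oss-fuzz reports; the sibling arithmetic handlers (ABS, MUL, DIV, if they still use plain operators) are outside the hunk, so a sweep for the same construct is worth doing before the two issues are closed. A short why-comment at Ins_ADD, e.g. `/* Wrap instead of overflowing: bytecode comes from the font and is untrusted. */`, would explain the change, since the macro names say what but not why. Because the result still wraps, a font can still place any value on the interpreter stack; the change makes the arithmetic defined, not the value trustworthy, so the bounds checks that consume stack values downstream remain the real guard.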
@@ -2839,7 +2839,7 @@
 static void
 Ins_SUB( FT_Long* args )
 {
- args[0] -= args[1];
+ args[0] = OVERFLOW_SUB_LONG( args[0], args[1] );
 }
 
 
@@ -2895,7 +2895,7 @@
 static void
 Ins_NEG( FT_Long* args )
 {
- args[0] = -args[0];
+ args[0] = NEG_LONG( args[0] );
 }
 
 
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index f5c661f7d..f569d6bec 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -329,8 +329,8 @@
 for ( i = 0; i < mmaster.num_axis; i++ )
 {
 mmvar->axis[i].name = mmaster.axis[i].name;
- mmvar->axis[i].minimum = INT_TO_FIXED( mmaster.axis[i].minimum);
- mmvar->axis[i].maximum = INT_TO_FIXED( mmaster.axis[i].maximum);
+ mmvar->axis[i].minimum = INT_TO_FIXED( mmaster.axis[i].minimum );
+ mmvar->axis[i].maximum = INT_TO_FIXED( mmaster.axis[i].maximum );
 mmvar->axis[i].def = ( mmvar->axis[i].minimum +
 mmvar->axis[i].maximum ) / 2;
 /* Does not apply. But this value is in range */
-- 
cgit v1.2.1