From 3802ca8b643dbc966d12ef11ed8e2e5893cabef2 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Fri, 2 Jun 2017 08:44:20 +0200
Subject: [cff] Fix integer overflows.

Reported as

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2027
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2028

* src/cff/cf2hints.c (cf2_hintmap_insertHint), src/cff/cf2intrp.c
(cf2_doFlex): Use OVERFLOW_ADD_INT32 and OVERFLOW_SUB_INT32.
---
ChangeLog | 12 ++++++++++++
src/cff/cf2hints.c | 18 ++++++++++--------
src/cff/cf2intrp.c | 7 +++++--
3 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 04d70a39d..15b77ab39 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2017-06-02 Werner Lemberg
+
+ [cff] Fix integer overflows.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2027
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2028
+
+ * src/cff/cf2hints.c (cf2_hintmap_insertHint), src/cff/cf2intrp.c
+ (cf2_doFlex): Use OVERFLOW_ADD_INT32 and OVERFLOW_SUB_INT32.
+
 2017-06-01 Werner Lemberg
 
 [smooth] Some 32bit integer overflow run-time errors.
diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c
index 5efb180dc..dbd3c8864 100644
--- a/src/cff/cf2hints.c
+++ b/src/cff/cf2hints.c
@@ -638,14 +638,16 @@
       {
         /* Use hint map to position the center of stem, and nominal scale */
         /* to position the two edges. This preserves the stem width. */
-        CF2_Fixed midpoint = cf2_hintmap_map(
-          hintmap->initialHintMap,
-          ( secondHintEdge->csCoord +
-            firstHintEdge->csCoord ) / 2 );
-        CF2_Fixed halfWidth = FT_MulFix(
-          ( secondHintEdge->csCoord -
-            firstHintEdge->csCoord ) / 2,
-          hintmap->scale );
+        CF2_Fixed midpoint =
+          cf2_hintmap_map(
+            hintmap->initialHintMap,
+            OVERFLOW_ADD_INT32( secondHintEdge->csCoord,
+                                firstHintEdge->csCoord ) / 2 );
+        CF2_Fixed halfWidth =
+          FT_MulFix(
+            OVERFLOW_SUB_INT32( secondHintEdge->csCoord,
+                                firstHintEdge->csCoord ) / 2,
+            hintmap->scale );
         firstHintEdge->dsCoord = midpoint - halfWidth;
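Review bot: The wrapped sum and difference are still combined with plain CF2_Fixed arithmetic on the context line `firstHintEdge->dsCoord = midpoint - halfWidth;` (and presumably in the matching secondHintEdge assignment just past the hunk), so the fuzzer-class inputs this commit targets can still trigger a signed overflow one statement later. If OVERFLOW_ADD_INT32/OVERFLOW_SUB_INT32 compute in unsigned and wrap rather than detect, as the names suggest, the new midpoint is well-defined but meaningless for such a glyph; a short comment stating that the wrap is intentional would make the contract explicit, e.g. `/* OVERFLOW_* wraps instead of detecting: a garbage midpoint for a */` `/* malformed glyph is acceptable here, undefined behaviour is not. */`. The enclosing function cf2_hintmap_insertHint starts and ends outside the hunk.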
diff --git a/src/cff/cf2intrp.c b/src/cff/cf2intrp.c
index 8f0785d59..463b7e89b 100644
--- a/src/cff/cf2intrp.c
+++ b/src/cff/cf2intrp.c
@@ -358,8 +358,11 @@
         if ( doConditionalLastRead )
         {
-          FT_Bool lastIsX = (FT_Bool)( cf2_fixedAbs( vals[10] - *curX ) >
-                                       cf2_fixedAbs( vals[11] - *curY ) );
+          FT_Bool lastIsX = (FT_Bool)(
+                              cf2_fixedAbs( OVERFLOW_SUB_INT32( vals[10],
+                                                                *curX ) ) >
+                              cf2_fixedAbs( OVERFLOW_SUB_INT32( vals[11],
+                                                                *curY ) ) );
           CF2_Fixed lastVal = cf2_stack_getReal( opStack, idx );
-- 
cgit v1.2.1
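Review bot: `cf2_fixedAbs( OVERFLOW_SUB_INT32( vals[10], *curX ) )` leaves one overflow edge open: if the wrapped difference is exactly the most negative CF2_Fixed value and cf2_fixedAbs negates with plain unary minus (its definition is not in this hunk), that negation is itself a signed overflow of the kind this commit fixes, and the same applies to the `*curY` operand. Either cf2_fixedAbs should negate through an overflow-tolerant helper consistent with these macros, or a comment on the lastIsX initializer should record that the INT32_MIN case is accepted because only a magnitude comparison is needed. The enclosing function cf2_doFlex starts and ends outside the hunk.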