From 0aca17cf53f099f9ea34b3797949076073b60b5d Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Tue, 22 Aug 2017 08:25:14 +0200
Subject: [PATCH] [truetype] Integer overflow.

Changes triggered by https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3107
* src/truetype/ttinterp.c (Ins_MDRP, Ins_MIRP, Ins_ALIGNPTS): Use NEG_LONG.
---
 ChangeLog | 11 +++++++++++
 src/truetype/ttinterp.c | 15 +++++++++------
 2 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 236842ee8..10319520e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2017-08-22 Werner Lemberg
+
+ [truetype] Integer overflow.
+
+ Changes triggered by
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3107
+
+ * src/truetype/ttinterp.c (Ins_MDRP, Ins_MIRP, Ins_ALIGNPTS): Use
+ NEG_LONG.
+
 2017-08-17 Alexei Podtelezhnikov
 [sfnt] Avoid synthetic unicode for symbol fonts with PUA.
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index bc201554e..ddcc839bb 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -6119,8 +6119,8 @@
 }
 else
 {
- if ( distance > -minimum_distance )
- distance = -minimum_distance;
+ if ( distance > NEG_LONG( minimum_distance ) )
+ distance = NEG_LONG( minimum_distance );
 }
 }
@@ -6303,8 +6303,8 @@
 }
 else
 {
- if ( distance > -minimum_distance )
- distance = -minimum_distance;
+ if ( distance > NEG_LONG( minimum_distance ) )
+ distance = NEG_LONG( minimum_distance );
 }
 }
@@ -6355,7 +6355,10 @@
 }
 if ( reverse_move )
- exc->func_move( exc, &exc->zp1, point, -( distance - cur_dist ) );
+ exc->func_move( exc,
+ &exc->zp1,
+ point,
+ SUB_LONG( cur_dist, distance ) );
 }
 #endif /* TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY */
@@ -6557,7 +6560,7 @@
 distance = PROJECT( exc->zp0.cur + p2, exc->zp1.cur + p1 ) / 2;
 exc->func_move( exc, &exc->zp1, p1, distance );
- exc->func_move( exc, &exc->zp0, p2, -distance );
+ exc->func_move( exc, &exc->zp0, p2, NEG_LONG( distance ) );
 }
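Review bot: In the `@@ -6119,8` hunk, and identically in `@@ -6303,8`, the clamp no longer performs a signed negation, but nothing records what happens at the edge of the range. If NEG_LONG negates through unsigned arithmetic (its definition is not on this page), the most negative `minimum_distance` maps back to itself, so `distance` is clamped to that most negative value instead of to a bound near zero. As the report came from fuzzing, that value can presumably be driven by font bytecode, so I would add a comment above the comparison: `/* NEG_LONG wraps for the most negative value; defined, but not a true negation */`. It would also be cleaner to compute the negated value once into a local rather than expanding the macro in both the test and the assignment. Both enclosing functions start and end outside their hunks.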
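Review bot: The rewritten call in the `@@ -6355,7` hunk reverses the operands, with `SUB_LONG( cur_dist, distance )` standing in for `-( distance - cur_dist )`, and without a comment the swap can read like a sign error on a later edit. A one-line comment above the call would make the equivalence explicit: `/* cur_dist - distance, i.e. the negated delta, without signed overflow */`. The function and the conditional block closed by the `#endif` both begin outside the hunk.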
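Review bot: In the `@@ -6557,7` hunk `distance` is the result of `PROJECT( … ) / 2`, so, assuming it has the same signed type as that result, its magnitude is at most half the type's range and the old `-distance` could not overflow. `NEG_LONG( distance )` is harmless and consistent with the other hunks, but it does not remove an overflow on this line. If the fuzzer finding involved this function, the arithmetic worth checking is probably the point difference inside `PROJECT`, which is not visible here. A comment such as `/* distance is halved above, so negation cannot overflow; NEG_LONG kept for consistency */` would stop a later reader from assuming this line was the fix. The enclosing function starts outside the hunk.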