diff --git a/ChangeLog b/ChangeLog index 0c3f4e4a1..720a38c17 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2019-12-14 Werner Lemberg + + [truetype] Fix integer overflow. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19305 + + * src/truetype/ttinterp.c (Ins_MIRP): Use `ADD_LONG'. + 2019-12-13 Werner Lemberg Another bunch of UBSan warnings on adding offsets to nullptr. diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c index cedc4a522..7d021eb7c 100644 --- a/src/truetype/ttinterp.c +++ b/src/truetype/ttinterp.c @@ -6346,12 +6346,14 @@ /* twilight points (confirmed by Greg Hitchcock) */ if ( exc->GS.gep1 == 0 ) { - exc->zp1.org[point].x = exc->zp0.org[exc->GS.rp0].x + - TT_MulFix14( cvt_dist, - exc->GS.freeVector.x ); - exc->zp1.org[point].y = exc->zp0.org[exc->GS.rp0].y + - TT_MulFix14( cvt_dist, - exc->GS.freeVector.y ); + exc->zp1.org[point].x = ADD_LONG( + exc->zp0.org[exc->GS.rp0].x, + TT_MulFix14( cvt_dist, + exc->GS.freeVector.x ) ); + exc->zp1.org[point].y = ADD_LONG( + exc->zp0.org[exc->GS.rp0].y, + TT_MulFix14( cvt_dist, + exc->GS.freeVector.y ) ); exc->zp1.cur[point] = exc->zp1.org[point]; }