[truetype] Mask numeric overflows.

* src/truetype/ttinterp.c (Move_CVT, Move_CVT_Stretched, Ins_MIRP):
Mask numeric overflows.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11681
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11734
Armin Hasitzka 2019-02-21 10:14:57 +00:00
parent 5e3a38b194
commit 8ea854bfe9
2 changed files with 16 additions and 3 deletions

@ -1,3 +1,15 @@
2019-02-21 Armin Hasitzka <prince.cherusker@gmail.com>
[truetype] Mask numeric overflows.
* src/truetype/ttinterp.c (Move_CVT, Move_CVT_Stretched, Ins_MIRP):
Mask numeric overflows.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11681
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11734
2019-02-21 Armin Hasitzka <prince.cherusker@gmail.com>
[psaux] Mask numeric overflow.

@ -1564,7 +1564,7 @@
FT_ULong idx,
FT_F26Dot6 value )
{
exc->cvt[idx] += value;
exc->cvt[idx] = ADD_LONG( exc->cvt[idx], value );
}
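Review bot: In Move_CVT, the new `exc->cvt[idx] = ADD_LONG( exc->cvt[idx], value );` line removes the signed-overflow undefined behaviour but still stores a silently wrapped value in the CVT entry when the sum does not fit, and nothing here says that is intended. ADD_LONG performs the addition in unsigned arithmetic and casts back, so a one-line comment stating that wraparound is accepted for malformed bytecode would make the intent clear to the next reader. Separately, the visible body writes to `exc->cvt[idx]` without any bounds check on `idx`; please confirm that every caller validates the index before reaching this function.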
@ -1573,7 +1573,8 @@
FT_ULong idx,
FT_F26Dot6 value )
{
exc->cvt[idx] += FT_DivFix( value, Current_Ratio( exc ) );
exc->cvt[idx] = ADD_LONG( exc->cvt[idx],
FT_DivFix( value, Current_Ratio( exc ) );
}
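Review bot: The replacement statement in Move_CVT_Stretched has unbalanced parentheses as shown here. `ADD_LONG(`, `FT_DivFix(` and `Current_Ratio(` open three groups, but the second line closes only two before the semicolon, so the ADD_LONG call is never closed. The continuation line should end with one more closing parenthesis, i.e. `FT_DivFix( value, Current_Ratio( exc ) ) );`. Please check the tree still compiles with this hunk applied.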
@ -6311,7 +6312,7 @@
if ( exc->GS.auto_flip )
{
if ( ( org_dist ^ cvt_dist ) < 0 )
cvt_dist = -cvt_dist;
cvt_dist = NEG_LONG( cvt_dist );
}
#ifdef TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY
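Review bot: In the auto_flip branch of Ins_MIRP, `cvt_dist = NEG_LONG( cvt_dist );` does not flip the sign when cvt_dist is the most negative FT_Long value: the unsigned negation wraps back to the same value. After this branch `( org_dist ^ cvt_dist ) < 0` can therefore still hold, which is the condition the flip was meant to clear. That is an acceptable outcome for fuzzed input as long as the code that consumes cvt_dist afterwards does not assume the signs now agree; a short comment on that line noting the edge case would be useful.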