From dde8f5abbe5a27af2186c3f0e2c702612d7ca930 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Tue, 27 Jun 2017 06:16:04 +0200
Subject: [PATCH] [truetype] Integer overflows.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2384
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2391

* src/base/ftcalc.c (FT_MulDiv, FT_MulDiv_No_Round, FT_DivFix): Use
NEG_LONG.

* src/truetype/ttinterp.c (Ins_SxVTL): Use NEG_LONG.
---
 ChangeLog               | 14 ++++++++++++++
 src/base/ftcalc.c       | 14 +++++++-------
 src/truetype/ttinterp.c |  6 +++---
 3 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f992e068a..f79ab736d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,17 @@
+2017-06-27  Werner Lemberg
+
+	[truetype] Integer overflows.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2384
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2391
+
+	* src/base/ftcalc.c (FT_MulDiv, FT_MulDiv_No_Round, FT_DivFix): Use
+	NEG_LONG.
+
+	* src/truetype/ttinterp.c (Ins_SxVTL): Use NEG_LONG.
+
 2017-06-24  Werner Lemberg
 
 	[truetype] Integer overflows.
diff --git a/src/base/ftcalc.c b/src/base/ftcalc.c
index cb10612d4..f27fcfda0 100644
--- a/src/base/ftcalc.c
+++ b/src/base/ftcalc.c
@@ -193,7 +193,7 @@
 
       d_ = (FT_Long)d;
 
-    return s < 0 ? -d_ : d_;
+    return s < 0 ? NEG_LONG( d_ ) : d_;
   }
 
 
@@ -222,7 +222,7 @@
 
       d_ = (FT_Long)d;
 
-    return s < 0 ? -d_ : d_;
+    return s < 0 ? NEG_LONG( d_ ) : d_;
   }
 
 
@@ -269,7 +269,7 @@
 
       q_ = (FT_Long)q;
 
-    return s < 0 ? -q_ : q_;
+    return s < 0 ? NEG_LONG( q_ ) : q_;
   }
 
 
@@ -456,7 +456,7 @@
 
       a_ = (FT_Long)a;
 
-    return s < 0 ? -a_ : a_;
+    return s < 0 ? NEG_LONG( a_ ) : a_;
   }
 
 
@@ -499,7 +499,7 @@
 
       a_ = (FT_Long)a;
 
-    return s < 0 ? -a_ : a_;
+    return s < 0 ? NEG_LONG( a_ ) : a_;
   }
 
 
@@ -595,7 +595,7 @@
 
       a_ = (FT_Long)a;
 
-    return s < 0 ? -a_ : a_;
+    return s < 0 ? NEG_LONG( a_ ) : a_;
 
 #endif /* 0 */
 
@@ -648,7 +648,7 @@
 
       q_ = (FT_Long)q;
 
-    return s < 0 ? -q_ : q_;
+    return s < 0 ? NEG_LONG( q_ ) : q_;
   }
 
 
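Review bot: NEG_LONG( d_ ) removes the undefined behaviour of `-d_` when d_ holds LONG_MIN, but the context line `d_ = (FT_Long)d;` just above it is where such a value enters: converting a value of d above LONG_MAX to FT_Long is implementation-defined and in practice yields a negative d_, which the `s >= 0` branch still returns unchanged, with the wrong sign. Unless the arithmetic before the hunk already bounds d to LONG_MAX (it is outside the hunk, so I cannot tell), the positive branch deserves the same attention as the negative one; at minimum a comment such as `/* d is assumed <= LONG_MAX here; NEG_LONG only keeps the negation defined */` on the return line would record the assumption. The same `x_ = (FT_Long)x;` pattern and the same point apply to the hunks at lines 222, 269, 456, 499, 595 and 648 (the 595 one appears to be compiled out by an enclosing `#if 0`, judging from the `#endif /* 0 */` context). Every hunk shows only the tail of its function; the function heads are outside the hunks.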
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 8e7809a7d..24318bf1b 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -4260,9 +4260,9 @@
 
     if ( ( opcode & 1 ) != 0 )
     {
-      C = B;   /* counter clockwise rotation */
-      B = A;
-      A = -C;
+      C = B;   /* counter clockwise rotation */
+      B = A;
+      A = NEG_LONG( C );
     }
 
     Normalize( A, B, Vec );
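Review bot: `A = NEG_LONG( C );` keeps the negation defined when C == LONG_MIN, but the result is then still LONG_MIN, so the rotated vector handed to Normalize( A, B, Vec ) on the following context line carries an A with the wrong sign rather than an error; whether that is harmless depends on how Normalize treats extreme components, which is outside the hunk. If C is already bounded by the point arithmetic earlier in the function (not visible here), a short comment like `/* NEG_LONG wraps rather than traps for LONG_MIN */` is enough; otherwise a range check before the rotation would be the sturdier fix. The two preceding lines of the block appear to differ from their removed counterparts only in whitespace, which makes the real change harder to spot when backporting this fix. The enclosing function (Ins_SxVTL per the commit message) starts outside the hunk.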