[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freetype2] master 5c402d9: [cff, truetype] Integer overflows.
|
From: |
Werner LEMBERG |
|
Subject: |
[freetype2] master 5c402d9: [cff, truetype] Integer overflows. |
|
Date: |
Tue, 13 Jun 2017 00:59:11 -0400 (EDT) |
branch: master
commit 5c402d97afcc98cbb8d8e049409533f747c4c514
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>
[cff, truetype] Integer overflows.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2216
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2218
* src/cff/cf2fixed.h (cf2_fixedAbs): Use NEG_INT32.
* src/truetype/ttinterp.c (Ins_IP): Use SUB_LONG.
---
ChangeLog | 13 +++++++++++++
src/cff/cf2fixed.h | 2 +-
src/truetype/ttinterp.c | 14 +++++++++-----
3 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index ef88237..fe0f795 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@
+2017-06-13 Werner Lemberg <address@hidden>
+
+ [cff, truetype] Integer overflows.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2216
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2218
+
+ * src/cff/cf2fixed.h (cf2_fixedAbs): Use NEG_INT32.
+
+ * src/truetype/ttinterp.c (Ins_IP): Use SUB_LONG.
+
2017-06-11 Werner Lemberg <address@hidden>
[cff] Integer overflows.
diff --git a/src/cff/cf2fixed.h b/src/cff/cf2fixed.h
index d8e695b..a041184 100644
--- a/src/cff/cf2fixed.h
+++ b/src/cff/cf2fixed.h
@@ -66,7 +66,7 @@ FT_BEGIN_HEADER
#define cf2_doubleToFixed( f ) \
( (CF2_Fixed)( (f) * 65536.0 + 0.5 ) )
#define cf2_fixedAbs( x ) \
- ( (x) < 0 ? -(x) : (x) )
+ ( (x) < 0 ? NEG_INT32( x ) : (x) )
#define cf2_fixedFloor( x ) \
( (CF2_Fixed)( (FT_UInt32)(x) & 0xFFFF0000UL ) )
#define cf2_fixedFraction( x ) \
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index e527dfd..4e1167a 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -6627,9 +6627,11 @@
FT_Vector vec;
- vec.x = FT_MulFix( exc->zp1.orus[exc->GS.rp2].x - orus_base->x,
+ vec.x = FT_MulFix( SUB_LONG( exc->zp1.orus[exc->GS.rp2].x,
+ orus_base->x ),
exc->metrics.x_scale );
- vec.y = FT_MulFix( exc->zp1.orus[exc->GS.rp2].y - orus_base->y,
+ vec.y = FT_MulFix( SUB_LONG( exc->zp1.orus[exc->GS.rp2].y,
+ orus_base->y ),
exc->metrics.y_scale );
old_range = FAST_DUALPROJ( &vec );
@@ -6664,9 +6666,11 @@
FT_Vector vec;
- vec.x = FT_MulFix( exc->zp2.orus[point].x - orus_base->x,
+ vec.x = FT_MulFix( SUB_LONG( exc->zp2.orus[point].x,
+ orus_base->x ),
exc->metrics.x_scale );
- vec.y = FT_MulFix( exc->zp2.orus[point].y - orus_base->y,
+ vec.y = FT_MulFix( SUB_LONG( exc->zp2.orus[point].y,
+ orus_base->y ),
exc->metrics.y_scale );
org_dist = FAST_DUALPROJ( &vec );
@@ -6705,7 +6709,7 @@
exc->func_move( exc,
&exc->zp2,
(FT_UShort)point,
- new_dist - cur_dist );
+ SUB_LONG( new_dist, cur_dist ) );
}
Fail:
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [freetype2] master 5c402d9: [cff, truetype] Integer overflows.,
Werner LEMBERG <=