
[freetype2] master 1ea3432: [cff, truetype] Integer overflows.


From: Werner LEMBERG
Subject: [freetype2] master 1ea3432: [cff, truetype] Integer overflows.
Date: Sat, 3 Jun 2017 00:52:55 -0400 (EDT)

branch: master
commit 1ea343228d8987afae5f58908581c1e59e26e9ad
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    [cff, truetype] Integer overflows.
    
    Reported as
    
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2047
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2057
    
    * src/cff/cf2hints.c (cf2_hintmap_map): Use OVERFLOW_SUB_INT32.
    
    * src/truetype/ttinterp.c (Ins_ADD): Use OVERFLOW_ADD_LONG.
    (Ins_SUB): Use OVERFLOW_SUB_LONG.
    (Ins_NEG): Use NEG_LONG.
---
 ChangeLog               | 15 +++++++++++++++
 src/cff/cf2hints.c      |  3 ++-
 src/truetype/ttinterp.c |  6 +++---
 src/type1/t1load.c      |  4 ++--
 4 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 5976f0e..83a239a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,20 @@
 2017-06-03  Werner Lemberg  <address@hidden>
 
+       [cff, truetype] Integer overflows.
+
+       Reported as
+
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2047
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2057
+
+       * src/cff/cf2hints.c (cf2_hintmap_map): Use OVERFLOW_SUB_INT32.
+
+       * src/truetype/ttinterp.c (Ins_ADD): Use OVERFLOW_ADD_LONG.
+       (Ins_SUB): Use OVERFLOW_SUB_LONG.
+       (Ins_NEG): Use NEG_LONG.
+
+2017-06-03  Werner Lemberg  <address@hidden>
+
        ftcalc.h: Avoid left-shift of negative numbers.
 
        Reported as
diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c
index dbd3c88..89af2ff 100644
--- a/src/cff/cf2hints.c
+++ b/src/cff/cf2hints.c
@@ -343,7 +343,8 @@
          * Use edge[i], the highest entry where csCoord >= entry[i].csCoord
          */
         return OVERFLOW_ADD_INT32(
-                 FT_MulFix( csCoord - hintmap->edge[i].csCoord,
+                 FT_MulFix( OVERFLOW_SUB_INT32( csCoord,
+                                                hintmap->edge[i].csCoord ),
                             hintmap->edge[i].scale ),
                  hintmap->edge[i].dsCoord );
       }
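Review bot: The OVERFLOW_SUB_INT32 wrapper on the csCoord subtraction, together with the existing OVERFLOW_ADD_INT32 around the result, removes the signed-overflow UB the fuzzer flagged, but as far as this hunk shows it does not reject the out-of-range hint: a wrapped difference still goes through FT_MulFix and is returned as a device coordinate. If the OVERFLOW_* macros wrap rather than saturate, as their naming suggests, that is worth stating at the call site so nobody later reads them as range checks, e.g. `/* OVERFLOW_* only make wrap-around defined; an edge this far from csCoord still yields a meaningless coordinate */`. Whether any caller clamps the returned value cannot be seen here, and cf2_hintmap_map begins and ends outside the hunk.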
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 775d110..cbb7540 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -2826,7 +2826,7 @@
   static void
   Ins_ADD( FT_Long*  args )
   {
-    args[0] += args[1];
+    args[0] = OVERFLOW_ADD_LONG( args[0], args[1] );
   }
 
 
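Review bot: Ins_ADD now has defined behaviour on operand overflow, but it carries no comment saying that ADD on out-of-range F26Dot6 operands silently wraps rather than raising an interpreter error, which is what a reader coming from the TrueType instruction set (which leaves overflow unspecified) would want to know. A one-line comment above the assignment would do, e.g. `/* signed overflow is UB in C; OVERFLOW_ADD_LONG wraps instead -- garbage, but well defined */`. Whether OVERFLOW_ADD_LONG wraps, saturates or traps is not visible in this hunk and should be confirmed against its definition before wording the comment.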
@@ -2839,7 +2839,7 @@
   static void
   Ins_SUB( FT_Long*  args )
   {
-    args[0] -= args[1];
+    args[0] = OVERFLOW_SUB_LONG( args[0], args[1] );
   }
 
 
@@ -2895,7 +2895,7 @@
   static void
   Ins_NEG( FT_Long*  args )
   {
-    args[0] = -args[0];
+    args[0] = NEG_LONG( args[0] );
   }
 
 
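Review bot: NEG_LONG in Ins_NEG addresses the one operand that cannot be negated in-range, the most negative FT_Long, but nothing in the hunk shows how that case is mapped (wrapped to itself or clamped), so the function should say so, e.g. `/* NEG_LONG: -x is UB for the most negative value; see its definition for the chosen result */`. If the neighbouring Ins_ABS still negates via a plain macro or `-args[0]`, it has the same hazard and is not part of this commit; worth a look while the macros are at hand.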
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index f5c661f..f569d6b 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -329,8 +329,8 @@
     for ( i = 0; i < mmaster.num_axis; i++ )
     {
       mmvar->axis[i].name    = mmaster.axis[i].name;
-      mmvar->axis[i].minimum = INT_TO_FIXED( mmaster.axis[i].minimum);
-      mmvar->axis[i].maximum = INT_TO_FIXED( mmaster.axis[i].maximum);
+      mmvar->axis[i].minimum = INT_TO_FIXED( mmaster.axis[i].minimum );
+      mmvar->axis[i].maximum = INT_TO_FIXED( mmaster.axis[i].maximum );
       mmvar->axis[i].def     = ( mmvar->axis[i].minimum +
                                    mmvar->axis[i].maximum ) / 2;
                             /* Does not apply.  But this value is in range */


