[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freetype2] master dde8f5a: [truetype] Integer overflows.
|
From: |
Werner LEMBERG |
|
Subject: |
[freetype2] master dde8f5a: [truetype] Integer overflows. |
|
Date: |
Tue, 27 Jun 2017 00:19:10 -0400 (EDT) |
branch: master
commit dde8f5abbe5a27af2186c3f0e2c702612d7ca930
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>
[truetype] Integer overflows.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2384
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2391
* src/base/ftcalc.c (FT_MulDiv, FT_MulDiv_No_Round, FT_DivFix): Use
NEG_LONG.
* src/truetype/ttinterp.c (Ins_SxVTL): Use NEG_LONG.
---
ChangeLog | 14 ++++++++++++++
src/base/ftcalc.c | 14 +++++++-------
src/truetype/ttinterp.c | 6 +++---
3 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f992e06..f79ab73 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,17 @@
+2017-06-27 Werner Lemberg <address@hidden>
+
+ [truetype] Integer overflows.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2384
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2391
+
+ * src/base/ftcalc.c (FT_MulDiv, FT_MulDiv_No_Round, FT_DivFix): Use
+ NEG_LONG.
+
+ * src/truetype/ttinterp.c (Ins_SxVTL): Use NEG_LONG.
+
2017-06-24 Werner Lemberg <address@hidden>
[truetype] Integer overflows.
diff --git a/src/base/ftcalc.c b/src/base/ftcalc.c
index cb10612..f27fcfd 100644
--- a/src/base/ftcalc.c
+++ b/src/base/ftcalc.c
@@ -193,7 +193,7 @@
d_ = (FT_Long)d;
- return s < 0 ? -d_ : d_;
+ return s < 0 ? NEG_LONG( d_ ) : d_;
}
@@ -222,7 +222,7 @@
d_ = (FT_Long)d;
- return s < 0 ? -d_ : d_;
+ return s < 0 ? NEG_LONG( d_ ) : d_;
}
@@ -269,7 +269,7 @@
q_ = (FT_Long)q;
- return s < 0 ? -q_ : q_;
+ return s < 0 ? NEG_LONG( q_ ) : q_;
}
@@ -456,7 +456,7 @@
a_ = (FT_Long)a;
- return s < 0 ? -a_ : a_;
+ return s < 0 ? NEG_LONG( a_ ) : a_;
}
@@ -499,7 +499,7 @@
a_ = (FT_Long)a;
- return s < 0 ? -a_ : a_;
+ return s < 0 ? NEG_LONG( a_ ) : a_;
}
@@ -595,7 +595,7 @@
a_ = (FT_Long)a;
- return s < 0 ? -a_ : a_;
+ return s < 0 ? NEG_LONG( a_ ) : a_;
#endif /* 0 */
@@ -648,7 +648,7 @@
q_ = (FT_Long)q;
- return s < 0 ? -q_ : q_;
+ return s < 0 ? NEG_LONG( q_ ) : q_;
}
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 8e7809a..24318bf 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -4260,9 +4260,9 @@
if ( ( opcode & 1 ) != 0 )
{
- C = B; /* counter clockwise rotation */
- B = A;
- A = -C;
+ C = B; /* counter clockwise rotation */
+ B = A;
+ A = NEG_LONG( C );
}
Normalize( A, B, Vec );
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [freetype2] master dde8f5a: [truetype] Integer overflows.,
Werner LEMBERG <=