diff options
| author | Werner Lemberg <wl@gnu.org> | 2017-06-03 06:52:13 +0200 |
|---|---|---|
| committer | Werner Lemberg <wl@gnu.org> | 2017-06-03 06:52:13 +0200 |
| commit | 1ea343228d8987afae5f58908581c1e59e26e9ad (patch) | |
| tree | 1edc34a46038737fc06f01cfb7b5c5340524d89a | |
| parent | c5a225413ffd6f3e032cede5a14d64a2c2c047a2 (diff) | |
| download | freetype2-1ea343228d8987afae5f58908581c1e59e26e9ad.tar.gz | |
[cff, truetype] Integer overflows.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2047
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2057
* src/cff/cf2hints.c (cf2_hintmap_map): Use OVERFLOW_SUB_INT32.
* src/truetype/ttinterp.c (Ins_ADD): Use OVERFLOW_ADD_LONG.
(Ins_SUB): Use OVERFLOW_SUB_LONG.
(Ins_NEG): Use NEG_LONG.
| -rw-r--r-- | ChangeLog | 15 | ||||
| -rw-r--r-- | src/cff/cf2hints.c | 3 | ||||
| -rw-r--r-- | src/truetype/ttinterp.c | 6 | ||||
| -rw-r--r-- | src/type1/t1load.c | 4 |
4 files changed, 22 insertions, 6 deletions
@@ -1,5 +1,20 @@ 2017-06-03 Werner Lemberg <wl@gnu.org> + [cff, truetype] Integer overflows. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2047 + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2057 + + * src/cff/cf2hints.c (cf2_hintmap_map): Use OVERFLOW_SUB_INT32. + + * src/truetype/ttinterp.c (Ins_ADD): Use OVERFLOW_ADD_LONG. + (Ins_SUB): Use OVERFLOW_SUB_LONG. + (Ins_NEG): Use NEG_LONG. + +2017-06-03 Werner Lemberg <wl@gnu.org> + ftcalc.h: Avoid left-shift of negative numbers. Reported as diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c index dbd3c8864..89af2ff7a 100644 --- a/src/cff/cf2hints.c +++ b/src/cff/cf2hints.c @@ -343,7 +343,8 @@ * Use edge[i], the highest entry where csCoord >= entry[i].csCoord */ return OVERFLOW_ADD_INT32( - FT_MulFix( csCoord - hintmap->edge[i].csCoord, + FT_MulFix( OVERFLOW_SUB_INT32( csCoord, + hintmap->edge[i].csCoord ), hintmap->edge[i].scale ), hintmap->edge[i].dsCoord ); } diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c index 775d11047..cbb754094 100644 --- a/src/truetype/ttinterp.c +++ b/src/truetype/ttinterp.c @@ -2826,7 +2826,7 @@ static void Ins_ADD( FT_Long* args ) { - args[0] += args[1]; + args[0] = OVERFLOW_ADD_LONG( args[0], args[1] ); } @@ -2839,7 +2839,7 @@ static void Ins_SUB( FT_Long* args ) { - args[0] -= args[1]; + args[0] = OVERFLOW_SUB_LONG( args[0], args[1] ); } @@ -2895,7 +2895,7 @@ static void Ins_NEG( FT_Long* args ) { - args[0] = -args[0]; + args[0] = NEG_LONG( args[0] ); } diff --git a/src/type1/t1load.c b/src/type1/t1load.c index f5c661f7d..f569d6bec 100644 --- a/src/type1/t1load.c +++ b/src/type1/t1load.c @@ -329,8 +329,8 @@ for ( i = 0; i < mmaster.num_axis; i++ ) { mmvar->axis[i].name = mmaster.axis[i].name; - mmvar->axis[i].minimum = INT_TO_FIXED( mmaster.axis[i].minimum); - mmvar->axis[i].maximum = INT_TO_FIXED( mmaster.axis[i].maximum); + mmvar->axis[i].minimum = INT_TO_FIXED( mmaster.axis[i].minimum ); + mmvar->axis[i].maximum = INT_TO_FIXED( mmaster.axis[i].maximum ); mmvar->axis[i].def = ( mmvar->axis[i].minimum + mmvar->axis[i].maximum ) / 2; /* Does not apply. But this value is in range */ |