author | Werner Lemberg <wl@gnu.org> | 2019-12-14 00:04:01 +0100 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2019-12-14 00:04:01 +0100 |
commit | 0c14a3adb08ca5aaac3188a63246361c50b069d4 (patch) | |
tree | fae778369e7bd0ce84e362fc6d1107efb3dbf9c7 /src | |
parent | 2c9a2d58ca9c8e58cae1d0b63f17e291297484eb (diff) | |
download | freetype2-0c14a3adb08ca5aaac3188a63246361c50b069d4.tar.gz |
[truetype] Fix integer overflow.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19305
* src/truetype/ttinterp.c (Ins_MIRP): Use `ADD_LONG'.
Diffstat (limited to 'src')
-rw-r--r-- | src/truetype/ttinterp.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c index cedc4a522..7d021eb7c 100644 --- a/src/truetype/ttinterp.c +++ b/src/truetype/ttinterp.c @@ -6346,12 +6346,14 @@ /* twilight points (confirmed by Greg Hitchcock) */ if ( exc->GS.gep1 == 0 ) { - exc->zp1.org[point].x = exc->zp0.org[exc->GS.rp0].x + - TT_MulFix14( cvt_dist, - exc->GS.freeVector.x ); - exc->zp1.org[point].y = exc->zp0.org[exc->GS.rp0].y + - TT_MulFix14( cvt_dist, - exc->GS.freeVector.y ); + exc->zp1.org[point].x = ADD_LONG( + exc->zp0.org[exc->GS.rp0].x, + TT_MulFix14( cvt_dist, + exc->GS.freeVector.x ) ); + exc->zp1.org[point].y = ADD_LONG( + exc->zp0.org[exc->GS.rp0].y, + TT_MulFix14( cvt_dist, + exc->GS.freeVector.y ) ); exc->zp1.cur[point] = exc->zp1.org[point]; } |
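Review bot: In the `exc->GS.gep1 == 0` branch, the result of each `ADD_LONG( ... )` call is stored in `exc->zp1.org[point]` and then copied unchanged into `exc->zp1.cur[point]` by the last statement, and the hunk does not say what value `ADD_LONG` yields when the sum is out of range. Please add a short comment next to the two calls stating the intended behaviour on overflow and whether later uses of this twilight point tolerate such a coordinate, so it is clear the change removes the signed-overflow report and does not just move the problem downstream. As a smaller point, the x and y statements are identical apart from the component; computing `TT_MulFix14( cvt_dist, exc->GS.freeVector.x )` and its y counterpart into locals first would shorten the four-line wrapped expressions and make the `ADD_LONG` arguments easier to read.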