ref: 0aca17cf53f099f9ea34b3797949076073b60b5d
parent: 7653c76533dcde3d87bd7af5a2c12e8c95412c12
author: Werner Lemberg <[email protected]>
date: Tue Aug 22 04:25:14 EDT 2017
[truetype] Integer overflow. Changes triggered by https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3107 * src/truetype/ttinterp.c (Ins_MDRP, Ins_MIRP, Ins_ALIGNPTS): Use NEG_LONG.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2017-08-22 Werner Lemberg <[email protected]>
+
+ [truetype] Integer overflow.
+
+ Changes triggered by
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3107
+
+ * src/truetype/ttinterp.c (Ins_MDRP, Ins_MIRP, Ins_ALIGNPTS): Use
+ NEG_LONG.
+
2017-08-17 Alexei Podtelezhnikov <[email protected]>
[sfnt] Avoid synthetic unicode for symbol fonts with PUA.
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -6119,8 +6119,8 @@
}
else
{- if ( distance > -minimum_distance )
- distance = -minimum_distance;
+ if ( distance > NEG_LONG( minimum_distance ) )
+ distance = NEG_LONG( minimum_distance );
}
}
@@ -6303,8 +6303,8 @@
}
else
{- if ( distance > -minimum_distance )
- distance = -minimum_distance;
+ if ( distance > NEG_LONG( minimum_distance ) )
+ distance = NEG_LONG( minimum_distance );
}
}
@@ -6355,7 +6355,10 @@
}
if ( reverse_move )
- exc->func_move( exc, &exc->zp1, point, -( distance - cur_dist ) );
+ exc->func_move( exc,
+ &exc->zp1,
+ point,
+ SUB_LONG( cur_dist, distance ) );
}
#endif /* TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY */
@@ -6557,7 +6560,7 @@
distance = PROJECT( exc->zp0.cur + p2, exc->zp1.cur + p1 ) / 2;
exc->func_move( exc, &exc->zp1, p1, distance );
- exc->func_move( exc, &exc->zp0, p2, -distance );
+ exc->func_move( exc, &exc->zp0, p2, NEG_LONG( distance ) );
}