

ref: 3802ca8b643dbc966d12ef11ed8e2e5893cabef2
parent: cd02d359a6d0455e9d16b87bf9665961c4699538
author: Werner Lemberg <[email protected]>
date: Fri Jun 2 04:44:20 EDT 2017

[cff] Fix integer overflows.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2027
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2028

* src/cff/cf2hints.c (cf2_hintmap_insertHint), src/cff/cf2intrp.c
(cf2_doFlex): Use OVERFLOW_ADD_INT32 and OVERFLOW_SUB_INT32.

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2017-06-02  Werner Lemberg  <[email protected]>
+
+	[cff] Fix integer overflows.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2027
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2028
+
+	* src/cff/cf2hints.c (cf2_hintmap_insertHint), src/cff/cf2intrp.c
+	(cf2_doFlex): Use OVERFLOW_ADD_INT32 and OVERFLOW_SUB_INT32.
+
 2017-06-01  Werner Lemberg  <[email protected]>
 
 	[smooth] Some 32bit integer overflow run-time errors.
--- a/src/cff/cf2hints.c
+++ b/src/cff/cf2hints.c
@@ -638,14 +638,16 @@
       {
         /* Use hint map to position the center of stem, and nominal scale */
         /* to position the two edges.  This preserves the stem width.     */
-        CF2_Fixed  midpoint  = cf2_hintmap_map(
-                                 hintmap->initialHintMap,
-                                 ( secondHintEdge->csCoord +
-                                   firstHintEdge->csCoord ) / 2 );
-        CF2_Fixed  halfWidth = FT_MulFix(
-                                 ( secondHintEdge->csCoord -
-                                   firstHintEdge->csCoord ) / 2,
-                                 hintmap->scale );
+        CF2_Fixed  midpoint =
+                     cf2_hintmap_map(
+                       hintmap->initialHintMap,
+                       OVERFLOW_ADD_INT32( secondHintEdge->csCoord,
+                                           firstHintEdge->csCoord ) / 2 );
+        CF2_Fixed  halfWidth =
+                     FT_MulFix(
+                       OVERFLOW_SUB_INT32( secondHintEdge->csCoord,
+                                           firstHintEdge->csCoord ) / 2,
+                       hintmap->scale );
 
 
         firstHintEdge->dsCoord  = midpoint - halfWidth;
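Review bot: The assignment `firstHintEdge->dsCoord  = midpoint - halfWidth;` on the last line of the hunk still performs plain int32 subtraction on values derived from the same font-controlled csCoord inputs the commit just guarded, so the overflow is only moved one statement down rather than removed. It should become `firstHintEdge->dsCoord  = OVERFLOW_SUB_INT32( midpoint, halfWidth );`, and the symmetric secondHintEdge assignment that presumably follows it should use `OVERFLOW_ADD_INT32( midpoint, halfWidth )` for the same reason. Whether OVERFLOW_SUB_INT32 saturates or merely sidesteps undefined behaviour depends on its definition, which is not part of this diff, so a reader of the hint-map code cannot tell from here whether an out-of-range edge coordinate is still possible after the guard. cf2_hintmap_insertHint begins and ends outside the hunk.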
--- a/src/cff/cf2intrp.c
+++ b/src/cff/cf2intrp.c
@@ -358,8 +358,11 @@
 
     if ( doConditionalLastRead )
     {
-      FT_Bool    lastIsX = (FT_Bool)( cf2_fixedAbs( vals[10] - *curX ) >
-                                        cf2_fixedAbs( vals[11] - *curY ) );
+      FT_Bool    lastIsX = (FT_Bool)(
+                             cf2_fixedAbs( OVERFLOW_SUB_INT32( vals[10],
+                                                               *curX ) ) >
+                               cf2_fixedAbs( OVERFLOW_SUB_INT32( vals[11],
+                                                                 *curY ) ) );
       CF2_Fixed  lastVal = cf2_stack_getReal( opStack, idx );