ref: 8667042997cb9095d3c925417b29f5a3163ab352
parent: 9fa8a2997f869c6172a12a9497b3ca649806ec4d
author: Werner Lemberg <[email protected]>
date: Mon Jun 5 02:20:53 EDT 2017
[cff] Integer overflow. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2089 * src/cff/cffload.c (cff_blend_doBlend): User OVERFLOW_ADD_INT32.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2017-06-05 Werner Lemberg <[email protected]>
+
+ [cff] Integer overflow.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2089
+
+ * src/cff/cffload.c (cff_blend_doBlend): User OVERFLOW_ADD_INT32.
+
2017-06-04 Werner Lemberg <[email protected]>
[cff, truetype] Integer overflows.
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -1352,9 +1352,12 @@
sum = cff_parse_num( parser, &parser->stack[i + base] ) * 65536;
for ( j = 1; j < blend->lenBV; j++ )
- sum += FT_MulFix( *weight++,
- cff_parse_num( parser,
- &parser->stack[delta++] ) * 65536 );
+ sum = OVERFLOW_ADD_INT32(
+ sum,
+ FT_MulFix(
+ *weight++,
+ cff_parse_num( parser,
+ &parser->stack[delta++] ) * 65536 ) );
/* point parser stack to new value on blend_stack */
parser->stack[i + base] = subFont->blend_top;