

ref: b27cef27ffc37cb14190a1860523d6a1aa9bc783
parent: 298e2ea5a6c2e3264f8abaa8b1d2371fb4c77f4d
author: Werner Lemberg <[email protected]>
date: Sat Jun 24 16:17:46 EDT 2017

[truetype] Integer overflows.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2364

* src/truetype/ttinterp.c (Ins_ISECT): Use NEG_LONG.

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2017-06-24  Werner Lemberg  <[email protected]>
+
+	[truetype] Integer overflows.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2364
+
+	* src/truetype/ttinterp.c (Ins_ISECT): Use NEG_LONG.
+
 2017-06-22  Werner Lemberg  <[email protected]>
 
 	[cff, truetype] Integer overflows.
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -6487,7 +6487,7 @@
     dx = SUB_LONG( exc->zp0.cur[b0].x, exc->zp1.cur[a0].x );
     dy = SUB_LONG( exc->zp0.cur[b0].y, exc->zp1.cur[a0].y );
 
-    discriminant = ADD_LONG( FT_MulDiv( dax, -dby, 0x40 ),
+    discriminant = ADD_LONG( FT_MulDiv( dax, NEG_LONG( dby ), 0x40 ),
                              FT_MulDiv( day, dbx, 0x40 ) );
     dotproduct   = ADD_LONG( FT_MulDiv( dax, dbx, 0x40 ),
                              FT_MulDiv( day, dby, 0x40 ) );
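Review bot: The `NEG_LONG( dby )` argument carries no comment saying why a macro replaces unary minus, so a later tidy-up could quietly restore `-dby`; the same applies to the identical change to `val` in the next hunk. I would add a line above the discriminant assignment such as `/* NEG_LONG, not unary minus: negating the most negative value is signed overflow */`. dby is computed outside this hunk, so whether it can actually hold that value is inferred from the fuzzer report in the commit message rather than from the visible lines.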
@@ -6502,7 +6502,7 @@
     /* thresholding abs(tan(angle)) at 1/19, corresponding to 3 degrees. */
     if ( MUL_LONG( 19, FT_ABS( discriminant ) ) > FT_ABS( dotproduct ) )
     {
-      val = ADD_LONG( FT_MulDiv( dx, -dby, 0x40 ),
+      val = ADD_LONG( FT_MulDiv( dx, NEG_LONG( dby ), 0x40 ),
                       FT_MulDiv( dy, dbx, 0x40 ) );
 
       R.x = FT_MulDiv( val, dax, discriminant );
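Review bot: The threshold test `MUL_LONG( 19, FT_ABS( discriminant ) ) > FT_ABS( dotproduct )` still negates its operands. If FT_ABS expands to a plain `-(a)` for negative values, as it appears to, a discriminant or dotproduct equal to the most negative long hits the same signed overflow this commit removes for dby. Both values are ADD_LONG sums from the previous hunk, which presumably wrap rather than saturate, so the extreme value looks reachable from font data. One option is to exclude it before the comparison, e.g. `if ( discriminant != LONG_MIN && dotproduct != LONG_MIN && MUL_LONG( 19, FT_ABS( discriminant ) ) > FT_ABS( dotproduct ) )`, using the project's own limit macro if it has one. The `if` block and whatever fallback follows it continue past the end of the hunk, so confirm that the untaken path is the right result for such inputs.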