

ref: bfe53294757b03873b1432b7c1cd3e027802c634
parent: f56830ed406f90f6f53ee6367f2068a0f27bf90b
author: Werner Lemberg <[email protected]>
date: Fri Oct 26 20:07:53 EDT 2018

[psaux] Fix numeric overflow.

Triggered by

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11157

* src/psaux/cffdecode.c (cff_decoder_parse_charstrings) <cff_op_blend>
[CFF_CONFIG_OPTION_OLD_ENGINE]: Fix integer overflow.

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2018-10-27  Werner Lemberg  <[email protected]>
+
+	[psaux] Fix numeric overflow.
+
+	Triggered by
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11157
+
+	* src/psaux/cffdecode.c (cff_decoder_parse_charstrings) <cff_op_blend>
+	[CFF_CONFIG_OPTION_OLD_ENGINE]: Fix integer overflow.
+
 2018-10-20  Werner Lemberg  <[email protected]>
 
 	Avoid endless loop while tracing (#54858).
--- a/src/psaux/cffdecode.c
+++ b/src/psaux/cffdecode.c
@@ -1950,7 +1950,8 @@
             if ( num_results < 0 )
               goto Syntax_Error;
 
-            if ( num_results * (FT_Int)num_designs > num_args )
+            if ( num_results > num_args                       ||
+                 num_results * (FT_Int)num_designs > num_args )
               goto Stack_Underflow;
 
             /* since we currently don't handle interpolation of multiple */
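Review bot: The added `num_results > num_args` test narrows but does not close the overflow window: the product `num_results * (FT_Int)num_designs` on the following line is still evaluated in signed arithmetic, and it overflows whenever num_designs is large relative to the stack bound on num_args, which this hunk does not constrain. If num_designs is already known to be small and non-zero at this point (presumably validated earlier in the function, outside the hunk), that invariant is what makes the fix sound and deserves a comment above the condition, e.g. `/* num_results <= num_args (stack-bounded) and num_designs is small, so the product cannot overflow */`. An alternative that does not rely on that invariant is to divide rather than multiply, `if ( num_results > num_args / (FT_Int)num_designs )`, which also subsumes the first comparison for num_designs >= 1; it does presuppose num_designs != 0, which a reader cannot confirm from this hunk. cff_decoder_parse_charstrings begins and ends outside the hunk.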