ref: dde8f5abbe5a27af2186c3f0e2c702612d7ca930
parent: b27cef27ffc37cb14190a1860523d6a1aa9bc783
author: Werner Lemberg <[email protected]>
date: Tue Jun 27 02:16:04 EDT 2017
[truetype] Integer overflows. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2384 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2391 * src/base/ftcalc.c (FT_MulDiv, FT_MulDiv_No_Round, FT_DivFix): Use NEG_LONG. * src/truetype/ttinterp.c (Ins_SxVTL): Use NEG_LONG.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,17 @@
+2017-06-27 Werner Lemberg <[email protected]>
+
+ [truetype] Integer overflows.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2384
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2391
+
+ * src/base/ftcalc.c (FT_MulDiv, FT_MulDiv_No_Round, FT_DivFix): Use
+ NEG_LONG.
+
+ * src/truetype/ttinterp.c (Ins_SxVTL): Use NEG_LONG.
+
2017-06-24 Werner Lemberg <[email protected]>
[truetype] Integer overflows.
--- a/src/base/ftcalc.c
+++ b/src/base/ftcalc.c
@@ -193,7 +193,7 @@
d_ = (FT_Long)d;
- return s < 0 ? -d_ : d_;
+ return s < 0 ? NEG_LONG( d_ ) : d_;
}
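Review bot: `NEG_LONG( d_ )` on the return line removes the signed-negation overflow, but when `d_` equals the most negative FT_Long the result presumably wraps back to that same value, so the caller gets a defined but still wrong magnitude, and nothing in the hunk documents that. The same applies to the other six return statements changed in this file (hunks at -222, -269, -456, -499, -595 and -648). I would add a comment above the first of them, e.g. `/* NEG_LONG avoids UB for d_ == FT_LONG_MIN; the result wraps and is not clamped */`, after confirming the macro's definition, which is outside this diff. The preceding cast `d_ = (FT_Long)d;` is also worth checking: if `d` is unsigned and can exceed the FT_Long range, that conversion is implementation-defined. The enclosing functions start outside the hunks.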
@@ -222,7 +222,7 @@
d_ = (FT_Long)d;
- return s < 0 ? -d_ : d_;
+ return s < 0 ? NEG_LONG( d_ ) : d_;
}
@@ -269,7 +269,7 @@
q_ = (FT_Long)q;
- return s < 0 ? -q_ : q_;
+ return s < 0 ? NEG_LONG( q_ ) : q_;
}
@@ -456,7 +456,7 @@
a_ = (FT_Long)a;
- return s < 0 ? -a_ : a_;
+ return s < 0 ? NEG_LONG( a_ ) : a_;
}
@@ -499,7 +499,7 @@
a_ = (FT_Long)a;
- return s < 0 ? -a_ : a_;
+ return s < 0 ? NEG_LONG( a_ ) : a_;
}
@@ -595,7 +595,7 @@
a_ = (FT_Long)a;
- return s < 0 ? -a_ : a_;
+ return s < 0 ? NEG_LONG( a_ ) : a_;
#endif /* 0 */
@@ -648,7 +648,7 @@
q_ = (FT_Long)q;
- return s < 0 ? -q_ : q_;
+ return s < 0 ? NEG_LONG( q_ ) : q_;
}
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -4260,9 +4260,9 @@
if ( ( opcode & 1 ) != 0 )
{
- C = B; /* counter clockwise rotation */
- B = A;
- A = -C;
+ C = B; /* counter clockwise rotation */
+ B = A;
+ A = NEG_LONG( C );
}
Normalize( A, B, Vec );
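Review bot: For `A = NEG_LONG( C );`, a `C` equal to the most negative FT_Long presumably comes back unchanged, so the vector handed to `Normalize( A, B, Vec )` is then not the rotation the comment describes. The values likely derive from glyph data that a font controls (the commit cites fuzzer reports), so the edge case stays reachable even though it is no longer undefined behaviour. A short comment such as `/* wraps for C == FT_LONG_MIN; the result is then not a true rotation */` would record this. The declarations of A, B and C and the start of Ins_SxVTL are outside the hunk.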