freetype-commit
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[freetype2] master eaa9adf: [truetype] Integer overflows.

From: Werner LEMBERG
Subject: [freetype2] master eaa9adf: [truetype] Integer overflows.
Date: Wed, 20 Sep 2017 02:00:22 -0400 (EDT) 
branch: master
commit eaa9adf325e1612bdc7134648205597d055cb99c
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    [truetype] Integer overflows.
    
    Changes triggered by
    
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3429
    
    * src/truetype/ttinterp.c (Ins_SHPIX, Ins_DELTAP): Use NEG_LONG.
    (Ins_MIAP): Use SUB_LONG.
---
 ChangeLog               | 11 +++++++++++
 src/truetype/ttinterp.c | 12 ++++++++----
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 0aff98f..f08b56a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2017-09-20  Werner Lemberg  <address@hidden>
+
+       [truetype] Integer overflows.
+
+       Changes triggered by
+
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3429
+
+       * src/truetype/ttinterp.c (Ins_SHPIX, Ins_DELTAP): Use NEG_LONG.
+       (Ins_MIAP): Use SUB_LONG.
+
 2017-09-19  Alexei Podtelezhnikov  <address@hidden>
 
        [build] Fix DLL builds in Visual C++ project.
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index ddcc839..c3d7103 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -5690,7 +5690,11 @@
                    ( B1 & 63 ) != 0                                           
&&
                    ( B2 & 63 ) != 0                                           
&&
                    B1 != B2                                                   )
-                Move_Zp2_Point( exc, point, -dx, -dy, TRUE );
+                Move_Zp2_Point( exc,
+                                point,
+                                NEG_LONG( dx ),
+                                NEG_LONG( dy ),
+                                TRUE );
             }
           }
           else if ( exc->face->sph_compatibility_mode )
@@ -5722,7 +5726,7 @@
               if ( ( B1 & 63 ) == 0 &&
                    ( B2 & 63 ) != 0 &&
                    B1 != B2         )
-                Move_Zp2_Point( exc, point, 0, -dy, TRUE );
+                Move_Zp2_Point( exc, point, 0, NEG_LONG( dy ), TRUE );
             }
           }
           else if ( exc->sph_in_func_flags & SPH_FDEF_TYPEMAN_DIAGENDCTRL )
@@ -5991,7 +5995,7 @@
                                     exc->tt_metrics.compensations[0] );
     }
 
-    exc->func_move( exc, &exc->zp0, point, distance - org_dist );
+    exc->func_move( exc, &exc->zp0, point, SUB_LONG( distance, org_dist ) );
 
   Fail:
     exc->GS.rp0 = point;
@@ -7153,7 +7157,7 @@
                          SPH_TWEAK_SKIP_NONPIXEL_Y_MOVES_DELTAP ) &&
                        ( B1 & 63 ) != 0                           &&
                        ( B2 & 63 ) != 0                           ) ) )
-                exc->func_move( exc, &exc->zp0, A, -B );
+                exc->func_move( exc, &exc->zp0, A, NEG_LONG( B ) );
             }
           }
           else
reply via email to
[Prev in Thread] Current Thread [Next in Thread]