[truetype] Integer overflow.

Changes triggered by https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3107 * src/truetype/ttinterp.c (Ins_MDRP, Ins_MIRP, Ins_ALIGNPTS): Use NEG_LONG.
8 years ago · 0aca17cf53
parent 7653c76533
commit 0aca17cf53
2 changed files with 20 additions and 6 deletions
--- a/11
+++ b/11
@ -1,3 +1,14 @@
+2017-08-22  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Integer overflow.
+
+	Changes triggered by
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3107
+
+	* src/truetype/ttinterp.c (Ins_MDRP, Ins_MIRP, Ins_ALIGNPTS): Use
+	NEG_LONG.
+
 2017-08-17  Alexei Podtelezhnikov  <apodtele@gmail.com>

 	[sfnt] Avoid synthetic unicode for symbol fonts with PUA.
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@ -6119,8 +6119,8 @@
      }
      else
      {
-        if ( distance > -minimum_distance )
-          distance = -minimum_distance;
+        if ( distance > NEG_LONG( minimum_distance ) )
+          distance = NEG_LONG( minimum_distance );
      }
    }

@ -6303,8 +6303,8 @@
      }
      else
      {
-        if ( distance > -minimum_distance )
-          distance = -minimum_distance;
+        if ( distance > NEG_LONG( minimum_distance ) )
+          distance = NEG_LONG( minimum_distance );
      }
    }

@ -6355,7 +6355,10 @@
      }

      if ( reverse_move )
-        exc->func_move( exc, &exc->zp1, point, -( distance - cur_dist ) );
+        exc->func_move( exc,
+                        &exc->zp1,
+                        point,
+                        SUB_LONG( cur_dist, distance ) );
    }

 #endif /* TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY */
@ -6557,7 +6560,7 @@
    distance = PROJECT( exc->zp0.cur + p2, exc->zp1.cur + p1 ) / 2;

    exc->func_move( exc, &exc->zp1, p1, distance );
-    exc->func_move( exc, &exc->zp0, p2, -distance );
+    exc->func_move( exc, &exc->zp0, p2, NEG_LONG( distance ) );
  }