[truetype] Fix integer overflow.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19305 * src/truetype/ttinterp.c (Ins_MIRP): Use `ADD_LONG'.
5 years ago · 0c14a3adb0
parent 2c9a2d58ca
commit 0c14a3adb0
2 changed files with 18 additions and 6 deletions
--- a/10
+++ b/10
@ -1,3 +1,13 @@
+2019-12-14  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Fix integer overflow.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19305
+
+	* src/truetype/ttinterp.c (Ins_MIRP): Use `ADD_LONG'.
+
 2019-12-13  Werner Lemberg  <wl@gnu.org>

 	Another bunch of UBSan warnings on adding offsets to nullptr.
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@ -6346,12 +6346,14 @@
    /* twilight points (confirmed by Greg Hitchcock)   */
    if ( exc->GS.gep1 == 0 )
    {
-      exc->zp1.org[point].x = exc->zp0.org[exc->GS.rp0].x +
-                              TT_MulFix14( cvt_dist,
-                                           exc->GS.freeVector.x );
-      exc->zp1.org[point].y = exc->zp0.org[exc->GS.rp0].y +
-                              TT_MulFix14( cvt_dist,
-                                           exc->GS.freeVector.y );
+      exc->zp1.org[point].x = ADD_LONG(
+                                exc->zp0.org[exc->GS.rp0].x,
+                                TT_MulFix14( cvt_dist,
+                                             exc->GS.freeVector.x ) );
+      exc->zp1.org[point].y = ADD_LONG(
+                                exc->zp0.org[exc->GS.rp0].y,
+                                TT_MulFix14( cvt_dist,
+                                             exc->GS.freeVector.y ) );
      exc->zp1.cur[point]   = exc->zp1.org[point];
    }