[cff] Fix integer overflows.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2027 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2028 * src/cff/cf2hints.c (cf2_hintmap_insertHint), src/cff/cf2intrp.c (cf2_doFlex): Use OVERFLOW_ADD_INT32 and OVERFLOW_SUB_INT32.
8 years ago · 3802ca8b64
parent cd02d359a6
commit 3802ca8b64
3 changed files with 27 additions and 10 deletions
--- a/12
+++ b/12
@ -1,3 +1,15 @@
+2017-06-02  Werner Lemberg  <wl@gnu.org>
+
+	[cff] Fix integer overflows.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2027
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2028
+
+	* src/cff/cf2hints.c (cf2_hintmap_insertHint), src/cff/cf2intrp.c
+	(cf2_doFlex): Use OVERFLOW_ADD_INT32 and OVERFLOW_SUB_INT32.
+
 2017-06-01  Werner Lemberg  <wl@gnu.org>

 	[smooth] Some 32bit integer overflow run-time errors.
--- a/src/cff/cf2hints.c
+++ b/src/cff/cf2hints.c
@ -638,14 +638,16 @@
      {
        /* Use hint map to position the center of stem, and nominal scale */
        /* to position the two edges.  This preserves the stem width.     */
-        CF2_Fixed  midpoint  = cf2_hintmap_map(
-                                 hintmap->initialHintMap,
-                                 ( secondHintEdge->csCoord +
-                                   firstHintEdge->csCoord ) / 2 );
-        CF2_Fixed  halfWidth = FT_MulFix(
-                                 ( secondHintEdge->csCoord -
-                                   firstHintEdge->csCoord ) / 2,
-                                 hintmap->scale );
+        CF2_Fixed  midpoint =
+                     cf2_hintmap_map(
+                       hintmap->initialHintMap,
+                       OVERFLOW_ADD_INT32( secondHintEdge->csCoord,
+                                           firstHintEdge->csCoord ) / 2 );
+        CF2_Fixed  halfWidth =
+                     FT_MulFix(
+                       OVERFLOW_SUB_INT32( secondHintEdge->csCoord,
+                                           firstHintEdge->csCoord ) / 2,
+                       hintmap->scale );


        firstHintEdge->dsCoord  = midpoint - halfWidth;
--- a/src/cff/cf2intrp.c
+++ b/src/cff/cf2intrp.c
@ -358,8 +358,11 @@

    if ( doConditionalLastRead )
    {
-      FT_Bool    lastIsX = (FT_Bool)( cf2_fixedAbs( vals[10] - *curX ) >
-                                        cf2_fixedAbs( vals[11] - *curY ) );
+      FT_Bool    lastIsX = (FT_Bool)(
+                             cf2_fixedAbs( OVERFLOW_SUB_INT32( vals[10],
+                                                               *curX ) ) >
+                               cf2_fixedAbs( OVERFLOW_SUB_INT32( vals[11],
+                                                                 *curY ) ) );
      CF2_Fixed  lastVal = cf2_stack_getReal( opStack, idx );