[cff] Fix handling of `roll' op in old engine.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10080 * src/psaux/cffdecode.c (cff_decoder_parse_charstrings) <cff_op_roll> [CFF_CONFIG_OPTION_OLD_ENGINE]: Use modulo for loop count, as documented in the specification.
6 years ago · 3915a18b8c
parent 2c8e6279a7
commit 3915a18b8c
3 changed files with 20 additions and 0 deletions
--- a/12
+++ b/12
@ -1,3 +1,15 @@
+2018-08-29  Werner Lemberg  <wl@gnu.org>
+
+	[cff] Fix handling of `roll' op in old engine.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10080
+
+	* src/psaux/cffdecode.c (cff_decoder_parse_charstrings) <cff_op_roll>
+	[CFF_CONFIG_OPTION_OLD_ENGINE]: Use modulo for loop count, as
+	documented in the specification.
+
 2018-08-26  Werner Lemberg  <wl@gnu.org>

 	* src/truetype/ttobjs.c (tt_size_read_bytecode): Trace CVT values.
--- a/src/psaux/cffdecode.c
+++ b/src/psaux/cffdecode.c
@ -1821,6 +1821,7 @@

            if ( idx >= 0 )
            {
+              idx = idx % count;
              while ( idx > 0 )
              {
                FT_Fixed  tmp = args[count - 1];
@ -1835,6 +1836,10 @@
            }
            else
            {
+              /* before C99 it is implementation-defined whether    */
+              /* the result of `%' is negative if the first operand */
+              /* is negative                                        */
+              idx = -( ( -idx ) % count );
              while ( idx < 0 )
              {
                FT_Fixed  tmp = args[0];
--- a/src/psaux/psstack.c
+++ b/src/psaux/psstack.c
@ -258,6 +258,9 @@
      return;
    }

+    /* before C99 it is implementation-defined whether    */
+    /* the result of `%' is negative if the first operand */
+    /* is negative                                        */
    if ( shift < 0 )
      shift = -( ( -shift ) % count );
    else