From 6b660f12151c7f333f8be6d84df916db210d3742 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Tue, 2 Oct 2018 16:48:59 +0200
Subject: [PATCH] [psaux] Fix numeric overflow.

Reported as

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10768

* src/psaux/cffdecode.c (cff_decoder_parse_charstrings)
[CFF_CONFIG_OPTION_OLD_ENGINE]: Use NEG_INT.
---
 ChangeLog | 11 +++++++++++
 src/psaux/cffdecode.c | 2 +-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 8a308a652..123cc515f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2018-10-02 Werner Lemberg
+
+ [psaux] Fix numeric overflow.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10768
+
+ * src/psaux/cffdecode.c (cff_decoder_parse_charstrings)
+ [CFF_CONFIG_OPTION_OLD_ENGINE]: Use NEG_INT.
+
 2018-10-02 Werner Lemberg
 
 [pshinter] Handle numeric overflow.
diff --git a/src/psaux/cffdecode.c b/src/psaux/cffdecode.c
index 0576ca6ee..b90a82853 100644
--- a/src/psaux/cffdecode.c
+++ b/src/psaux/cffdecode.c
@@ -1839,7 +1839,7 @@
 /* before C99 it is implementation-defined whether */
 /* the result of `%' is negative if the first operand */
 /* is negative */
- idx = -( ( -idx ) % count );
+ idx = -( NEG_INT( idx ) % count );
 while ( idx < 0 )
 {
 FT_Fixed tmp = args[0];
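Review bot: On the new `idx = -( NEG_INT( idx ) % count );` line in src/psaux/cffdecode.c, the most negative `idx` is still a special case that the code does not document: if NEG_INT negates through unsigned arithmetic (its definition is not in this hunk), that value comes back unchanged and still negative, so the left operand of `%` is negative again, which is the very case the comment above calls implementation-defined before C99. With C99 semantics the final `idx` would then be zero or positive and the `while ( idx < 0 )` loop is skipped for that input, which comes from charstring data in the font. I would either extend the comment, e.g. `/* NEG_INT avoids signed overflow; the most negative idx stays negative */`, or do the reduction in unsigned, `idx = -(FT_Int)( ( 0U - (FT_UInt)idx ) % (FT_UInt)count );`, provided `count` is known to be positive at this point. The enclosing branch and any check on `count` lie outside the hunk, so that precondition needs confirming against the full function.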