From ec7d2e5f683dab0d1471cbc1f25d0e65aae63b5d Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Thu, 28 Sep 2017 14:21:34 +0200 Subject: [PATCH] * src/psaux/psintrp.c (cf2_doStems): Fix integer overflow. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3510 --- ChangeLog | 8 ++++++++ src/psaux/psintrp.c | 4 ++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9d0bbbb72..7a613b124 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2017-09-28 Werner Lemberg + + * src/psaux/psintrp.c (cf2_doStems): Fix integer overflow. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3510 + 2017-09-28 Ewald Hew * src/cid/cidgload.c (cid_slot_load_glyph): Fix memory leak. diff --git a/src/psaux/psintrp.c b/src/psaux/psintrp.c index 9e6718702..ab6ed4954 100644 --- a/src/psaux/psintrp.c +++ b/src/psaux/psintrp.c @@ -297,8 +297,8 @@ " No width. Use hsbw/sbw as first op\n" )); } if ( !font->isT1 && hasWidthArg && !*haveWidth ) - *width = cf2_stack_getReal( opStack, 0 ) + - cf2_getNominalWidthX( font->decoder ); + *width = ADD_INT32( cf2_stack_getReal( opStack, 0 ), + cf2_getNominalWidthX( font->decoder ) ); if ( font->decoder->width_only ) goto exit;
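Review bot: The new `*width = ADD_INT32( cf2_stack_getReal( opStack, 0 ), cf2_getNominalWidthX( font->decoder ) );` line removes the signed-overflow undefined behavior, but if ADD_INT32 is FreeType's usual unsigned-cast-and-add macro it wraps silently instead of rejecting an out-of-range sum, so a fuzzed nominalWidthX plus stack value can still produce a nonsensical width with no error path. That is defensible for an advance width that is only consumed as a metric, but the intent deserves a comment on the line so the next reader does not take the macro for a range check: `/* wrapping add: avoids UB on malformed fonts; result is not validated */`. Any other site in this interpreter that still forms a width as `cf2_stack_getReal( opStack, ... ) + cf2_getNominalWidthX( font->decoder )` with a plain `+` has the same overflow and should receive the same treatment; the hunk does not show whether such sites remain. The enclosing function cf2_doStems starts and ends outside the hunk, so the surrounding width_only handling could not be checked here.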