[base, cff, truetype] Integer overflows

System Internals / FreeType - Werner Lemberg [gnu.org] - 3 June 2017 15:05 EDT

Reported as

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2060
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2062
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2063
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2068

- src/base/ftobjs.c (ft_glyphslot_grid_fit_metrics): Use OVERFLOW_ADD_LONG and OVERFLOW_SUB_LONG.

- src/cff/cf2blues.c (cf2_blues_capture), src/cff/cf2hints.c (cf2_hintmap_adjustHints): Use OVERFLOW_SUB_INT32.

- src/truetype/ttgload.c (compute_glyph_metrics): Use OVERFLOW_SUB_LONG.

- src/truetype/ttinterp.c (Direct_Move, Direct_Move_Orig, Direct_Move_X, Direct_Move_Y, Direct_Move_Orig_X, Direct_Move_Orig_Y, Move_Zp2_Point, Ins_MSIRP): Use OVERFLOW_ADD_LONG and OVERFLOW_SUB_LONG.

addb2dd [base, cff, truetype] Integer overflows.
ChangeLog | 27 +++++++++++++++++++++++-
src/base/ftobjs.c | 24 ++++++++++++++-------
src/cff/cf2blues.c | 3 ++-
src/cff/cf2hints.c | 12 +++++++----
src/truetype/ttgload.c | 7 ++++---
src/truetype/ttinterp.c | 56 ++++++++++++++++++++++++++++++++-----------------
6 files changed, 93 insertions(+), 36 deletions(-)

Upstream: git.savannah.gnu.org
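The point of the commit is to replace plain signed `+`/`-` on glyph metrics, which is undefined behaviour on overflow, with macros that perform the operation in unsigned arithmetic so that wrap-around is well defined. The following is an added example, not FreeType's own code: the macro bodies are modelled on FreeType's unsigned-cast idiom but written here, and `would_add_overflow`, `would_sub_overflow` and `grid_fit_advance` are constructed helpers that show the overflow case a fuzzer-generated font can trigger and how a defender can detect it.

```c
#include <limits.h>
#include <stdio.h>

typedef long           FT_Long;
typedef unsigned long  FT_ULong;

/* Overflow-tolerant add/sub: the operation is done on FT_ULong, where  */
/* wrap-around is defined, then converted back.  Assumption: these      */
/* definitions mirror FreeType's idiom but are this example's own.      */
#define OVERFLOW_ADD_LONG( a, b )  (FT_Long)( (FT_ULong)(a) + (FT_ULong)(b) )
#define OVERFLOW_SUB_LONG( a, b )  (FT_Long)( (FT_ULong)(a) - (FT_ULong)(b) )

/* Return 1 if `a + b' would overflow a signed FT_Long, computed without */
/* performing the overflowing operation itself.                          */
int
would_add_overflow( FT_Long  a,
                    FT_Long  b )
{
  if ( b > 0 )
    return a > LONG_MAX - b;
  return a < LONG_MIN - b;
}

/* Same check for `a - b'.                                               */
int
would_sub_overflow( FT_Long  a,
                    FT_Long  b )
{
  if ( b < 0 )
    return a > LONG_MAX + b;
  return a < LONG_MIN + b;
}

/* Constructed stand-in for a grid-fitting step: round a 26.6 fixed-point */
/* advance up to the next whole pixel (64 units).  With an advance read   */
/* from a malformed font near LONG_MAX, a plain `advance + 63' is UB;     */
/* the macro makes it a defined wrap instead.                             */
FT_Long
grid_fit_advance( FT_Long  advance )
{
  return OVERFLOW_ADD_LONG( advance, 63 ) & ~63L;
}

int
main( void )
{
  FT_Long  hostile = LONG_MAX - 10;   /* constructed value */

  printf( "overflow expected: %d, wrapped result: %ld\n",
          would_add_overflow( hostile, 63 ), grid_fit_advance( hostile ) );
  return 0;
}
```

The detection helpers are what you would put behind an assertion or a fuzzer oracle; the macros are the production fix, which keeps the arithmetic defined rather than rejecting the font.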
