[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freetype2] master 0c14a3a: [truetype] Fix integer overflow.
|
From: |
Werner LEMBERG |
|
Subject: |
[freetype2] master 0c14a3a: [truetype] Fix integer overflow. |
|
Date: |
Fri, 13 Dec 2019 18:04:26 -0500 (EST) |
branch: master
commit 0c14a3adb08ca5aaac3188a63246361c50b069d4
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>
[truetype] Fix integer overflow.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19305
* src/truetype/ttinterp.c (Ins_MIRP): Use `ADD_LONG'.
---
ChangeLog | 10 ++++++++++
src/truetype/ttinterp.c | 14 ++++++++------
2 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 0c3f4e4..720a38c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2019-12-14 Werner Lemberg <address@hidden>
+
+ [truetype] Fix integer overflow.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19305
+
+ * src/truetype/ttinterp.c (Ins_MIRP): Use `ADD_LONG'.
+
2019-12-13 Werner Lemberg <address@hidden>
Another bunch of UBSan warnings on adding offsets to nullptr.
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index cedc4a5..7d021eb 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -6346,12 +6346,14 @@
/* twilight points (confirmed by Greg Hitchcock) */
if ( exc->GS.gep1 == 0 )
{
- exc->zp1.org[point].x = exc->zp0.org[exc->GS.rp0].x +
- TT_MulFix14( cvt_dist,
- exc->GS.freeVector.x );
- exc->zp1.org[point].y = exc->zp0.org[exc->GS.rp0].y +
- TT_MulFix14( cvt_dist,
- exc->GS.freeVector.y );
+ exc->zp1.org[point].x = ADD_LONG(
+ exc->zp0.org[exc->GS.rp0].x,
+ TT_MulFix14( cvt_dist,
+ exc->GS.freeVector.x ) );
+ exc->zp1.org[point].y = ADD_LONG(
+ exc->zp0.org[exc->GS.rp0].y,
+ TT_MulFix14( cvt_dist,
+ exc->GS.freeVector.y ) );
exc->zp1.cur[point] = exc->zp1.org[point];
}
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [freetype2] master 0c14a3a: [truetype] Fix integer overflow.,
Werner LEMBERG <=