ref: 0716c6ab7a1c43ba88192498d23e84178e216820
parent: 7a4276fb9095430b86b329f52fb8dfe26f966dcd
author: Werner Lemberg <[email protected]>
date: Fri Jun 2 15:24:03 EDT 2017
[cff] Even more integer overflows. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2046 * src/cff/cf2intrp.c (cf2_doStems, cf2_interpT2CharString): Use OVERFLOW_ADD_INT32.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,16 @@
2017-06-02 Werner Lemberg <[email protected]>
+ [cff] Even more integer overflows.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2046
+
+ * src/cff/cf2intrp.c (cf2_doStems, cf2_interpT2CharString): Use
+ OVERFLOW_ADD_INT32.
+
+2017-06-02 Werner Lemberg <[email protected]>
+
[cff] More integer overflows.
Reported as
--- a/src/cff/cf2intrp.c
+++ b/src/cff/cf2intrp.c
@@ -304,10 +304,12 @@
CF2_StemHintRec stemhint;
- stemhint.min =
- position += cf2_stack_getReal( opStack, i );
- stemhint.max =
- position += cf2_stack_getReal( opStack, i + 1 );
+ stemhint.min =
+ position = OVERFLOW_ADD_INT32( position,
+ cf2_stack_getReal( opStack, i ) );
+ stemhint.max =
+ position = OVERFLOW_ADD_INT32( position,
+ cf2_stack_getReal( opStack, i + 1 ) );
stemhint.used = FALSE;
stemhint.maxDS =
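Review bot: The rewritten `stemhint.min = position = OVERFLOW_ADD_INT32( position, cf2_stack_getReal( opStack, i ) );` makes the accumulation well-defined but not bounded: if the macro, as its name suggests, only removes the signed-overflow undefined behaviour (for instance by adding in unsigned arithmetic) rather than saturating, a crafted stem operand can still wrap `position`, and the `stemhint.min`/`stemhint.max` pair written here may come out inverted or far outside the glyph box. Nothing in this hunk checks the relation between the two values after the additions, so whatever consumes the hint list must tolerate such pairs; a comment at the first addition would make that explicit, e.g. `/* keeps the sum defined, not sane: a malformed font can still wrap position */`. The same pattern is applied to `curX`/`curY` in the hunk at line 1619, which runs past this view. cf2_doStems itself starts outside the hunk, so whether `position` is range-checked elsewhere cannot be seen here.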
@@ -1617,8 +1619,8 @@
if ( font->decoder->width_only )
goto exit;
- curY += cf2_stack_popFixed( opStack );
- curX += cf2_stack_popFixed( opStack );
+ curY = OVERFLOW_ADD_INT32( curY, cf2_stack_popFixed( opStack ) );
+ curX = OVERFLOW_ADD_INT32( curX, cf2_stack_popFixed( opStack ) );
cf2_glyphpath_moveTo( &glyphPath, curX, curY );