diff --git a/ChangeLog b/ChangeLog
index 74dc50f1b..e4a4db9ee 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@
+2017-06-15 Werner Lemberg
+
+	[bdf, cff] Integer overflows.
+
+	Reported as
+
+	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2244
+	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2261
+
+	* src/bdf/bdfdrivr.c (BDF_Face_Init): Replace calls to FT_ABS with
+	direct code to avoid value negation.
+
+	* src/cff/cf2blues.c (cf2_blues_capture): Use SUB_INT32 and
+	ADD_INT32.
+
 2017-06-13 Werner Lemberg
 
 	* src/winfonts/winfnt.c (FNT_Face_Init): Don't set active encoding.
diff --git a/src/bdf/bdfdrivr.c b/src/bdf/bdfdrivr.c
index 09cb489d2..37e6eea1c 100644
--- a/src/bdf/bdfdrivr.c
+++ b/src/bdf/bdfdrivr.c
@@ -442,13 +442,13 @@ THE SOFTWARE.
     FT_ZERO( bsize );
 
     /* sanity checks */
-    if ( FT_ABS( font->font_ascent ) > 0x7FFF )
+    if ( font->font_ascent > 0x7FFF || font->font_ascent < -0x7FFF )
     {
       font->font_ascent = font->font_ascent < 0 ? -0x7FFF : 0x7FFF;
       FT_TRACE0(( "BDF_Face_Init: clamping font ascent to value %d\n",
                   font->font_ascent ));
     }
-    if ( FT_ABS( font->font_descent ) > 0x7FFF )
+    if ( font->font_descent > 0x7FFF || font->font_descent < -0x7FFF )
     {
       font->font_descent = font->font_descent < 0 ? -0x7FFF : 0x7FFF;
       FT_TRACE0(( "BDF_Face_Init: clamping font descent to value %d\n",
@@ -464,7 +464,8 @@ THE SOFTWARE.
       if ( prop->value.l < 0 )
         FT_TRACE0(( "BDF_Face_Init: negative average width\n" ));
 #endif
-      if ( ( FT_ABS( prop->value.l ) > 0x7FFFL * 10 - 5 ) )
+      if ( prop->value.l > 0x7FFFL * 10 - 5 ||
+           prop->value.l < -( 0x7FFFL * 10 - 5 ) )
       {
         bsize->width = 0x7FFF;
         FT_TRACE0(( "BDF_Face_Init: clamping average width to value %d\n",
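Review bot: The two rewritten comparisons (`font->font_ascent > 0x7FFF || font->font_ascent < -0x7FFF` and the descent twin) need a one-line comment saying why `FT_ABS` was dropped, because the expanded form reads like a gratuitous rewrite and the next cleanup pass may fold it back: `/* no FT_ABS here: negating the most negative value is undefined */`. The ChangeLog entry gives the reason ("avoid value negation") but nothing in bdfdrivr.c itself does. The trace calls kept as context pass `font->font_ascent` / `font->font_descent` to a `%d` conversion; if those fields are `long` (the hunk does not show their type), that is a format mismatch in trace builds on LP64 targets and wants an `(int)` cast. BDF_Face_Init begins and ends outside this hunk.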
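Review bot: The bound `0x7FFFL * 10 - 5` is now spelled twice in the new condition, once negated, so the two halves can drift apart on a later edit; a named local such as `FT_Long  max_avg_width = 0x7FFFL * 10 - 5;` used as `prop->value.l > max_avg_width || prop->value.l < -max_avg_width` keeps them tied. Note also that, unlike the ascent/descent checks in the hunk above, a value below the negative bound here is clamped to `+0x7FFF` rather than to a value of the same sign; that is presumably intended for a width, but a short comment on the `bsize->width = 0x7FFF;` line would make it explicit. What happens to in-range negative values is decided outside this hunk.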
@@ -487,7 +488,8 @@ THE SOFTWARE.
         FT_TRACE0(( "BDF_Face_Init: negative point size\n" ));
 #endif
       /* convert from 722.7 decipoints to 72 points per inch */
-      if ( FT_ABS( prop->value.l ) > 0x504C2L ) /* 0x7FFF * 72270/7200 */
+      if ( prop->value.l > 0x504C2L || /* 0x7FFF * 72270/7200 */
+           prop->value.l < -0x504C2L )
       {
         bsize->size = 0x7FFF;
         FT_TRACE0(( "BDF_Face_Init: clamping point size to value %d\n",
@@ -511,7 +513,7 @@ THE SOFTWARE.
       if ( prop->value.l < 0 )
         FT_TRACE0(( "BDF_Face_Init: negative pixel size\n" ));
 #endif
-      if ( FT_ABS( prop->value.l ) > 0x7FFF )
+      if ( prop->value.l > 0x7FFF || prop->value.l < -0x7FFF )
       {
         bsize->y_ppem = 0x7FFF << 6;
         FT_TRACE0(( "BDF_Face_Init: clamping pixel size to value %d\n",
@@ -528,7 +530,7 @@ THE SOFTWARE.
       if ( prop->value.l < 0 )
         FT_TRACE0(( "BDF_Face_Init: negative X resolution\n" ));
 #endif
-      if ( FT_ABS( prop->value.l ) > 0x7FFF )
+      if ( prop->value.l > 0x7FFF || prop->value.l < -0x7FFF )
       {
         resolution_x = 0x7FFF;
         FT_TRACE0(( "BDF_Face_Init: clamping X resolution to value %d\n",
@@ -545,7 +547,7 @@ THE SOFTWARE.
       if ( prop->value.l < 0 )
         FT_TRACE0(( "BDF_Face_Init: negative Y resolution\n" ));
 #endif
-      if ( FT_ABS( prop->value.l ) > 0x7FFF )
+      if ( prop->value.l > 0x7FFF || prop->value.l < -0x7FFF )
       {
         resolution_y = 0x7FFF;
         FT_TRACE0(( "BDF_Face_Init: clamping Y resolution to value %d\n",
diff --git a/src/cff/cf2blues.c b/src/cff/cf2blues.c
index 5ba5f9ceb..f5b44b21c 100644
--- a/src/cff/cf2blues.c
+++ b/src/cff/cf2blues.c
@@ -489,10 +489,10 @@
         if ( blues->zone[i].bottomZone &&
              cf2_hint_isBottom( bottomHintEdge ) )
         {
-          if ( ( blues->zone[i].csBottomEdge - csFuzz ) <=
-                 bottomHintEdge->csCoord &&
+          if ( SUB_INT32( blues->zone[i].csBottomEdge, csFuzz ) <=
+               bottomHintEdge->csCoord &&
                bottomHintEdge->csCoord <=
-                 ( blues->zone[i].csTopEdge + csFuzz ) )
+               ADD_INT32( blues->zone[i].csTopEdge, csFuzz ) )
           {
             /* bottom edge captured by bottom zone */
 
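Review bot: The `SUB_INT32` / `ADD_INT32` calls on the `+` lines remove the undefined signed overflow, but if these are the unsigned-cast helpers their names suggest they wrap rather than saturate, so an extreme `csFuzz` or zone edge now produces a well-defined but wrong capture decision instead of a trap. That is the right trade for a fuzzer finding, yet a reader will take the macros for a range check unless told otherwise; suggest a comment on the first `+` line: `/* wrapping arithmetic: avoids UB, does not bound the result */`. Whether `csFuzz` and the zone edges are limited before this point cannot be seen from the hunk. cf2_blues_capture starts and ends outside this hunk.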
@@ -524,10 +524,10 @@
         if ( !blues->zone[i].bottomZone &&
              cf2_hint_isTop( topHintEdge ) )
         {
-          if ( ( blues->zone[i].csBottomEdge - csFuzz ) <=
-                 topHintEdge->csCoord &&
+          if ( ( SUB_INT32( blues->zone[i].csBottomEdge, csFuzz ) ) <=
+               topHintEdge->csCoord &&
                topHintEdge->csCoord <=
-               ADD_INT32( blues->zone[i].csTopEdge, csFuzz ) )
           {
             /* top edge captured by top zone */
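Review bot: The first `+` line wraps the macro call in an extra pair of parentheses, `( SUB_INT32( blues->zone[i].csBottomEdge, csFuzz ) ) <=`, which the otherwise identical bottom-zone test in the previous hunk does not do; the two conditions should be written the same way, i.e. `if ( SUB_INT32( blues->zone[i].csBottomEdge, csFuzz ) <=`. The redundant parentheses are harmless if the macro already parenthesizes its expansion, which the hunk cannot confirm, but the asymmetry invites a reader to look for a difference that is not there. cf2_blues_capture starts and ends outside this hunk.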