diff --git a/src/hb-algs.hh b/src/hb-algs.hh
index 681c447c5..59acfb055 100644
--- a/src/hb-algs.hh
+++ b/src/hb-algs.hh
@@ -607,12 +607,6 @@ hb_memset (void *s, int c, unsigned int n)
 return memset (s, c, n);
 }
-static inline bool
-hb_unsigned_mul_overflows (unsigned int count, unsigned int size)
-{
- return (size > 0) && (count >= ((unsigned int) -1) / size);
-}
-
 static inline unsigned int
 hb_ceil_to_4 (unsigned int v)
 {
@@ -640,6 +634,29 @@ hb_in_ranges (T u, T lo1, T hi1, T lo2, T hi2, T lo3, T hi3)
 }
+/*
+ * Overflow checking.
+ */
+
+/* Consider __builtin_mul_overflow use here also */
+static inline bool
+hb_unsigned_mul_overflows (unsigned int count, unsigned int size)
+{
+ return (size > 0) && (count >= ((unsigned int) -1) / size);
+}
+
+/* Right now we only have one use for signed overflow and as it
+ * is GCC 5.1 > and clang we don't care about its fallback ATM */
+#ifndef __has_builtin
+# define __has_builtin(x) 0
+#endif
+#if __has_builtin(__builtin_mul_overflow)
+# define hb_signed_mul_overflows(x, y, result) __builtin_mul_overflow(x, y, &result)
+#else
+# define hb_signed_mul_overflows(x, y, result) (result = (x) * (y), false)
+#endif + + /* + * Sort and search. */
diff --git a/src/hb-ot-var-avar-table.hh b/src/hb-ot-var-avar-table.hh
index 1022b00cf..f5235ac56 100644
--- a/src/hb-ot-var-avar-table.hh
+++ b/src/hb-ot-var-avar-table.hh
@@ -89,10 +89,14 @@ struct SegmentMaps : ArrayOf
 if (unlikely (arrayZ[i-1].fromCoord == arrayZ[i].fromCoord))
 return arrayZ[i-1].toCoord;
+ int factor;
+ if (hb_signed_mul_overflows (arrayZ[i].toCoord - arrayZ[i-1].toCoord,
+ value - arrayZ[i-1].fromCoord,
+ factor))
+ return arrayZ[i-1].toCoord;
+
 int denom = arrayZ[i].fromCoord - arrayZ[i-1].fromCoord;
- return arrayZ[i-1].toCoord +
- ((arrayZ[i].toCoord - arrayZ[i-1].toCoord) *
- (value - arrayZ[i-1].fromCoord) + denom/2) / denom;
+ return arrayZ[i-1].toCoord + (factor + denom/2) / denom;
 #undef toCoord
 #undef fromCoord
 }
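Review bot: The `#else` fallback of the new `hb_signed_mul_overflows` still evaluates `(x) * (y)` in `int` and then reports `false`, so on a compiler without `__builtin_mul_overflow` the signed overflow this macro exists to catch is undefined behaviour and the caller continues as if the check had passed. The gate also fails more often than the "GCC 5.1 >" comment suggests: GCC only gained `__has_builtin` in version 10, so the `#define __has_builtin(x) 0` shim sends GCC 5–9, which do ship the builtin, down the unchecked path; a gate such as `#if __has_builtin(__builtin_mul_overflow) || (defined(__GNUC__) && __GNUC__ >= 5)` keeps those compilers on the builtin. For the remaining compilers a fallback that multiplies in `long long` and detects truncation on narrowing, as below, avoids the undefined behaviour; it assumes `int` is narrower than `long long`, which holds on the usual ILP32/LP64/LLP64 targets but should be confirmed for anything exotic. The `hb_unsigned_mul_overflows` body is byte-identical to the copy removed in the first hunk, so only the new macro needs attention.
```cpp
#else
/* Portable fallback: multiply in a wider type and detect truncation on narrowing. */
static inline bool
hb_signed_mul_overflows_fallback (int x, int y, int &result)
{
  long long wide = (long long) x * (long long) y;
  result = (int) wide;
  return (long long) result != wide;
}
# define hb_signed_mul_overflows(x, y, result) hb_signed_mul_overflows_fallback (x, y, result)
#endif
```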
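Review bot: The rewritten return `return arrayZ[i-1].toCoord + (factor + denom/2) / denom;` still performs an unchecked signed addition: `factor` may be anywhere up to `INT_MAX` once the multiply passes the new check, and `denom/2` is positive whenever the segment is ascending, so `factor + denom/2` can overflow in the same way the product did before this commit (the added fuzzer case presumably exercises the multiply rather than this sum). Widening the tail closes it without a second check: `long long numer = (long long) factor + denom/2;` followed by `return arrayZ[i-1].toCoord + (int) (numer / denom);`; the quotient always fits in `int` because `|numer / denom| <= |factor| / |denom| + 1/2`, and the preceding equal-`fromCoord` early return keeps `denom` nonzero so the division itself is safe. Whether the outer addition with `toCoord` can still overflow depends on the declared width of `toCoord`, which is not visible in this hunk. The enclosing function starts before the hunk.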
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-draw-fuzzer-5712313459146752 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-draw-fuzzer-5712313459146752
new file mode 100644
index 000000000..319a56cdb
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-draw-fuzzer-5712313459146752 differ