[bdf, cff] Integer overflows.
Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2244 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2261 * src/bdf/bdfdrivr.c (BDF_Face_Init): Replace calls to FT_ABS with direct code to avoid value negation. * src/cff/cf2blues.c (cf2_blues_capture): Use SUB_INT32 and ADD_INT32.
parent
79e3789f81
commit
dbeb7bce7f
15
ChangeLog
15
ChangeLog
@ -1,3 +1,18 @@
|
||||
2017-06-15 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
[bdf, cff] Integer overflows.
|
||||
|
||||
Reported as
|
||||
|
||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2244
|
||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2261
|
||||
|
||||
* src/bdf/bdfdrivr.c (BDF_Face_Init): Replace calls to FT_ABS with
|
||||
direct code to avoid value negation.
|
||||
|
||||
* src/cff/cf2blues.c (cf2_blues_capture): Use SUB_INT32 and
|
||||
ADD_INT32.
|
||||
|
||||
2017-06-13 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
* src/winfonts/winfnt.c (FNT_Face_Init): Don't set active encoding.
|
||||
|
@ -442,13 +442,13 @@ THE SOFTWARE.
|
||||
FT_ZERO( bsize );
|
||||
|
||||
/* sanity checks */
|
||||
if ( FT_ABS( font->font_ascent ) > 0x7FFF )
|
||||
if ( font->font_ascent > 0x7FFF || font->font_ascent < -0x7FFF )
|
||||
{
|
||||
font->font_ascent = font->font_ascent < 0 ? -0x7FFF : 0x7FFF;
|
||||
FT_TRACE0(( "BDF_Face_Init: clamping font ascent to value %d\n",
|
||||
font->font_ascent ));
|
||||
}
|
||||
if ( FT_ABS( font->font_descent ) > 0x7FFF )
|
||||
if ( font->font_descent > 0x7FFF || font->font_descent < -0x7FFF )
|
||||
{
|
||||
font->font_descent = font->font_descent < 0 ? -0x7FFF : 0x7FFF;
|
||||
FT_TRACE0(( "BDF_Face_Init: clamping font descent to value %d\n",
|
||||
@ -464,7 +464,8 @@ THE SOFTWARE.
|
||||
if ( prop->value.l < 0 )
|
||||
FT_TRACE0(( "BDF_Face_Init: negative average width\n" ));
|
||||
#endif
|
||||
if ( ( FT_ABS( prop->value.l ) > 0x7FFFL * 10 - 5 ) )
|
||||
if ( prop->value.l > 0x7FFFL * 10 - 5 ||
|
||||
prop->value.l < -( 0x7FFFL * 10 - 5 ) )
|
||||
{
|
||||
bsize->width = 0x7FFF;
|
||||
FT_TRACE0(( "BDF_Face_Init: clamping average width to value %d\n",
|
||||
@ -487,7 +488,8 @@ THE SOFTWARE.
|
||||
FT_TRACE0(( "BDF_Face_Init: negative point size\n" ));
|
||||
#endif
|
||||
/* convert from 722.7 decipoints to 72 points per inch */
|
||||
if ( FT_ABS( prop->value.l ) > 0x504C2L ) /* 0x7FFF * 72270/7200 */
|
||||
if ( prop->value.l > 0x504C2L || /* 0x7FFF * 72270/7200 */
|
||||
prop->value.l < -0x504C2L )
|
||||
{
|
||||
bsize->size = 0x7FFF;
|
||||
FT_TRACE0(( "BDF_Face_Init: clamping point size to value %d\n",
|
||||
@ -511,7 +513,7 @@ THE SOFTWARE.
|
||||
if ( prop->value.l < 0 )
|
||||
FT_TRACE0(( "BDF_Face_Init: negative pixel size\n" ));
|
||||
#endif
|
||||
if ( FT_ABS( prop->value.l ) > 0x7FFF )
|
||||
if ( prop->value.l > 0x7FFF || prop->value.l < -0x7FFF )
|
||||
{
|
||||
bsize->y_ppem = 0x7FFF << 6;
|
||||
FT_TRACE0(( "BDF_Face_Init: clamping pixel size to value %d\n",
|
||||
@ -528,7 +530,7 @@ THE SOFTWARE.
|
||||
if ( prop->value.l < 0 )
|
||||
FT_TRACE0(( "BDF_Face_Init: negative X resolution\n" ));
|
||||
#endif
|
||||
if ( FT_ABS( prop->value.l ) > 0x7FFF )
|
||||
if ( prop->value.l > 0x7FFF || prop->value.l < -0x7FFF )
|
||||
{
|
||||
resolution_x = 0x7FFF;
|
||||
FT_TRACE0(( "BDF_Face_Init: clamping X resolution to value %d\n",
|
||||
@ -545,7 +547,7 @@ THE SOFTWARE.
|
||||
if ( prop->value.l < 0 )
|
||||
FT_TRACE0(( "BDF_Face_Init: negative Y resolution\n" ));
|
||||
#endif
|
||||
if ( FT_ABS( prop->value.l ) > 0x7FFF )
|
||||
if ( prop->value.l > 0x7FFF || prop->value.l < -0x7FFF )
|
||||
{
|
||||
resolution_y = 0x7FFF;
|
||||
FT_TRACE0(( "BDF_Face_Init: clamping Y resolution to value %d\n",
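Review bot: Nothing next to the new two-sided range checks in BDF_Face_Init records why FT_ABS is avoided, starting at the `font->font_ascent` test under `/* sanity checks */`, so a later cleanup could fold the paired comparisons back into FT_ABS and reintroduce the overflow the commit message describes. A comment at the first check would cover it, for example `/* compare against both bounds directly; FT_ABS negates its argument, which overflows for the most negative value */`. The same reasoning applies to the average width, point size, pixel size and X/Y resolution checks in the later hunks of this file. These values appear to come from font properties (`prop->value.l`), so the checks are what keeps attacker-controlled numbers inside the 0x7FFF range before they are stored. The function starts and ends outside the hunks shown.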
|
||||
|
@ -489,10 +489,10 @@
|
||||
if ( blues->zone[i].bottomZone &&
|
||||
cf2_hint_isBottom( bottomHintEdge ) )
|
||||
{
|
||||
if ( ( blues->zone[i].csBottomEdge - csFuzz ) <=
|
||||
bottomHintEdge->csCoord &&
|
||||
if ( SUB_INT32( blues->zone[i].csBottomEdge, csFuzz ) <=
|
||||
bottomHintEdge->csCoord &&
|
||||
bottomHintEdge->csCoord <=
|
||||
( blues->zone[i].csTopEdge + csFuzz ) )
|
||||
ADD_INT32( blues->zone[i].csTopEdge, csFuzz ) )
|
||||
{
|
||||
/* bottom edge captured by bottom zone */
|
||||
|
||||
@ -524,10 +524,10 @@
|
||||
|
||||
if ( !blues->zone[i].bottomZone && cf2_hint_isTop( topHintEdge ) )
|
||||
{
|
||||
if ( ( blues->zone[i].csBottomEdge - csFuzz ) <=
|
||||
topHintEdge->csCoord &&
|
||||
if ( ( SUB_INT32( blues->zone[i].csBottomEdge, csFuzz ) ) <=
|
||||
topHintEdge->csCoord &&
|
||||
topHintEdge->csCoord <=
|
||||
( blues->zone[i].csTopEdge + csFuzz ) )
|
||||
ADD_INT32( blues->zone[i].csTopEdge, csFuzz ) )
|
||||
{
|
||||
/* top edge captured by top zone */
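Review bot: If SUB_INT32 and ADD_INT32 wrap modulo 2^32 (their definitions are not on this page), both capture tests in cf2_blues_capture can silently change outcome. An extreme `csBottomEdge` or `csTopEdge` then produces a bound on the wrong side of `csCoord`, rather than being rejected as out of range. If that is the intended behaviour, a comment above each test would record it, for example `/* wrapping arithmetic: an out-of-range zone edge must not trigger signed overflow; confirm the wrapped bound cannot capture an edge */`. Separately, the second test wraps the macro call in an extra pair of parentheses, `( SUB_INT32( ... ) ) <=`, where the first writes `SUB_INT32( ... ) <=`; dropping them keeps the two tests identical in form. The function continues outside both hunks.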
|
||||
|
||||
|