[cff] Integer overflow. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2089 * src/cff/cffload.c (cff_blend_doBlend): User OVERFLOW_ADD_INT32.

commit: 8667042997cb9095d3c925417b29f5a3163ab352 [log] [tgz]
author: Werner Lemberg <wl@gnu.org> Mon Jun 05 06:20:53 2017 +0200
committer: Werner Lemberg <wl@gnu.org> Mon Jun 05 06:20:53 2017 +0200
tree: 4a59bc1f79ab19ae03652a3e7704599591c947bd
parent: 9fa8a2997f869c6172a12a9497b3ca649806ec4d [diff]
diff --git a/ChangeLog b/ChangeLog
index 7f68614..6442e87 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -1,3 +1,13 @@
+2017-06-05  Werner Lemberg  <wl@gnu.org>
+
+	[cff] Integer overflow.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2089
+
+	* src/cff/cffload.c (cff_blend_doBlend): User OVERFLOW_ADD_INT32.
+
 2017-06-04  Werner Lemberg  <wl@gnu.org>
 
 	[cff, truetype] Integer overflows.

diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index 3beaeb1..2ee4387 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c

@@ -1352,9 +1352,12 @@
       sum = cff_parse_num( parser, &parser->stack[i + base] ) * 65536;
 
       for ( j = 1; j < blend->lenBV; j++ )
-        sum += FT_MulFix( *weight++,
-                          cff_parse_num( parser,
-                                         &parser->stack[delta++] ) * 65536 );
+        sum = OVERFLOW_ADD_INT32(
+                sum,
+                FT_MulFix(
+                  *weight++,
+                  cff_parse_num( parser,
+                                 &parser->stack[delta++] ) * 65536 ) );
 
       /* point parser stack to new value on blend_stack */
       parser->stack[i + base] = subFont->blend_top;
commit	8667042997cb9095d3c925417b29f5a3163ab352	[log] [tgz]
author	Werner Lemberg <wl@gnu.org>	Mon Jun 05 06:20:53 2017 +0200
committer	Werner Lemberg <wl@gnu.org>	Mon Jun 05 06:20:53 2017 +0200
tree	4a59bc1f79ab19ae03652a3e7704599591c947bd
parent	9fa8a2997f869c6172a12a9497b3ca649806ec4d [diff]