blob: 800d77579eff6bb5c407ce11be6051c27b354955 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
From e6fda039ad638866b7a6a5d046f03278ba1b7611 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Mon, 14 Nov 2022 19:18:19 +0100
Subject: [PATCH] * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer
overflow.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462
Upstream-Status: Backport [https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611]
CVE: CVE-2023-2004
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
---
src/truetype/ttgxvar.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 78d87dc..258d701 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -43,6 +43,7 @@
#include FT_INTERNAL_DEBUG_H
#include FT_CONFIG_CONFIG_H
#include FT_INTERNAL_STREAM_H
+#include <freetype/internal/ftcalc.h>
#include FT_INTERNAL_SFNT_H
#include FT_TRUETYPE_TAGS_H
#include FT_TRUETYPE_IDS_H
@@ -1065,7 +1066,7 @@
delta == 1 ? "" : "s",
vertical ? "VVAR" : "HVAR" ));
- *avalue += delta;
+ *avalue = ADD_INT( *avalue, delta );
Exit:
return error;
--
2.17.1
|
