| From e6fda039ad638866b7a6a5d046f03278ba1b7611 Mon Sep 17 00:00:00 2001 |
| From: Werner Lemberg <wl@gnu.org> |
| Date: Mon, 14 Nov 2022 19:18:19 +0100 |
| Subject: [PATCH] * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer |
| overflow. |
| |
| Reported as |
| |
| https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462 |
| |
| Upstream-Status: Backport [https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611] |
| CVE: CVE-2023-2004 |
| Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> |
| --- |
| src/truetype/ttgxvar.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c |
| index 78d87dc..258d701 100644 |
| --- a/src/truetype/ttgxvar.c |
| +++ b/src/truetype/ttgxvar.c |
| @@ -43,6 +43,7 @@ |
| #include FT_INTERNAL_DEBUG_H |
| #include FT_CONFIG_CONFIG_H |
| #include FT_INTERNAL_STREAM_H |
| +#include <freetype/internal/ftcalc.h> |
| #include FT_INTERNAL_SFNT_H |
| #include FT_TRUETYPE_TAGS_H |
| #include FT_TRUETYPE_IDS_H |
| @@ -1065,7 +1066,7 @@ |
| delta == 1 ? "" : "s", |
| vertical ? "VVAR" : "HVAR" )); |
| |
| - *avalue += delta; |
| + *avalue = ADD_INT( *avalue, delta ); |
| |
| Exit: |
| return error; |
| -- |
| 2.17.1 |