From b7e43f7d7dc9a2fdb488c989162272e840c88bb8 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Sun, 8 Oct 2017 11:58:39 +0200
Subject: [PATCH] * src/base/ftobjs.c (ft_glyphslot_preset_bitmap): Integer
 overflows.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3579
---
 ChangeLog         |  8 ++++++++
 src/base/ftobjs.c | 20 ++++++++++----------
 2 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 2e8c6d829..178ea064c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2017-10-08  Werner Lemberg  <wl@gnu.org>
+
+	* src/base/ftobjs.c (ft_glyphslot_preset_bitmap): Integer overflows.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3579
+
 2017-10-07  Werner Lemberg  <wl@gnu.org>
 
 	[sfnt] Adjust behaviour of PS font names for variation fonts.
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 2258a3175..3569ca213 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -372,29 +372,29 @@
       if ( cbox.xMax - cbox.xMin < 64 )
       {
         cbox.xMin = FT_PIX_FLOOR( cbox.xMin );
-        cbox.xMax = FT_PIX_CEIL( cbox.xMax );
+        cbox.xMax = FT_PIX_CEIL_LONG( cbox.xMax );
       }
       else
       {
-        cbox.xMin = FT_PIX_ROUND( cbox.xMin );
-        cbox.xMax = FT_PIX_ROUND( cbox.xMax );
+        cbox.xMin = FT_PIX_ROUND_LONG( cbox.xMin );
+        cbox.xMax = FT_PIX_ROUND_LONG( cbox.xMax );
       }
 
       if ( cbox.yMax - cbox.yMin < 64 )
       {
         cbox.yMin = FT_PIX_FLOOR( cbox.yMin );
-        cbox.yMax = FT_PIX_CEIL( cbox.yMax );
+        cbox.yMax = FT_PIX_CEIL_LONG( cbox.yMax );
       }
       else
       {
-        cbox.yMin = FT_PIX_ROUND( cbox.yMin );
-        cbox.yMax = FT_PIX_ROUND( cbox.yMax );
+        cbox.yMin = FT_PIX_ROUND_LONG( cbox.yMin );
+        cbox.yMax = FT_PIX_ROUND_LONG( cbox.yMax );
       }
 #else
       cbox.xMin = FT_PIX_FLOOR( cbox.xMin );
       cbox.yMin = FT_PIX_FLOOR( cbox.yMin );
-      cbox.xMax = FT_PIX_CEIL( cbox.xMax );
-      cbox.yMax = FT_PIX_CEIL( cbox.yMax );
+      cbox.xMax = FT_PIX_CEIL_LONG( cbox.xMax );
+      cbox.yMax = FT_PIX_CEIL_LONG( cbox.yMax );
 #endif
       break;
 
@@ -415,8 +415,8 @@
     Round:
       cbox.xMin = FT_PIX_FLOOR( cbox.xMin );
       cbox.yMin = FT_PIX_FLOOR( cbox.yMin );
-      cbox.xMax = FT_PIX_CEIL( cbox.xMax );
-      cbox.yMax = FT_PIX_CEIL( cbox.yMax );
+      cbox.xMax = FT_PIX_CEIL_LONG( cbox.xMax );
+      cbox.yMax = FT_PIX_CEIL_LONG( cbox.yMax );
     }
 
     x_shift = SUB_LONG( x_shift, cbox.xMin );