Integer overflow in _cairo_path_fixed_line_to() for certain call to cairo_line_to()
See https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54779
oss-fuzz is running the new svg-render-fuzzer and found the following 'SVG': <svg /><path d="h2-2e22 2"/>. 'Rendering' this SVG through _cairo_debug_svg_render() triggers an integer overflow in cairo_line_to:
../src/cairo-slope-private.h:49:22: runtime error: signed integer overflow: -2147483392 - 512 cannot be represented in type 'int'
#0 0x55a5e0 in _cairo_slope_init cairo/src/cairo-slope-private.h:49:22
#1 0x559df5 in _cairo_path_fixed_line_to cairo/src/cairo-path-fixed.c:516:6
#2 0x52e178 in _cairo_default_context_line_to cairo/src/cairo-default-context.c:738:12
#3 0x50ad1b in cairo_line_to cairo/src/cairo.c:1791:14
#4 0x519a28 in render_element_path cairo/src/cairo-svg-glyph-render.c:2392:21
#5 0x51485d in call_element cairo/src/cairo-svg-glyph-render.c:2976:23
#6 0x51442a in render_element cairo/src/cairo-svg-glyph-render.c:3015:15
#7 0x51271a in render_element_tree cairo/src/cairo-svg-glyph-render.c:0
#8 0x5126cf in render_element_tree cairo/src/cairo-svg-glyph-render.c:3062:17
#9 0x510df1 in render_element_tree_id cairo/src/cairo-svg-glyph-render.c:3086:5
#10 0x5106c9 in _cairo_render_svg_glyph cairo/src/cairo-svg-glyph-render.c:0
#11 0x511140 in _cairo_debug_svg_render cairo/src/cairo-svg-glyph-render.c:3216:12
#12 0x4d770e in LLVMFuzzerTestOneInput cairo/test/svg/fuzzer/svg-render-fuzzer.c:48:5
#13 0x43d5f3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#14 0x428d52 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#15 0x42e5fc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#16 0x457b32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#17 0x7ff37d0400b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
#18 0x41ef1d in _start
I am not quite sure what to do with this and thus I am just opening this bug. Suggestions welcome.
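The arithmetic the sanitizer flags, as an added example that is not cairo's own code: cairo stores path coordinates as 24.8 fixed point in a 32-bit int and _cairo_slope_init computes b - a in that type, so a huge coordinate that has already been pushed to the edge of the int range overflows on the next subtraction. Widening the subtraction to 64 bits makes it exact and lets the caller detect the out-of-range case; the saturating double-to-fixed helper is an assumed stand-in for cairo's conversion and does not reproduce the exact -2147483392 seen in the report, which is instead used directly as a constructed input.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added illustration, not cairo's code: cairo keeps coordinates as 24.8
 * fixed point in a 32-bit int and _cairo_slope_init stores b - a. */
typedef int32_t fixed_t;
#define FIXED_FRAC_BITS 8

typedef struct { fixed_t x, y; } point_t;
typedef struct { int64_t dx, dy; } slope_t;

/* Assumed helper (cairo's conversion is not reproduced): turn a double
 * into 24.8 fixed point, saturating so -2e22 lands at INT32_MIN rather
 * than wrapping. The report shows cairo produced -2147483392 instead. */
static fixed_t fixed_from_double_saturating(double d) {
    double scaled = d * (double) (1 << FIXED_FRAC_BITS);
    if (scaled >= (double) INT32_MAX) return INT32_MAX;
    if (scaled <= (double) INT32_MIN) return INT32_MIN;
    return (fixed_t) scaled;  /* in range, truncation is well defined */
}

/* True when b - a is representable as a 32-bit fixed_t, i.e. the 32-bit
 * subtraction would not be the signed overflow the sanitizer reported. */
static bool fixed_sub_fits(fixed_t a, fixed_t b) {
    int64_t d = (int64_t) b - (int64_t) a;   /* exact in 64 bits */
    return d >= INT32_MIN && d <= INT32_MAX;
}

/* Checked slope: compute the difference in 64 bits so it is always exact,
 * and report whether the 32-bit result cairo uses would have been valid. */
static bool slope_init_checked(slope_t *s, point_t a, point_t b) {
    s->dx = (int64_t) b.x - (int64_t) a.x;
    s->dy = (int64_t) b.y - (int64_t) a.y;
    return fixed_sub_fits(a.x, b.x) && fixed_sub_fits(a.y, b.y);
}

/* Constructed from the sanitizer line above: current point x = 512
 * (2.0 in 24.8) and the next point's x = -2147483392. */
static bool report_case_overflows(void) {
    point_t a = { 512, 0 };
    point_t b = { -2147483392, 0 };
    slope_t s;
    return !slope_init_checked(&s, a, b);   /* dx = -2147483904 < INT32_MIN */
}

int main(void) {
    printf("report operands overflow 32-bit slope: %s\n",
           report_case_overflows() ? "yes" : "no");
    return 0;
}
```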