Encountered a signed integer overflow in src/cff/cf2intrp.c
I was running freetype2 in fuzzer-test-suite. I got the source code from git://git.sv.nongnu.org/freetype/freetype2.git at commit id cd02d359. A signed integer overflow occurs, and the error message is as follows:
/data/apr/llmfixed-fuzzer-test-suite/freetype2-2017/build/BUILD/src/cff/cf2intrp.c:361:39: runtime error: signed integer overflow: -1298893590 - 1866342036 cannot be represented in type 'CF2_F16Dot16' (aka 'int')
#0 0x56190a8c6d38 in cf2_doFlex src/cff/cf2intrp.c:361:39
#1 0x56190a89e697 in cf2_interpT2CharString src/cff/cf2intrp.c:1061:15
#2 0x56190a88e8dd in cf2_getGlyphOutline src/cff/cf2font.c:522:7
#3 0x56190a88e8dd in cf2_decoder_parse_charstrings src/cff/cf2ft.c:389:18
#4 0x56190a881230 in cff_slot_load src/cff/cffgload.c:2992:17
#5 0x56190a6a8dfc in FT_Load_Glyph src/base/ftobjs.c:758:15
#6 0x56190a69633e in LLVMFuzzerTestOneInput /data/apr/llmfixed-fuzzer-test-suite/freetype2-2017/build/BUILD/src/tools/ftfuzzer/ftfuzzer.cc:397:18
#7 0x56190a536c20 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/build-user/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#8 0x56190a52a024 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/build-user/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#9 0x56190a52f537 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/build-user/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:859:9
#10 0x56190a54aa02 in main /home/build-user/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#11 0x7f0183ee3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
#12 0x56190a526c6d in _start (/data/apr/llmfixed-fuzzer-test-suite/freetype2-2017/build/freetype2-2017-fuzzer+0x507c6d)
Here is the crash PoC: crash-1.zip
Thanks for your attention.
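The sanitizer line above reports that the subtraction at cf2intrp.c:361 overflows the 32-bit signed type CF2_F16Dot16 for the operands -1298893590 and 1866342036, which is undefined behaviour in C. The following is an added illustration, not FreeType code and not the project's fix: it reproduces the reported operand pair with a stand-in `F16Dot16` typedef, shows how to test for the overflow before performing the subtraction (both with the GCC/Clang `__builtin_sub_overflow` builtin and with a portable comparison), and shows a saturating variant that clamps instead of wrapping. The helper names `sub_would_overflow`, `sub_would_overflow_portable`, `sub_sat` and `exact_difference` are assumptions made for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for FreeType's CF2_F16Dot16: a 32-bit signed 16.16 fixed-point
   value. This typedef is an assumption for the example, not FreeType's own
   definition. */
typedef int32_t F16Dot16;

/* Operands copied from the UBSan message in the report (constructed input
   for this example). */
static const F16Dot16 REPORTED_A = -1298893590;
static const F16Dot16 REPORTED_B = 1866342036;

/* Mathematically exact a - b, computed in 64 bits so it never overflows.
   Useful for showing how far the true result lies outside int32 range. */
static int64_t exact_difference(F16Dot16 a, F16Dot16 b)
{
    return (int64_t)a - (int64_t)b;
}

/* True if a - b would overflow int32. The builtin reports the overflow and
   never evaluates the undefined expression itself. */
static bool sub_would_overflow(F16Dot16 a, F16Dot16 b)
{
    int32_t r;
    return __builtin_sub_overflow(a, b, &r);
}

/* Same check without compiler builtins: rearrange the comparison so that
   every intermediate stays inside int32 range. */
static bool sub_would_overflow_portable(F16Dot16 a, F16Dot16 b)
{
    if (b < 0)
        return a > INT32_MAX + b;   /* INT32_MAX + b cannot overflow: b < 0 */
    return a < INT32_MIN + b;       /* INT32_MIN + b cannot overflow: b >= 0 */
}

/* Saturating 16.16 subtraction: clamp to the representable range instead of
   invoking undefined behaviour. Whether saturating is the right policy for a
   font interpreter is a design decision; this only shows the mechanism. */
static F16Dot16 sub_sat(F16Dot16 a, F16Dot16 b)
{
    int32_t r;
    if (!__builtin_sub_overflow(a, b, &r))
        return r;
    /* Subtracting a positive b overflowed downward, a negative b upward. */
    return (b > 0) ? INT32_MIN : INT32_MAX;
}

int main(void)
{
    printf("exact   %d - %d = %lld\n", REPORTED_A, REPORTED_B,
           (long long)exact_difference(REPORTED_A, REPORTED_B));
    printf("overflow (builtin):  %s\n",
           sub_would_overflow(REPORTED_A, REPORTED_B) ? "yes" : "no");
    printf("overflow (portable): %s\n",
           sub_would_overflow_portable(REPORTED_A, REPORTED_B) ? "yes" : "no");
    printf("saturated result:    %d\n", sub_sat(REPORTED_A, REPORTED_B));

    /* A benign 16.16 case (5.0 - 3.0) for comparison. */
    printf("5.0 - 3.0 in 16.16: %d (overflow: %s)\n",
           sub_sat(5 << 16, 3 << 16),
           sub_would_overflow(5 << 16, 3 << 16) ? "yes" : "no");
    return 0;
}
```

Compiling the block with `-fsanitize=signed-integer-overflow` and running it produces no sanitizer report, because the reported operand pair never reaches a plain `a - b`; the exact 64-bit result, -3165235626, shows that the true value is about one billion below INT32_MIN, which is why the 32-bit subtraction cannot represent it.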