From 09c3b82f5e5a25f07145f405776c466b02743442 Mon Sep 17 00:00:00 2001 From: Behdad Esfahbod Date: Thu, 29 Jul 2021 17:49:10 -0600 Subject: [PATCH] [buffer] When shifting forward, leave no gap Trying to see if this fixes the fuzzer issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36236 --- src/hb-buffer.cc | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/hb-buffer.cc b/src/hb-buffer.cc index c147dfcce..13fe11f18 100644 --- a/src/hb-buffer.cc +++ b/src/hb-buffer.cc @@ -359,12 +359,11 @@ hb_buffer_t::move_to (unsigned int i) /* This will blow in our face if memory allocation fails later * in this same lookup... * - * We used to shift with extra 32 items, instead of the 0 below. + * We used to shift with extra 32 items. * But that would leave empty slots in the buffer in case of allocation - * failures. Setting to zero for now to avoid other problems (see - * comments in shift_forward(). This can cause O(N^2) behavior more - * severely than adding 32 empty slots can... */ - if (unlikely (idx < count && !shift_forward (count + 0))) return false; + * failures. See comments in shift_forward(). This can cause O(N^2) + * behavior more severely than adding 32 empty slots can... */ + if (unlikely (idx < count && !shift_forward (count - idx))) return false; assert (idx >= count);