[subset] fixes dangling object_t issue in FeatureVariationRecord

Fixes https://crbug.com/oss-fuzz/21560
revert () does not clean up object_t instances that are no longer needed.
Reorder the subsetting of substitutions and conditions to avoid leaving a dangling object_t.
Qunxin Liu 2020-04-05 18:44:26 -07:00 committed by Ebrahim Byagowi
parent 57b7de032f
commit 0d5695983e
2 changed files with 5 additions and 4 deletions


@ -2709,10 +2709,11 @@ struct FeatureVariationRecord
auto *out = c->subset_context->serializer->embed (this); auto *out = c->subset_context->serializer->embed (this);
if (unlikely (!out)) return_trace (false); if (unlikely (!out)) return_trace (false);
out->conditions.serialize_subset (c->subset_context, conditions, base);
bool ret = out->substitutions.serialize_subset (c->subset_context, substitutions, base, c); bool ret = out->substitutions.serialize_subset (c->subset_context, substitutions, base, c);
return_trace (ret); if (unlikely (!ret)) return_trace (false);
out->conditions.serialize_subset (c->subset_context, conditions, base);
return_trace (true);
} }
bool sanitize (hb_sanitize_context_t *c, const void *base) const bool sanitize (hb_sanitize_context_t *c, const void *base) const