[subset] Fix another fuzzer issue

Addition could overflow on 32bit arch. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36636 Fixes https://oss-fuzz.com/testcase-detail/5072358514753536
2021-07-28 11:28:38 -06:00 · 2021-07-28 11:28:38 -06:00 · 0ded6a70c8
parent c65e1e0842
commit 0ded6a70c8
2 changed files with 3 additions and 2 deletions
--- a/src/hb-serialize.hh
+++ b/src/hb-serialize.hh
@ -519,8 +519,9 @@ struct hb_serialize_context_t

    assert (this->start <= (char *) obj);
    assert ((char *) obj <= this->head);
-    assert ((char *) obj + size >= this->head);
-    if (unlikely (!this->allocate_size<Type> (((char *) obj) + size - this->head))) return nullptr;
+    assert (this->head - (char *) obj <= size);
+    if (unlikely (((char *) obj + size < (char *) obj) ||
+		  !this->allocate_size<Type> (((char *) obj) + size - this->head))) return nullptr;
    return reinterpret_cast<Type *> (obj);
  }
  template <typename Type>
--- a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5072358514753536
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5072358514753536