From 0ded6a70c829284a8220ce30a405b0a974061df4 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Wed, 28 Jul 2021 11:28:38 -0600
Subject: [PATCH] [subset] Fix another fuzzer issue

Addition could overflow on 32bit arch.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36636
Fixes https://oss-fuzz.com/testcase-detail/5072358514753536
---
 src/hb-serialize.hh                             |   5 +++--
 ...-minimized-hb-subset-fuzzer-5072358514753536 | Bin 0 -> 55875 bytes
 2 files changed, 3 insertions(+), 2 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5072358514753536
diff --git a/src/hb-serialize.hh b/src/hb-serialize.hh
index b352750b6..537fc8c82 100644
--- a/src/hb-serialize.hh
+++ b/src/hb-serialize.hh
@@ -519,8 +519,9 @@ struct hb_serialize_context_t
 
     assert (this->start <= (char *) obj);
     assert ((char *) obj <= this->head);
-    assert ((char *) obj + size >= this->head);
-    if (unlikely (!this->allocate_size<Type> (((char *) obj) + size - this->head))) return nullptr;
+    assert (this->head - (char *) obj <= size);
+    if (unlikely (((char *) obj + size < (char *) obj) ||
+		  !this->allocate_size<Type> (((char *) obj) + size - this->head))) return nullptr;
     return reinterpret_cast<Type *> (obj);
   }
   template <typename Type>
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5072358514753536 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5072358514753536
new file mode 100644
index 0000000000000000000000000000000000000000..d3cf859be9ade5f9059ae797cfcf632838c40cda
GIT binary patch
literal 55875
zcmeI54R94zmdDTOzTN%aBVr~p$*8QxF-CL-1lK`i5CRD#15A=hB4m({gd`G>d>9gl
zd`3P3<mC$p5F!FHps2I%EY4D_iwv@sMNy7Rxh};bI}#0)Yq=~th2p}%+kf}ty$A_r
zVa#matJAOg*SBx?>yO*_o^$T))Ay!jWu?)rR7HATUSd&sWgqeq<xHZXG3mZ!B8&W!
z&o{*vK_3@U1eN=iR3-R)zE6559olst4W;kRpi5tU`C4H^O6C)zj2y$~GcMda>nDXv
zQzneeF#7EA;Sg09eZIUx-8`FHP>9w4!QcLao-Qn}Bwk{lp|=f8jQL@QV`xB8Ze^)I
ziryn?{j4~rs37jX1+`S=X(lp<H7u(2`hHIo@wa<vFHtN}x_@`3{FDi&wbMA-smrI1
z6Mfq9>Bdv<oH~H@v8SfBwY7cP_U}Y(yD-1owy&+Ft*WiEwXrp`b#!ZD>xkCJTL<8L
z87KeiWb?;oKHhQS@X^MjSwyZTV#a^?9n9}zKFTL>y`(qk8+2Te-mLG@_v&xz`}F<#
z0sWw}4f{G1Qp}m075$KY*dMLGs~_@*Z0ZN~_w^64{2cQa?eXm){WP|mb@m1I3&AbN
zG=C5a6^D7SN>XFgc$J|htLZ9V6{}KJrsk^oYPqUbwW=Qb*mI+Q_W#+AS50bzYE~_3
zvwB^<qux~~)F<i-bq4!=W$ZFOFix29!LyPXZ%#K4o2M<ZJk|i~VPu&EE5#ab;Zax_
z{{5^}J8Vq=F@JNi#$VYZ#a>ztozN(Myc0&sTbMhatl`(jTLYaK#+@!vzcXJlf2W44
z#cCt&=|%HHq(F_TP%o%?s?t1e{+s!cTBzPqo77g-Vt%ZetO)hI+M+g_tyaBSV7_L)
zZ0<C7scmY96|MG|Q`IW-Q{`2Atr&BM`3JL~`G9qcc}ne6YpuTK{br6@ZN6<DH2+C0
zqQUg2#zXn1r14LA7&wd{2OsC*;BX!Rj^G3^fk%QPc@#K`6Tw7I0+V<&IGV?RV>lU1
z<`gi6e+K@H$AV*d95{~0gX8(<;LkY~Oyx8%jnlz&{ss68&Hytw6U^i+FpHl6pWq4L
z1fB>^<ZLjTe+mAQCxMgrN$^RY3{K`L;1r$;PUUIfG|mBYI2X+2>ELwE1M@f^%;y5I
zfS&@N;u+u!E(8mCCODI4fwTB&@M)e6&gLSph>O8uE&)rp6fEUuz-PD&EaN%g94-gT
zxdN=<x!_!$2hQV4u#%qzpXK@Bd|m)9;Dz8qUIZ@U#o%Jd9gUZ86<Ed3fzR<$a49bX
zm+^9NIj;a$a5Y%XE5Vh#3S7mj!PQ&?*02}!axGZPbzmLWgZ111HgF@@$ZNngycS%`
z>%eu~1UB({a6NATH}FPqBR7N1yb0XIEno{j4?fSE!Oi>v_yTVMxA0bQD{lk0@r&S#
zydB)mzXE^7JHQ>h6Wqx!fiLmP;L8wS8t>v)z*qQH@Kt^de2utIH2+$ksu${I`a->0
zZ`51#9s27KX9xB7^rQMo{d4`Cep$Ixl<KSE)j%~A0wz^uL%7UFp{hc$YC^%;rFN@*
z5E@6+an+{IsILvph%lm!SmQzC5o5TKVq_STji-!KW4^K6s5hF8?Z&T-J;nj!u<@bs
z2jes2kH()&(~LClFyqVt<`8p~Io_OL=9sh0a&xh{%3N!1Mxp+V`KI}f`M!C~{KWji
z{K^qOeXP5ze%8a*Fl&sJZcVcCtzxUvT58o=8?0^CtJZI={njDt1M7r!+B$1pa4A=B
z*AHAjbp6;h*p=WK>&kLXbrrhGTnk;*u0~gjYlrJ~*Iw5_*L$v`u9L3MUFTev-7a^O
zyRSRmJ<vVWo#ak+XS=7nXS?URtK2p2CifQiF86NtKKHxsBktqwHuo9#*B;Fi;feOd
zdLHyV;u-Eq@nm==d!Ax;@hy;3y2i*N23^u>v}~-8^Dj}v260~^O_{o(3{6wmX6r_K
z!jkvXKfd*Mlt3eCqIUf9A90`!oECd!A3m;ap$DK3HSEje!jh;Dxxu*mwRtlN%ULH%
zOwGz*h3!!k4|SYM)4!^q8rni{JNpwGWNRjSPQYv*gV^FU7!1%lxI%l<ka^rpk5eNe
z_?#01aIcGX>)m&4dvsca+Z)mAVDaC3y>n_~JReOwuX(-R+L&H%w9MP;^;Rsc@p@O+
z#oQM0(R%-;71->pi;1|UFTHgej`W~?4+?fjFW3m*!(GJCopd+ih&9T`4&yM}OGG%-
z$T~m=sP*^9qlpT0rx%pZ%u6jPFUia;o|8CsT>p%M85Og0%lao56c?0rzA0tm%>44g
z)DoZi#-H??o1ClSyu6}PJO|s(sUn?J>G!G4R#QKE;MNKD9{1we982H2$hm_74(UhM
zXGFFMbj`lbb0iIVyYJw_!h+n0y=JEUAU<oRxJp=X)^F%A-DBG+E}C6bkU!JTXU_gn
zCJt9gqtqm<+o@$gOI*^cbjuw%iDSmV^r|@e<UeD>{hl-DOR5@H*R6axzp;AVJ)ZLi
zm#?p>_0~q33;to<(lslZp4t4|`uX>HE^c4uUAAs<ZRG6>rmU^0U)8X4ev;?>%!?(P
z^YNHVb|-qyZ-1lWK&)q8vgcxC%lZ`~JZr{2<S{QsEnM@$%7zt9{XKbGeNk4_yfyW4
z9)Du7`F8r*^V4n}_9f{$(f~=*lJ>TLd0@0J)n}>_y%y`bKT{%P-;9UiXduNUjTxUs
zy=Ui^7vs+CVnaTk|F};VlodM<!H#U7BD-}8n0>yk&(eNLfzYL12>I?FT2eBnH~qK0
zqLS0oGT($v;Y@#{-JJ}Z`^deA_u1>asp+99&Mj}d>`S<iKs0#pqk|sX`sYj!)1BHw
z^jm#@0u9OOSCmV%mnUnzozq|PW%w?iL2yu9VUf!R3E^Z&eeQ)PP*h2~T}@`Be*1LE
z2~t{e()i5uMbQ_@`=#$ZDig8EnWIM?+iu@Q>FkO*v^y>Hp+VDHoRfqqn1(*W!?c;&
z5hr`X2(oY9z8gEUI+I4a6M<R<Dlv$%w_q-h98&qs?Efzdr~a$`hvTEI52!y9cBg$%
zsxt%mAEhK;Yo%fIwa=$b_Lb8i#Pp~B+RpZq*$052#5uL+9hJj=Rg+s<P?lLVr@)cu
z{9|XgAifS>tMl(!WwFo&*_5qk+b4-Gg9%5_ADH-@b4~qFC~<+9?PUyTA0ZM2F*Xjl
z7e9MF+erw}_lmvlK@{q9H0d#&mMB|IT|JfAhZ*3;VS7`H9aioH9e2CS36H=*5!Z&?
zhyNN>48`f}1Em%Zdo8j5kiUN9v1h4_X3`8Qq;iTy6>}hdLnyW?iwbuaAZC=Wf{L-d
z0KZt&Bg?3SW+9x%|9N&Kvi;(8Dy_t24a5_}x?M4~(-N0|k>VHs$+=+u30Bqq+aO$>
z5VTbw^!;EcIv9!xhJFwX-5w0x5e(fK4D}6${wf%{D;T;v7>W&s?g@r|7!2JT48;XQ
z_XR`o!O;Cq2)B6*cQ>r8WKOyL1j+Y6pUVD)(@U_1OpC|of2Ou}Bj{#4Ogw2jajxi+
zFYsu4UUl5Q#NhPjRL46Jt|BvoDSKl9k(uEkGo?n@?KMKDU_tl>mQo{x4I(u{sS&mp
z38@iEjqplt=n;$1vTk7fOPjj1sdrDCI$HFkB~M!Nx>GFo*tZ_IX=zar2Z#2&Z#y@L
zgF_E<a1ieV@lFu$gmCvxxZXP-@jVjXBk?^F-y{2duJ|6c`zeX<k@y~o?@@czt%rs}
ztEE|dkFMu?Bwn)OB`aRCS9{KO6uIIh+c8Z-B}Oz=czAq$=N|$g1Ba6raeH|bm+Cxm
z5A1gLK>1)yJ{SvpTqcb+(r6=%Htia?hla!y4i8gUJ{S}CCUI|S7qU0*-Xz@y*x!}n
zdlu<7K)MaMy7jY@wf2%02uXuzASJqg`Tx_ii}aQwz2(>)=}2!mB)#QGZ#jN3FKVy*
z)m?X;K^i|owDIGr4AF^o`W;3&ok!W|`j}T;m9rwkp<|kaN{k4H5ETyBbfx9wH|evk
z=N3CDXyH-Nr0-<uJ6ZZpmcEmv?_}vaS^7?vzLR^d#d*Celdh3Nplf8jp_V??JL&(o
zt0?Io_<F_udht>*4U>wgjCCSooyb@xGS*2)K`$?8I;Kge#E5zh5B1!+K_7VU+VyMK
zo82RD26?lKl#oG^Y_S&@+Q1%UM+QkkYV_zqlCIQvrDA)N8e0@-cqmXAz0~&0meEW9
z5~G)P7|~RQEtO$QZ`K08_J3lL2U8$?Epi!kSVkR=>}at{OI*h^36&VBNQ6g4qVtwG
zI~QK7slVIxpw{d9upNtp2#$_v5-KqwIKo44T(2wPznDvSAj3b$OEHAtQeFlw<K^IT
zUIDJ)YOtDDf-5mRyT+?{HMp8<z#8^~Uakdexel!3da#}wzy=IluW=)<0oU+aa4oL`
z*KrfrZ3EUU)T{MIy+z-lzpn4q59;sfNA;8X=lVJQvT~^?)mO!<foiBqQr~$un1-|{
zg;R@?{(qUI@0aawR2+!)NZ&7A8esup+rAVVtUWD4EhIKrc-UZ_SKb0ut1b)mP45sm
zgSb&3CB%)w7JuSKk?phHN5ByHprVtK-%*E&hVPgrp%Nn+K0GwMw6gF9w76{Gjo?OZ
z2Ag>kxJf>|mk;md!+ZJgUOv2+5AWr}`%tk<1J^0`X?WPD(gM}hH~5`zmk$^MlHdlH
zA~?cBaNq^IL6@`|>0VvBS9e5!bgwSmtNV3<v^(FRPV7Oui+T<Z^(=OM=XQHnv0~TX
zq%ab}5gvl0lQ+vZ7A3wV!4weR633-Nd`oPv63A8YEg{-=*_Uu3foSmHM+ZIDl{Ws?
z?V_qhRR>Zae^yy6B~UhH>)F0?Iuu>Tv#>47-p=Q=BUtn!9n>(}%NWphd5a`Pv2g?{
zXFZe(s`!?OZ;7$TkRd*$4O-fuA<IdI_%x*r+Q|qcZP5O72t`U$Qh3;>(gyvl_1Eie
zl#1<5N-Yr_;UPH0x1>%6e~`f+WblWMdO+;@j%gAqF`}NsLp_UKe_hl4TQ`VZf0L3*
K1V?xXj{gPR2F;lO

literal 0
HcmV?d00001

