[subset] Fix another fuzzer issue

Addition could overflow on 32bit arch.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36636
Fixes https://oss-fuzz.com/testcase-detail/5072358514753536
Behdad Esfahbod 2021-07-28 11:28:38 -06:00
parent c65e1e0842
commit 0ded6a70c8
2 changed files with 3 additions and 2 deletions


@ -519,8 +519,9 @@ struct hb_serialize_context_t
assert (this->start <= (char *) obj);
assert ((char *) obj <= this->head);
assert ((char *) obj + size >= this->head);
if (unlikely (!this->allocate_size<Type> (((char *) obj) + size - this->head))) return nullptr;
assert (this->head - (char *) obj <= size);
if (unlikely (((char *) obj + size < (char *) obj) ||
!this->allocate_size<Type> (((char *) obj) + size - this->head))) return nullptr;
return reinterpret_cast<Type *> (obj);
}
template <typename Type>
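Review bot: The wrap check added in `if (unlikely (((char *) obj + size < (char *) obj) ||` detects the overflow by performing the same pointer addition that overflows, which is undefined behaviour in C++ rather than a wraparound the compiler must honour, so an optimiser may fold the comparison to false and, if the fuzzer report came from UBSan's pointer-overflow check, the sanitizer will still flag this addition. The `assert ((char *) obj + size >= this->head);` two lines above also performs that addition before the guard runs. Keep the arithmetic in integers instead: `size_t avail = (size_t) (this->head - (char *) obj);` followed by `if (unlikely (size < avail || !this->allocate_size<Type> (size - avail))) return nullptr;`, and restate the assert as `assert (size >= (size_t) (this->head - (char *) obj));`. The type of `size` and the enclosing function's signature are outside the hunk, so whether `size - avail` needs a cast to match allocate_size's parameter should be confirmed against the declaration.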