From 1f8b1e7f186f44db575e18d0958c9fb3ea14a594 Mon Sep 17 00:00:00 2001
From: ebraminio
Date: Mon, 21 Sep 2020 11:39:38 +0330
Subject: [PATCH] [ENOMEM] Return gracefully if stages isn't initialized correctly (#2639)

This happens if calls to 'm.lookups[table_index].push ()' has been silently failed due to lack of memory.
This change just returns gracefully instead issuing the assert.

Fixes https://crbug.com/oss-fuzz/24494
---
 src/hb-ot-map.hh | 4 ++--
 ...se-minimized-hb-shape-fuzzer-5753845452636160 | Bin 0 -> 2109 bytes
 2 files changed, 2 insertions(+), 2 deletions(-)
 create mode 100644 test/api/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5753845452636160

diff --git a/src/hb-ot-map.hh b/src/hb-ot-map.hh
index 7629a869b..5f2afae28 100644
--- a/src/hb-ot-map.hh
+++ b/src/hb-ot-map.hh
@@ -140,12 +140,12 @@ struct hb_ot_map_t
  void get_stage_lookups (unsigned int table_index, unsigned int stage,
  const struct lookup_map_t **plookups, unsigned int *lookup_count) const
  {
- if (unlikely (stage == UINT_MAX)) {
+ if (unlikely (stage > stages[table_index].length))
+ {
  *plookups = nullptr;
  *lookup_count = 0;
  return;
  }
- assert (stage <= stages[table_index].length);
  unsigned int start = stage ? stages[table_index][stage - 1].last_lookup : 0;
  unsigned int end = stage < stages[table_index].length ? stages[table_index][stage].last_lookup : lookups[table_index].length;
  *plookups = end == start ? nullptr : &lookups[table_index][start];
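Review bot: The new guard returns an empty range for any `stage > stages[table_index].length`, which also masks out-of-range callers that are plain logic errors rather than the OOM case the commit describes, and nothing in the hunk records why `stage == length` remains a valid input (the `end` computation shows it selects the lookups after the last recorded stage). Add a comment above the guard, e.g. `/* stages may be short or empty if a push () failed under OOM; treat any stage past the end as having no lookups. stage == length is valid: it covers the lookups after the last stage. */`. If hb_vector_t exposes an in-error flag, a debug-only assert that the out-of-range case only happens when the vector is in error would keep the original invariant visible without the abort the fuzzer reported. Note that `start` and `end` still index `lookups[table_index]` unchecked, which is safe only if `last_lookup` is always recorded from that vector's actual length when stages are built (not visible here, and worth confirming since the commit message names a failed `lookups[table_index].push ()` as the trigger). get_stage_lookups continues past the end of the hunk.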
diff --git a/test/api/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5753845452636160 b/test/api/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5753845452636160 new file mode 100644 index 0000000000000000000000000000000000000000..b36f5b1ad7f10b6085fff1a00e216879606b95d6 GIT binary patch literal 2109 zcmeHHPfJ@t5dZBy^S4bXA}XFF^i)VnlS@w`MH2*3A$aPgPs!^GeJ^<=K@;0UKY?FF z5JCJFegY4kJbMtlsqr_1il7*U+{`RHyED5xJM){_g#nPoe>nJ6Sy(J1_hAZ198&wG zvbI|Nc{IOE`Hb>$rMmuO|Jz;}NFD%Ae6{+uxb0m0MK8?Owwl|upk4pn2!mdj-m16U z(3NSX=SHoX?*^Vqt;bTDYt42?PjG=#j3Lf06r)R)Jb|S9$8Vsh{JU7f98G#yh}sHa&bbK*Dm<{f*OVapI}HCM)5j#o)B7%XWMa@Hxq+rkRN^HaRP4p- zN7V_Y4kMC2#^x}MY3eABka->%q9n=IIv`e`QGyMFu!yX@4!%%*6vSBzrxp1gaToOE z#6t=Tg_)}t^QYV2Th$E%+d;UFegr8~r8oTu!^n-4|DgQHGa1$WtNxTnKgs}9Zvg=0 BE-U~5 literal 0 HcmV?d00001