walkero
/
harfbuzz
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[ENOMEM] Return gracefully if stages isn't initialized correctly (#2639) 

This happens if calls to 'm.lookups[table_index].push ()' has been
silently failed due to lack of memory.

This change just returns gracefully instead issuing the assert.

Fixes https://crbug.com/oss-fuzz/24494
This commit is contained in:
ebraminio 2020-09-21 11:39:38 +03:30 committed by GitHub
parent a0ebea5280
commit 1f8b1e7f18
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/hb-ot-map.hh
View File

@ -140,12 +140,12 @@ struct hb_ot_map_t
void get_stage_lookups (unsigned int table_index, unsigned int stage, void get_stage_lookups (unsigned int table_index, unsigned int stage,
const struct lookup_map_t **plookups, unsigned int *lookup_count) const const struct lookup_map_t **plookups, unsigned int *lookup_count) const
{ {
if (unlikely (stage == UINT_MAX)) { if (unlikely (stage > stages[table_index].length))
{
*plookups = nullptr; *plookups = nullptr;
*lookup_count = 0; *lookup_count = 0;
return; return;
} }
assert (stage <= stages[table_index].length);
unsigned int start = stage ? stages[table_index][stage - 1].last_lookup : 0; unsigned int start = stage ? stages[table_index][stage - 1].last_lookup : 0;
unsigned int end = stage < stages[table_index].length ? stages[table_index][stage].last_lookup : lookups[table_index].length; unsigned int end = stage < stages[table_index].length ? stages[table_index][stage].last_lookup : lookups[table_index].length;
*plookups = end == start ? nullptr : &lookups[table_index][start]; *plookups = end == start ? nullptr : &lookups[table_index][start];

BIN
test/api/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5753845452636160 Normal file
View File

Binary file not shown.