[repacker] don't allow references to the null object in graph.

Fixes fuzzer issue https://oss-fuzz.com/testcase-detail/6714085985353728
Garret Rieger 2022-12-05 19:15:36 +00:00 committed by Behdad Esfahbod
parent 4ce0f08897
commit 239a5aca02
2 changed files with 4 additions and 3 deletions


@ -50,12 +50,13 @@ struct graph_t
unsigned priority = 0; unsigned priority = 0;
bool link_positions_valid (unsigned num_objects) bool link_positions_valid (unsigned num_objects, bool removed_nil)
{ {
hb_set_t assigned_bytes; hb_set_t assigned_bytes;
for (const auto& l : obj.real_links) for (const auto& l : obj.real_links)
{ {
if (l.objidx >= num_objects) if (l.objidx >= num_objects
|| (removed_nil && !l.objidx))
{ {
DEBUG_MSG (SUBSET_REPACK, nullptr, DEBUG_MSG (SUBSET_REPACK, nullptr,
"Invalid graph. Invalid object index."); "Invalid graph. Invalid object index.");
@ -340,7 +341,7 @@ struct graph_t
if (check_success (!vertices_.in_error ())) if (check_success (!vertices_.in_error ()))
v->obj = *objects[i]; v->obj = *objects[i];
check_success (v->link_positions_valid (objects.length)); check_success (v->link_positions_valid (objects.length, removed_nil));
if (!removed_nil) continue; if (!removed_nil) continue;
// Fix indices to account for removed nil object. // Fix indices to account for removed nil object.