Fix sanitize fail of extension sublookups

Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=960331
2019-05-10 16:01:39 -07:00 · 2019-05-10 16:01:39 -07:00 · 25a5b287f2
parent 9c0c3589f3
commit 25a5b287f2
3 changed files with 10 additions and 2 deletions
--- a/src/hb-ot-layout-common.hh
+++ b/src/hb-ot-layout-common.hh
@ -751,12 +751,18 @@ struct Lookup
    if (unlikely (!get_subtables<TSubTable> ().sanitize (c, this, get_type ())))
      return_trace (false);

-    if (unlikely (get_type () == TSubTable::Extension))
+    if (unlikely (get_type () == TSubTable::Extension && !c->get_edit_count ()))
    {
      /* The spec says all subtables of an Extension lookup should
       * have the same type, which shall not be the Extension type
       * itself (but we already checked for that).
-       * This is specially important if one has a reverse type! */
+       * This is specially important if one has a reverse type!
+       *
+       * We only do this if sanitizer edit_count is zero.  Otherwise,
+       * some of the subtables might have become insane after they
+       * were sanity-checked by the edits of subsequent subtables.
+       * https://bugs.chromium.org/p/chromium/issues/detail?id=960331
+       */
      unsigned int type = get_subtable<TSubTable> (0).u.extension.get_type ();
      unsigned int count = get_subtable_count ();
      for (unsigned int i = 1; i < count; i++)
--- a/src/hb-sanitize.hh
+++ b/src/hb-sanitize.hh
@ -211,6 +211,8 @@ struct hb_sanitize_context_t :
    this->start = this->end = nullptr;
  }

+  unsigned get_edit_count () { return edit_count; }
+
  bool check_range (const void *base,
 		    unsigned int len) const
  {
--- a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5702671124791296
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5702671124791296