[avar2] Fix mapping when coords length don't match

Ouch. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49407
2022-07-23 10:50:26 -06:00 · 2022-07-23 10:50:26 -06:00 · 32c85b8c8c
parent 06c3ec0a19
commit 32c85b8c8c
2 changed files with 3 additions and 0 deletions
--- a/src/hb-ot-var-avar-table.hh
+++ b/src/hb-ot-var-avar-table.hh
@ -186,6 +186,9 @@ struct avar
    if (version.major < 2)
      return;

+    for (; count < axisCount; count++)
+      map = &StructAfter<SegmentMaps> (*map);
+
    const auto &v2 = * (const avarV2Tail *) map;

    const auto &varidx_map = this+v2.varIdxMap;
--- a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-4523349576908800
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-4523349576908800