[CFF] fix oss-fuzz issue 11670: NULL dereference (#1450)

* guard against no subr access * code tweak * add minimized testcase for oss-fuzz 11670 (Null deference)
2018-12-04 21:32:34 -08:00 · 2018-12-04 21:32:34 -08:00 · 32cc46c75a
parent d0a250a7b1
commit 32cc46c75a
3 changed files with 18 additions and 6 deletions
--- a/src/hb-cff-interp-cs-common.hh
+++ b/src/hb-cff-interp-cs-common.hh
@ -65,7 +65,7 @@ struct BiasedSubrs
  inline void init (const SUBRS &subrs_)
  {
    subrs = &subrs_;
-    unsigned int  nSubrs = subrs_.count;
+    unsigned int  nSubrs = get_count ();
    if (nSubrs < 1240)
      bias = 107;
    else if (nSubrs < 33900)
@ -76,8 +76,20 @@ struct BiasedSubrs

  inline void fini (void) {}

-  const SUBRS   *subrs;
+  inline unsigned int get_count (void) const { return (subrs == nullptr)? 0: subrs->count; }
+  inline unsigned int get_bias (void) const { return bias; }
+
+  inline ByteStr operator [] (unsigned int index) const
+  {
+    if (unlikely ((subrs == nullptr) || index >= subrs->count))
+      return Null(ByteStr);
+    else
+      return (*subrs)[index];
+  }
+
+  protected:
  unsigned int  bias;
+  const SUBRS   *subrs;
 };

 struct Point
@ -137,8 +149,8 @@ struct CSInterpEnv : InterpEnv<ARG>
  inline bool popSubrNum (const BiasedSubrs<SUBRS>& biasedSubrs, unsigned int &subr_num)
  {
    int n = SUPER::argStack.pop_int ();
-    n += biasedSubrs.bias;
-    if (unlikely ((n < 0) || ((unsigned int)n >= biasedSubrs.subrs->count)))
+    n += biasedSubrs.get_bias ();
+    if (unlikely ((n < 0) || ((unsigned int)n >= biasedSubrs.get_count ())))
      return false;

    subr_num = (unsigned int)n;
@ -158,7 +170,7 @@ struct CSInterpEnv : InterpEnv<ARG>
    context.substr = SUPER::substr;
    callStack.push (context);

-    context.init ( (*biasedSubrs.subrs)[subr_num], type, subr_num);
+    context.init ( biasedSubrs[subr_num], type, subr_num);
    SUPER::substr = context.substr;
  }

--- a/src/hb-ot-cff-common.hh
+++ b/src/hb-ot-cff-common.hh
@ -208,7 +208,7 @@ struct CFFIndex
  inline unsigned int data_size (void) const
  { return HBINT8::static_size; }

-  ByteStr operator [] (unsigned int index) const
+  inline ByteStr operator [] (unsigned int index) const
  {
    if (likely (index < count))
      return ByteStr (data_base () + offset_at (index) - 1, offset_at (index + 1) - offset_at (index));
--- a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5672913680728064
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5672913680728064