walkero
/
harfbuzz
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[CFF] fix oss-fuzz issue 11670: NULL dereference (#1450) 

* guard against no subr access

* code tweak

* add minimized testcase for oss-fuzz 11670 (Null deference)
This commit is contained in:
Michiharu Ariza 2018-12-04 21:32:34 -08:00 committed by Ebrahim Byagowi
parent d0a250a7b1
commit 32cc46c75a
3 changed files with 18 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
src/hb-cff-interp-cs-common.hh
View File

@ -65,7 +65,7 @@ struct BiasedSubrs
inline void init (const SUBRS &subrs_) inline void init (const SUBRS &subrs_)
{ {
subrs = &subrs_; subrs = &subrs_;
unsigned int nSubrs = subrs_.count; unsigned int nSubrs = get_count ();
if (nSubrs < 1240) if (nSubrs < 1240)
bias = 107; bias = 107;
else if (nSubrs < 33900) else if (nSubrs < 33900)
@ -76,8 +76,20 @@ struct BiasedSubrs
inline void fini (void) {} inline void fini (void) {}
const SUBRS *subrs; inline unsigned int get_count (void) const { return (subrs == nullptr)? 0: subrs->count; }
inline unsigned int get_bias (void) const { return bias; }
inline ByteStr operator [] (unsigned int index) const
{
if (unlikely ((subrs == nullptr) || index >= subrs->count))
return Null(ByteStr);
else
return (*subrs)[index];
}
protected:
unsigned int bias; unsigned int bias;
const SUBRS *subrs;
}; };
struct Point struct Point
@ -137,8 +149,8 @@ struct CSInterpEnv : InterpEnv<ARG>
inline bool popSubrNum (const BiasedSubrs<SUBRS>& biasedSubrs, unsigned int &subr_num) inline bool popSubrNum (const BiasedSubrs<SUBRS>& biasedSubrs, unsigned int &subr_num)
{ {
int n = SUPER::argStack.pop_int (); int n = SUPER::argStack.pop_int ();
n += biasedSubrs.bias; n += biasedSubrs.get_bias ();
if (unlikely ((n < 0) || ((unsigned int)n >= biasedSubrs.subrs->count))) if (unlikely ((n < 0) || ((unsigned int)n >= biasedSubrs.get_count ())))
return false; return false;
subr_num = (unsigned int)n; subr_num = (unsigned int)n;
@ -158,7 +170,7 @@ struct CSInterpEnv : InterpEnv<ARG>
context.substr = SUPER::substr; context.substr = SUPER::substr;
callStack.push (context); callStack.push (context);
context.init ( (*biasedSubrs.subrs)[subr_num], type, subr_num); context.init ( biasedSubrs[subr_num], type, subr_num);
SUPER::substr = context.substr; SUPER::substr = context.substr;
} }

2
src/hb-ot-cff-common.hh
View File

@ -208,7 +208,7 @@ struct CFFIndex
inline unsigned int data_size (void) const inline unsigned int data_size (void) const
{ return HBINT8::static_size; } { return HBINT8::static_size; }
ByteStr operator [] (unsigned int index) const inline ByteStr operator [] (unsigned int index) const
{ {
if (likely (index < count)) if (likely (index < count))
return ByteStr (data_base () + offset_at (index) - 1, offset_at (index + 1) - offset_at (index)); return ByteStr (data_base () + offset_at (index) - 1, offset_at (index + 1) - offset_at (index));

BIN
test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5672913680728064 Normal file
View File

Binary file not shown.