From 35233d2514cc202e9e2f8f94b3102cb620a0d403 Mon Sep 17 00:00:00 2001
From: Garret Rieger
Date: Wed, 7 Dec 2022 00:47:28 +0000
Subject: [PATCH] [repacker] fix fuzzer reported stack overflow.
Fixes https://oss-fuzz.com/testcase-detail/6014493291577344.
---
 src/graph/graph.hh | 5 +++++
 src/hb-repacker.hh | 8 ++++++++
 ...-minimized-hb-repacker-fuzzer-6014493291577344 | Bin 0 -> 921 bytes
 3 files changed, 13 insertions(+)
 create mode 100644 test/fuzzing/graphs/clusterfuzz-testcase-minimized-hb-repacker-fuzzer-6014493291577344
diff --git a/src/graph/graph.hh b/src/graph/graph.hh
index 372f05e5b..dc5b6a36f 100644
--- a/src/graph/graph.hh
+++ b/src/graph/graph.hh
@@ -1187,6 +1187,11 @@ struct graph_t
 }
 }
+ for (unsigned i = 0; i < vertices_.length; i++)
+ // parents arrays must be accurate or downstream operations like cycle detection
+ // and sorting won't work correctly.
+ check_success (!vertices_[i].parents.in_error ());
+
 parents_invalid = false;
 }
diff --git a/src/hb-repacker.hh b/src/hb-repacker.hh
index 6817ffae4..7a3143cec 100644
--- a/src/hb-repacker.hh
+++ b/src/hb-repacker.hh
@@ -393,6 +393,14 @@ hb_resolve_overflows (const T& packed,
 return nullptr;
 }
+ if (sorted_graph.in_error ())
+ {
+ // Allocations failed somewhere
+ DEBUG_MSG (SUBSET_REPACK, nullptr,
+ "Graph is in error, likely due to a memory allocation error.");
+ return nullptr;
+ }
+
 if (!hb_resolve_graph_overflows (table_tag, max_rounds, recalculate_extensions, sorted_graph))
 return nullptr;
diff --git a/test/fuzzing/graphs/clusterfuzz-testcase-minimized-hb-repacker-fuzzer-6014493291577344 b/test/fuzzing/graphs/clusterfuzz-testcase-minimized-hb-repacker-fuzzer-6014493291577344
new file mode 100644
index 0000000000000000000000000000000000000000..a29d1e2fbbc04a23fd33ee2b77deaa26bc79aa2a
GIT binary patch
literal 921
zcmWIc4{&E<;9yXIf_O0NKa5L#nwf!tff0za6hI^slvZHyp}tk4CXR-{Pz{0q0M`L?
AsQ>@~
literal 0
HcmV?d00001
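Review bot: In the graph.hh hunk the `for` loop's only statement is separated from the loop header by two comment lines, so a reader (or the next person adding a line) can easily misjudge what is inside the loop; moving the comment above the header and bracing the body makes the scope explicit: `// parents arrays must be accurate or downstream operations like cycle detection` / `// and sorting won't work correctly.` followed by `for (unsigned i = 0; i < vertices_.length; i++) { check_success (!vertices_[i].parents.in_error ()); }`. The loop also keeps scanning after the first vertex whose parents array is in error; if `check_success` reports its result (its name suggests it latches an error flag rather than aborting, which I cannot confirm from this hunk), `if (!check_success (...)) break;` would stop at the first failure with the same outcome. The enclosing graph_t member begins outside the hunk; only its closing brace is visible here.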
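Review bot: The new `sorted_graph.in_error ()` check in hb-repacker.hh only catches failures that happened before this point; whether an allocation failure inside `hb_resolve_graph_overflows` (or later, before serialization) is surfaced the same way is not visible in this hunk, so it is worth confirming that the callee bails out on `in_error ()` as well rather than relying on this single early check. The comment `// Allocations failed somewhere` could also say what state it is guarding and why the placement matters, for example `// The graph latches an error when an allocation (e.g. a vertex's parents array) failed; cycle detection and sorting cannot trust such a graph, so bail out before resolving overflows.`. The enclosing function `hb_resolve_overflows` both starts and ends outside the hunk.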