[subset] check for addition overflow in hdmx size calculation.

Fixes https://oss-fuzz.com/testcase-detail/4877336988483584.
2022-12-21 21:52:28 +00:00 · 2022-12-21 21:52:28 +00:00 · 40342c9437
parent d77fca997e
commit 40342c9437
2 changed files with 1 additions and 0 deletions
--- a/src/hb-ot-hdmx-table.hh
+++ b/src/hb-ot-hdmx-table.hh
@ -156,6 +156,7 @@ struct hdmx
    TRACE_SANITIZE (this);
    return_trace (c->check_struct (this) &&
 		  !hb_unsigned_mul_overflows (numRecords, sizeDeviceRecord) &&
+                  min_size + numRecords * sizeDeviceRecord > numRecords * sizeDeviceRecord &&
 		  sizeDeviceRecord >= DeviceRecord::min_size &&
 		  c->check_range (this, get_size ()));
  }
--- a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-4877336988483584
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-4877336988483584