From 40342c9437712cd51e37dc54f1f535bb24ae7529 Mon Sep 17 00:00:00 2001
From: Garret Rieger <grieger@google.com>
Date: Wed, 21 Dec 2022 21:52:28 +0000
Subject: [PATCH] [subset] check for addition overflow in hdmx size
 calculation.

Fixes https://oss-fuzz.com/testcase-detail/4877336988483584.
---
 src/hb-ot-hdmx-table.hh                           |   1 +
 ...se-minimized-hb-subset-fuzzer-4877336988483584 | Bin 0 -> 738 bytes
 2 files changed, 1 insertion(+)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-4877336988483584

diff --git a/src/hb-ot-hdmx-table.hh b/src/hb-ot-hdmx-table.hh
index dea2b7e29..a86cc3c31 100644
--- a/src/hb-ot-hdmx-table.hh
+++ b/src/hb-ot-hdmx-table.hh
@@ -156,6 +156,7 @@ struct hdmx
     TRACE_SANITIZE (this);
     return_trace (c->check_struct (this) &&
 		  !hb_unsigned_mul_overflows (numRecords, sizeDeviceRecord) &&
+                  min_size + numRecords * sizeDeviceRecord > numRecords * sizeDeviceRecord &&
 		  sizeDeviceRecord >= DeviceRecord::min_size &&
 		  c->check_range (this, get_size ()));
   }
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-4877336988483584 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-4877336988483584
new file mode 100644
index 0000000000000000000000000000000000000000..73d4e5de71ef853c313496bdaae2addd6f1798ae
GIT binary patch
literal 738
zcmbVJy9&ZU5S)!DA{N$GSEjJAv`S&)2Z$dK5YZxHC8_*UKSelqa=G&^1Pu;kAG5o2
zcN++Rg=w(cAGQntnbTXE0ElhjskH9dFFp*|CORLhn%#PXJemq!5toE)a0&@+s<OV3
zQN0)aFCj?U1MXsm9Cub!XR2RDA%R+hW;^O9%mkkUus&U`B{t+y(8hp4n>z0^k{Dr(
zC7!a<I4-cJw}9RP845h~H13~6!{E9tL}xotnZa7{v(eFkb2VxazBBRNS0%+i68CR<
J274c6%^R#-h}-}G

literal 0
HcmV?d00001