From 44f7d6ecde9bf7427a05cbe73ed5d668b8a72b2a Mon Sep 17 00:00:00 2001
From: jfkthame <jfkthame@gmail.com>
Date: Fri, 17 Feb 2017 03:03:24 +0000
Subject: [PATCH] Guard against underflow when adjusting length (#421)

* Guard against underflow when adjusting length

With the fuzz-testcase in mozilla bug 1295299, we end up with a recursed lookup that removes 3 items, when `match_positions[idx]` is 0, which results in (unsigned) `end` wrapping to a huge value.

Making `end` a signed int is probably the simplest route to a fix.

Fixes https://bugzilla.mozilla.org/show_bug.cgi?id=1295299.

* Add testcase for #421.
---
 src/hb-ot-layout-gsubgpos-private.hh             |   6 +++---
 .../558661aa659912f4d30ecd27bd09835171a8e2b0.ttf | Bin 0 -> 1358 bytes
 test/shaping/tests/fuzzed.tests                  |   1 +
 3 files changed, 4 insertions(+), 3 deletions(-)
 create mode 100644 test/shaping/fonts/sha1sum/558661aa659912f4d30ecd27bd09835171a8e2b0.ttf

diff --git a/src/hb-ot-layout-gsubgpos-private.hh b/src/hb-ot-layout-gsubgpos-private.hh
index b7a0122a3..0c4235268 100644
--- a/src/hb-ot-layout-gsubgpos-private.hh
+++ b/src/hb-ot-layout-gsubgpos-private.hh
@@ -959,7 +959,7 @@ static inline bool apply_lookup (hb_apply_context_t *c,
   TRACE_APPLY (NULL);
 
   hb_buffer_t *buffer = c->buffer;
-  unsigned int end;
+  int end;
 
   /* All positions are distance from beginning of *output* buffer.
    * Adjust. */
@@ -998,8 +998,8 @@ static inline bool apply_lookup (hb_apply_context_t *c,
 
     /* Recursed lookup changed buffer len.  Adjust. */
 
-    end = int (end) + delta;
-    if (end <= match_positions[idx])
+    end += delta;
+    if (end <= int (match_positions[idx]))
     {
       /* End might end up being smaller than match_positions[idx] if the recursed
        * lookup ended up removing many items, more than we have had matched.
diff --git a/test/shaping/fonts/sha1sum/558661aa659912f4d30ecd27bd09835171a8e2b0.ttf b/test/shaping/fonts/sha1sum/558661aa659912f4d30ecd27bd09835171a8e2b0.ttf
new file mode 100644
index 0000000000000000000000000000000000000000..5d72fdfe31f93c74989082bbd274f53c21cc9a39
GIT binary patch
literal 1358
zcmeHFF%H5o5c9PWiXy?l#DsVNL*Bpu4?ulD#R`alC-Nvp><dyB2HFXvMr!X;$IjU*
z3_$*F9gf{jCjt9NIbHhO8-J+&!=e=+VT~>9+~2Q=2nwX60+R=R%Q8$Pv0Gt}#&?nI
z4I0cyF`jD4GAwJN#Hb{-ngs&)hUD+S?#ZXZBRbyKipJ_fDx5{mx)E}Pf_bI7pln3H
g#6zj*;EuCpCPVKF<~5i;5vBxwBmw=wJ_<^G0h}}EQUCw|

literal 0
HcmV?d00001

diff --git a/test/shaping/tests/fuzzed.tests b/test/shaping/tests/fuzzed.tests
index 771ac2b45..d9bace324 100644
--- a/test/shaping/tests/fuzzed.tests
+++ b/test/shaping/tests/fuzzed.tests
@@ -10,3 +10,4 @@ fonts/sha1sum/3511ff5c1647150595846ac414c595cccac34f18.ttf:--font-funcs=ot:U+004
 fonts/sha1sum/fab39d60d758cb586db5a504f218442cd1395725.ttf:--font-funcs=ot:U+0041,U+0041:[gid0=0+1000|gid0=1+1000]
 fonts/sha1sum/205edd09bd3d141cc9580f650109556cc28b22cb.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
 fonts/sha1sum/217a934cfe15c548b572c203dceb2befdf026462.ttf:--font-funcs=ot:U+0061,U+0061,U+0061:[]
+fonts/sha1sum/558661aa659912f4d30ecd27bd09835171a8e2b0.ttf:--font-funcs=ot:U+FFFD,U+E0100,U+FFFD,U+E0010:[]