From 647b024784e1346f6886565f570cdf940d7b82b4 Mon Sep 17 00:00:00 2001 From: Garret Rieger Date: Mon, 17 Apr 2023 22:47:47 +0000 Subject: [PATCH] [subset] Fix fuzzer issue https://oss-fuzz.com/testcase-detail/6521393809588224 --- src/OT/glyf/SimpleGlyph.hh | 6 ++++++ src/OT/glyf/SubsetGlyph.hh | 7 ++++++- ...-minimized-hb-subset-fuzzer-6521393809588224 | Bin 0 -> 15886 bytes 3 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6521393809588224 diff --git a/src/OT/glyf/SimpleGlyph.hh b/src/OT/glyf/SimpleGlyph.hh index b6fefce1a..b6679b2da 100644 --- a/src/OT/glyf/SimpleGlyph.hh +++ b/src/OT/glyf/SimpleGlyph.hh @@ -34,6 +34,11 @@ struct SimpleGlyph unsigned int length (unsigned int instruction_len) const { return instruction_len_offset () + 2 + instruction_len; } + bool has_instructions_length () const + { + return instruction_len_offset () + 2 <= bytes.length; + } + unsigned int instructions_length () const { unsigned int instruction_length_offset = instruction_len_offset (); @@ -94,6 +99,7 @@ struct SimpleGlyph /* zero instruction length */ void drop_hints () { + if (!has_instructions_length ()) return; GlyphHeader &glyph_header = const_cast (header); (HBUINT16 &) StructAtOffset (&glyph_header, instruction_len_offset ()) = 0; } diff --git a/src/OT/glyf/SubsetGlyph.hh b/src/OT/glyf/SubsetGlyph.hh index a38a57a7c..b783567de 100644 --- a/src/OT/glyf/SubsetGlyph.hh +++ b/src/OT/glyf/SubsetGlyph.hh @@ -27,7 +27,12 @@ struct SubsetGlyph TRACE_SERIALIZE (this); hb_bytes_t dest_glyph = dest_start.copy (c); - dest_glyph = hb_bytes_t (&dest_glyph, dest_glyph.length + dest_end.copy (c).length); + hb_bytes_t end_copy = dest_end.copy (c); + if (!end_copy.arrayZ || !dest_glyph.arrayZ) { + return false; + } + + dest_glyph = hb_bytes_t (&dest_glyph, dest_glyph.length + end_copy.length); unsigned int pad_length = use_short_loca ? padding () : 0; DEBUG_MSG (SUBSET, nullptr, "serialize %u byte glyph, width %u pad %u", dest_glyph.length, dest_glyph.length + pad_length, pad_length); diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6521393809588224 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6521393809588224 new file mode 100644 index 0000000000000000000000000000000000000000..bf7b8bb057882558822bb2c6b133bf95c3169b55 GIT binary patch literal 15886 zcmeHOeQXp(6o0$7d)HpCy;`dBQMgkpmI}7kQi^Gnen1;NTeQV54CPY#k=oLN6$_{| zk{A(U3=q&r3`$}Ui7`!z4WUXTP2>*~LQL=vF_<6-5=kJ0LfVeMw|m#SYkTFcy~;J+ zcbT1iGjC?!ynQq8&6_=vh$smcg`7p@t`{gz$|5o?L1}H#`hw+UuCh(2{2ln|lH#Sy z=sr-AG#~h!lI7(Udr$1$iTXs~_5rb_7x`t>|B5`Vydop(t*!50B9hMmUtLjIP`US; zZQZEf0X((3$=yOW+JpKu;Muhs-0Sz9*nSevKL~tXUE{{u194?ZxKE(z_7Ce&zp(V> zABill5t)zG*SObA`{z8WW#E)kj{@5nwE_Kq2RyaDskLo&gQ*?$yMaH`*j(+NpON+^ z>ia02sL9>dLi^-+;4aiV*Sec(9q(Op(F`CSkjxU9 zNPM}s8CxdTRly&w2P_4Z4GasX5>4Onz>HRCl_)(b%~Q|7pX|;TE0WvrX1=; zf+{KJq>o7@MNL*%EB5HQe2lW>F799Diw-<0542HfVWpFnPyrROyrlulLAlIHI#0?6 zY8wch+8bqwmLVljq9$Dx<2FND7BY#OkV!0XEATi_+d#*1NdRsK&VuFll>~g6)*I38 z(PYj5G0Xv$dT|^&gr1I=tU#h9v zqwD_WHv>{@W;&GD27Z}qy3~nBA%B{+R)a5M9+#%0Yz|Ut0-hX0`M5eM4?Uccm0}>9 zH0BcML2cNi#G)lcFXeF$R@yLA*IuGBr8%pFANykPeSywI@@rG6+P6M-^s992fkg*mqCd42ek8|7+qN4Z5LMF z+1aHra#m+2i2T0tl|!*E`-8708uSO;NRv%}Sa(>5rl$V*bm@p~$Q1KVu;2pf9v?gx zc5|N5Cq|gjSo}g*-NvY$eqza%U@koCPH?dV<#KS%>Fhi*!p!$9Hy&R@YA5<70DN=Z zdpC<_YF>dCA3g8K1H2S#aD!CacU0Oyb>gV>Hr3<$9yN%gFz4*m<&NytO=oW;sf_Hc zpA7Trxc4wTyRg>R(TIn-h(zg{i^%+h0_;jI7|E9ugT7=YUVJ0^a%v`%JzD@v6fl6Y z;l89!Vq6UgOhE~FmnD6I1i9*RiTtK2K;F@`sRCmuX@&c%qHR;9s>a6au57&Kc{W~9 zj3JJ5Btje`nx&v2jv$kCLW_+RfF&@+!zy#hjL4Y-;T8vk5l1pG-p%@cdiV@Al!B;5 z3MNeo#W1m=5t%&k7p$&Oc`jEyjk%!(R1y`ZFcBgoWU|e3Iu|%gDpnNIY|SH{Nl$7u zR(go$k+fZT6;vF^gR^JjkRvySD*9k{l5 zQ`IguEwixdXlBJRXi}_fPGD4Ugav;1-T|BBfC+@{d6yo(z{fQ{v&EKCA+z`kCJKgC zh!r(dASL0vLNisFG*?^yJs~O9rk);226_btTU1iMJo&eghyC-&Ffy?a3x`xZk+mo% z_u?zF!CpJjD%k4ovzNvFY`_&1loPG2=9&;e=yaZp4`=wKK%kpJNP7f*KSqB-cKnoG zIH8miGh4)#>YBB!DLL!`41*bdTu%~?*=2&M@?-peyVb=Pg3#akG9)$S;c7Wm< z(St}u46F9>07WVQ6y^VfGEBqdG!4elz*zsFIJFJKxX;fgw`K6!#jzPhZXLNV5&i>{ CQxbsy literal 0 HcmV?d00001