From 64fa5cd482d0be2e215998aa1c2a05b978133e7c Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Tue, 7 Feb 2023 15:50:36 -0700
Subject: [PATCH] [GPOS] Fix assert fail introduced recently

Was introduced in 8708b9e081192786c027bb7f5f23d76dbe5c19e8. If these lookups are recursed to from (Chain)Context out-of-order, it was possible that last_base > buffer->idx, in which case we were attaching marks to a base after them... and an assertion was failing fortunately. Fixes https://oss-fuzz.com/testcase-detail/6377756666757120
---
 src/OT/Layout/GPOS/MarkBasePosFormat1.hh | 5 +++++
 src/OT/Layout/GPOS/MarkLigPosFormat1.hh | 5 +++++
 ...ase-minimized-hb-shape-fuzzer-6377756666757120 | Bin 0 -> 607 bytes
 3 files changed, 10 insertions(+)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-6377756666757120

diff --git a/src/OT/Layout/GPOS/MarkBasePosFormat1.hh b/src/OT/Layout/GPOS/MarkBasePosFormat1.hh
index 73839a4c8..938369a50 100644
--- a/src/OT/Layout/GPOS/MarkBasePosFormat1.hh
+++ b/src/OT/Layout/GPOS/MarkBasePosFormat1.hh
@@ -122,6 +122,11 @@ struct MarkBasePosFormat1_2
 hb_ot_apply_context_t::skipping_iterator_t &skippy_iter = c->iter_input;
 skippy_iter.set_lookup_props (LookupFlag::IgnoreMarks);
+ if (c->last_base_until > buffer->idx)
+ {
+ c->last_base_until = 0;
+ c->last_base = -1;
+ }
 unsigned j;
 for (j = buffer->idx; j > c->last_base_until; j--)
 {
diff --git a/src/OT/Layout/GPOS/MarkLigPosFormat1.hh b/src/OT/Layout/GPOS/MarkLigPosFormat1.hh
index 447187102..7e7b438aa 100644
--- a/src/OT/Layout/GPOS/MarkLigPosFormat1.hh
+++ b/src/OT/Layout/GPOS/MarkLigPosFormat1.hh
@@ -104,6 +104,11 @@ struct MarkLigPosFormat1_2
 hb_ot_apply_context_t::skipping_iterator_t &skippy_iter = c->iter_input;
 skippy_iter.set_lookup_props (LookupFlag::IgnoreMarks);
+ if (c->last_base_until > buffer->idx)
+ {
+ c->last_base_until = 0;
+ c->last_base = -1;
+ }
 unsigned j;
 for (j = buffer->idx; j > c->last_base_until; j--)
 {
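Review bot: The cache-reset guard added at the top of the MarkBasePosFormat1.hh hunk carries none of the rationale from the commit message, and the same five lines are duplicated verbatim in the MarkLigPosFormat1.hh hunk, so a future reader sees an unexplained invariant in two places. A comment above the `if` such as `/* last_base/last_base_until cache may be ahead of idx when this lookup is reached out-of-order via (Chain)Context recursion; drop it so a mark is never attached to a base that follows it. */` would state why `last_base_until > buffer->idx` is possible and why discarding the cache is the safe answer. Because both formats reset the same pair on `hb_ot_apply_context_t` in the same way, moving the check into one small helper on that context (taking `buffer->idx`) would keep the invariant in a single place and make it harder for a third mark-attachment format to miss it; resetting `last_base_until` to `0` also appears to make the following loop rescan from `buffer->idx` down to the start, which is presumably the intent and worth saying in the comment. The enclosing function begins and ends outside both hunks.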
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-6377756666757120 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-6377756666757120 new file mode 100644 index 0000000000000000000000000000000000000000..718e169a787806a211ccd6631bd6f4e09a0e24c0 GIT binary patch literal 607 zcmaJ;O-lk%6g_Vo9SZ}oC=0S8Dlnz|0oD*fixvs)qD4WA7JU#%TZcC7+6O`Z!Ckvr z<-S!!AS4kfNhX+K-p(6cNKto~nfvZN=YE_A1;9v}p{C?kQfuk+uS-88Be5CiOfLrb zsNJp1KKwj+FpC&Hi&+x}Jp=EO1m+2jz)^2Vz;;?9@V=H1EP=qok5EqMz#LFTl%y!> zQTTYK{jNBtphO!x)}(r;2vz7ur7R@-AlP%6tK)h44h%2HoLCw{ouge7Y7?dxuvx(U z3yz0Xfv1Ceu5}w>)1IA$6LkdJlosO+i0RgJIexvK)PF1;VYJBD6uJ_YW@Y&*q#nH$ zku1FIZeS4RX9AnuY6MlGqXr9THG&;A8uUFIl0n|{{1Qjp;Lr+T17>~k594y7(;$W7 z@Qwxd!orkd+hTx3eqBhd4bk-!`VgjI4`N>_Vu}}XR-R@U>gInVqUv7A*ytq71_J5z VOj|DLXzhb7O| literal 0 HcmV?d00001