From 6879efc2c1596d11a6a6ad296f80063b558d5e0f Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Thu, 17 Jan 2019 14:06:37 -0500
Subject: [PATCH] [AAT] Fix anchor bound checking, again

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12532
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=922303
---
 src/hb-aat-layout-ankr-table.hh | 3 ++-
 ...ase-minimized-harfbuzz_fuzzer-5166320261529600 | Bin 0 -> 393 bytes
 ...ase-minimized-hb-shape-fuzzer-5667182741028864 | Bin 0 -> 407 bytes
 3 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5166320261529600
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5667182741028864

diff --git a/src/hb-aat-layout-ankr-table.hh b/src/hb-aat-layout-ankr-table.hh
index 497b2ea2f..69e27066e 100644
--- a/src/hb-aat-layout-ankr-table.hh
+++ b/src/hb-aat-layout-ankr-table.hh
@@ -69,7 +69,8 @@ struct ankr
 if (!offset) return Null(Anchor);
 const GlyphAnchors &anchors = StructAtOffset (&(this+anchorData), *offset);
- if (unlikely (end - (const char *) &anchors < anchors.len.static_size ||
+ if (unlikely (end < (const char *) &anchors ||
+ end - (const char *) &anchors < anchors.len.static_size ||
 end - (const char *) &anchors < anchors.get_size ()))
 return Null(Anchor);
 return anchors[i];
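Review bot: The added `end < (const char *) &anchors` guard is what keeps the two subtraction checks after it from comparing a negative pointer difference against an unsigned size (a negative `end - &anchors` converted to unsigned passes both `<` tests, which is the bug being fixed), so its role deserves a comment, e.g. `/* &anchors comes from an untrusted offset; reject it before the signed/unsigned size comparisons below */`. The guard still forms the possibly out-of-range pointer first and only then compares it against `end`, which is undefined behaviour in C++ when `*offset` reaches past the blob and so is something an optimiser may fold away; a more robust form compares the offset value (its type is not visible in the hunk) against the bytes remaining from `&(this+anchorData)` to `end` before calling `StructAtOffset`, and only forms `anchors` once that passes. The enclosing function, where `end` is defined, starts outside the hunk, and the hunk header counts one more context line than is shown here, so the closing line is not visible either.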
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5166320261529600 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5166320261529600 new file mode 100644 index 0000000000000000000000000000000000000000..b79765a714312bcbceed632e88a20b2099e15d1e GIT binary patch literal 393 zcmaKoy-Gtt5QV?VO@dL#A96_{5`qXyQVC*VanXP_g4iiYND%}R^paS_E`{krKzp$j z^Z`um3+Myr1E{5-7-gIlwbQe3X7}vbnb|>rDC^8KSKX^O=?7U;0wnL%Yt8m1@s6Dr zcdEtEB56={3cin)^R}@JE(uYej*Fh7AFSA=7F3sF9w{egDHx|IGQqU5Fp|kbiNI?$ zn$7`{HD|4LRJASDZ*(PPPiCyqWox&z%`Sb8I3AvI!PWaOxaNjC9(a+cWMonTS&$7| z6=}$!bUERSO9q^O)%uTaxu^2TtHjcx&k&BgL9{~E98=^NBSwS-@r0YrYPjDz&{_M@ a(-0X%K1_3i88z?LA7zrg?pqo0l6(R=TT9;n literal 0 HcmV?d00001 diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5667182741028864 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5667182741028864 new file mode 100644 index 0000000000000000000000000000000000000000..0c40dd8f12ac6fe905cc05dbe671f3fdf5393501 GIT binary patch literal 407 zcma)2ITC;%3=AH%U*I7Ye!(YLSTSQk2sQp^k>n`k8gAt6Q15g^qrBtxjHB>d>Y9T3WOy^4`aRe5izQhAt!dGKvoLwu^r Zz*KrcG|)n`ItmjYKF73%%G+;~^8tT(#V!B< literal 0 HcmV?d00001