walkero
/
harfbuzz
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[AAT] Fix anchor bound checking, again 

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12532
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=922303
This commit is contained in:
Behdad Esfahbod 2019-01-17 14:06:37 -05:00
parent a262eb3d0b
commit 6879efc2c1
3 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/hb-aat-layout-ankr-table.hh
View File

@ -69,7 +69,8 @@ struct ankr
if (!offset) if (!offset)
return Null(Anchor); return Null(Anchor);
const GlyphAnchors &anchors = StructAtOffset<GlyphAnchors> (&(this+anchorData), *offset); const GlyphAnchors &anchors = StructAtOffset<GlyphAnchors> (&(this+anchorData), *offset);
if (unlikely (end - (const char *) &anchors < anchors.len.static_size || if (unlikely (end < (const char *) &anchors ||
end - (const char *) &anchors < anchors.len.static_size ||
end - (const char *) &anchors < anchors.get_size ())) end - (const char *) &anchors < anchors.get_size ()))
return Null(Anchor); return Null(Anchor);
return anchors[i]; return anchors[i];

BIN
test/fuzzing/fonts/clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5166320261529600 Normal file
View File

Binary file not shown.

BIN
test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5667182741028864 Normal file
View File

Binary file not shown.