[kerx] Fix sanitize of KerxSubtableFormat2::array read

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11033
Behdad Esfahbod 2018-10-20 12:09:41 -07:00
parent 00fdbca4f6
commit 68b7050768
1 changed files with 3 additions and 2 deletions


@ -103,7 +103,8 @@ struct KerxSubTableFormat0
inline bool sanitize (hb_sanitize_context_t *c) const inline bool sanitize (hb_sanitize_context_t *c) const
{ {
TRACE_SANITIZE (this); TRACE_SANITIZE (this);
return_trace (likely (pairs.sanitize (c))); return_trace (likely (c->check_struct (this) &&
pairs.sanitize (c)));
} }
protected: protected:
@ -275,7 +276,7 @@ struct KerxSubTableFormat2
inline bool sanitize (hb_sanitize_context_t *c) const inline bool sanitize (hb_sanitize_context_t *c) const
{ {
TRACE_SANITIZE (this); TRACE_SANITIZE (this);
return_trace (likely (rowWidth.sanitize (c) && return_trace (likely (c->check_struct (this) &&
leftClassTable.sanitize (c, this) && leftClassTable.sanitize (c, this) &&
rightClassTable.sanitize (c, this) && rightClassTable.sanitize (c, this) &&
c->check_range (this, array))); c->check_range (this, array)));
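Review bot: In the KerxSubTableFormat2 sanitize chain the order of the `&&` operands is now what keeps the reads in bounds, and nothing in the code says so: `c->check_struct (this)` has to succeed before the later operands read `leftClassTable`, `rightClassTable` and `array` out of the header. A one-line comment above the `return_trace` would guard against reordering, e.g. `/* check_struct must stay first: the offsets used below are read from this header. */`; the Format0 hunk has the same shape and could carry the same comment. The closing `c->check_range (this, array)` appears to bound a range sized by the offset value rather than the kerning entries themselves, so the code that indexes the array presumably still needs its own bounds check, which is worth confirming against the reader. The commit changes one file, so the oss-fuzz reproducer is not added as a regression test here. The end of the function lies outside the hunk.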