From 7416faceeb7a875ba7316cee124edee2d59ea8d0 Mon Sep 17 00:00:00 2001
From: Qunxin Liu <qxliu@google.com>
Date: Wed, 7 Jul 2021 11:27:49 -0700
Subject: [PATCH] [subset] fuzzer fix:
 https://oss-fuzz.com/testcase-detail/5715464591376384

---
 src/hb-ot-color-cpal-table.hh                 |  49 ++++++------------
 ...inimized-hb-subset-fuzzer-5715464591376384 | Bin 0 -> 2116 bytes
 2 files changed, 15 insertions(+), 34 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5715464591376384

diff --git a/src/hb-ot-color-cpal-table.hh b/src/hb-ot-color-cpal-table.hh
index a59b46bef..9ee4bafb2 100644
--- a/src/hb-ot-color-cpal-table.hh
+++ b/src/hb-ot-color-cpal-table.hh
@@ -83,45 +83,26 @@ struct CPALV1Tail
     auto *out = c->allocate_size<CPALV1Tail> (static_size);
     if (unlikely (!out)) return_trace (false);
 
-    const hb_array_t<const HBUINT32> paletteFlags = (base+paletteFlagsZ).as_array (palette_count);
-    const hb_array_t<const NameID> paletteLabels = (base+paletteLabelsZ).as_array (palette_count);
+    out->paletteFlagsZ.serialize_copy (c, paletteFlagsZ, base, 0, hb_serialize_context_t::Head, palette_count);
+    out->paletteLabelsZ.serialize_copy (c, paletteLabelsZ, base, 0, hb_serialize_context_t::Head, palette_count);
+
     const hb_array_t<const NameID> colorLabels = (base+colorLabelsZ).as_array (color_count);
-
-    c->push ();
-    for (const auto _ : paletteFlags)
+    if (colorLabelsZ)
     {
-      if (!c->copy<HBUINT32> (_))
+      c->push ();
+      for (const auto _ : colorLabels)
       {
-        c->pop_discard ();
-        return_trace (false);
+        if (!color_index_map->has (_)) continue;
+        NameID new_color_idx;
+        new_color_idx = color_index_map->get (_);
+        if (!c->copy<NameID> (new_color_idx))
+        {
+          c->pop_discard ();
+          return_trace (false);
+        }
       }
+      c->add_link (out->colorLabelsZ, c->pop_pack ());
     }
-    c->add_link (out->paletteFlagsZ, c->pop_pack ());
-
-    c->push ();
-    for (const auto _ : paletteLabels)
-    {
-      if (!c->copy<NameID> (_))
-      {
-        c->pop_discard ();
-        return_trace (false);
-      }
-    }
-    c->add_link (out->paletteLabelsZ, c->pop_pack ());
-
-    c->push ();
-    for (const auto _ : colorLabels)
-    {
-      if (!color_index_map->has (_)) continue;
-      NameID new_color_idx;
-      new_color_idx = color_index_map->get (_);
-      if (!c->copy<NameID> (new_color_idx))
-      {
-        c->pop_discard ();
-        return_trace (false);
-      }
-    }
-    c->add_link (out->colorLabelsZ, c->pop_pack ());
     return_trace (true);
   }
 
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5715464591376384 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5715464591376384
new file mode 100644
index 0000000000000000000000000000000000000000..63faabe4191e016eea14f770ce4496a046c1fdfe
GIT binary patch
literal 2116
zcmZQzWME(rRKN<H{e6N!5)2Hib3n9nfTItTzeC}_0tk@`z*=zW%OJ|M{|f(c*qxhL
zQ2;W6fq|I;mr>|;qw{g;BOs37nEwz!z>HDp0SEyG#sRRDE>>bolGwzEbqpxifdDWq
zLm0RV0Js8}!jVT469o9wfC8C;fdPThf{=mnKS+)NSs0y<EC*v_+KCjOFhxU;#`M-8
m^8?8a1Xgq8K#(RP^g+~s!U$mtBtIkg5Ee)Y*ia;uXlejyZEd~)

literal 0
HcmV?d00001