From 79ae6b657f9c7bff8c97eb8ee7d2dbeb2217868e Mon Sep 17 00:00:00 2001
From: Garret Rieger <grieger@google.com>
Date: Fri, 24 Mar 2023 17:14:55 +0000
Subject: [PATCH] [subset] Fix fuzzer found memory leaks.

---
 src/hb-subset-plan.cc                            |   9 +++++++--
 ...e-minimized-hb-subset-fuzzer-5793182905663488 | Bin 0 -> 803 bytes
 ...e-minimized-hb-subset-fuzzer-6742230974201856 | Bin 0 -> 1214 bytes
 3 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5793182905663488
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6742230974201856

diff --git a/src/hb-subset-plan.cc b/src/hb-subset-plan.cc
index 786cbbb72..45b530e67 100644
--- a/src/hb-subset-plan.cc
+++ b/src/hb-subset-plan.cc
@@ -346,8 +346,10 @@ _get_hb_font_with_variations (const hb_subset_plan_t *plan)
   hb_font_t *font = hb_font_create (plan->source);
 
   hb_vector_t<hb_variation_t> vars;
-  if (!vars.alloc (plan->user_axes_location.get_population ()))
+  if (!vars.alloc (plan->user_axes_location.get_population ())) {
+    hb_font_destroy (font);
     return nullptr;
+  }
 
   for (auto _ : plan->user_axes_location)
   {
@@ -383,8 +385,11 @@ _collect_layout_variation_indices (hb_subset_plan_t* plan)
   bool collect_delta = plan->pinned_at_default ? false : true;
   if (collect_delta)
   {
-    if (unlikely (!plan->check_success (font = _get_hb_font_with_variations (plan))))
+    if (unlikely (!plan->check_success (font = _get_hb_font_with_variations (plan)))) {
+      gdef.destroy ();
+      gpos.destroy ();
       return;
+    }
     
     if (gdef->has_var_store ())
     {
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5793182905663488 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5793182905663488
new file mode 100644
index 0000000000000000000000000000000000000000..2577001aaee7a0bed73d2afefade4c077aa5a3db
GIT binary patch
literal 803
zcmZQzWME(rQUC*If1e-_11JLF{|8fW!rjHy4a8w!U<8Y~qshY+;$Q@aIEH|vVEWOO
zrIjTXLFKd2<%s5!=q7^Z{#W=<B_lzh#vlO1Obj9n3Jg4$Rs%(W04ff&7zjxQ1hn9k
vrj{=WIheZMLJ2R3)i59aX90yJes96lg3_}Q5HkR=3=qpJfP)^Snc+VG$Nzd~

literal 0
HcmV?d00001

diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6742230974201856 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6742230974201856
new file mode 100644
index 0000000000000000000000000000000000000000..5b914937b5dec1dc1664f0bf9141164f2b827f73
GIT binary patch
literal 1214
zcmZWoOGuPa6#o8y{)f#>qp3v;$q6I|6|5o4!ZKeeF^rMZ0}5&|O-yr~tgJQzK~%N~
zi(J&gYGW1=K`;xWAX>Bw32f2AMPx4u5~)Pz_MJP?gYM7y&-u<d_uO;OJqHGWeEuv1
z>sul_P;G<(&lYMs>XWtGqmk$-8ebDnG&MACHI~s6Mmfr`qG@|e>+sXzA=>k3&n3zF
zK>JJbP)ln?_{5pB?*Vg)_&{r{Ha2|c{3F^g5|^~~#1ru2D(xZSwH?Rf$?H!CpY!}t
z;=V)OCp&KWqWM5zIm2H#M0;iPp2vW@4{*ji+v5idKE9!=NsM)!RQM<DF2=u4T+-Ro
zKX9PSlcN0!@wV>Xws?6(=oszu#HBs)fdsCbi-{w|!6WgW_Lct4PXL?yjj=@U(SDW2
z8p_>bhp~~hqV#7OFyMi~l7y?m>#Hg^gbSfqiO<NP#l#9YbUsM3w5Q&w9%ApG5R{hw
zLJ}>9yHY63YShA`+l>)}&(qr6u-o8C{NRo*JOF&okJS8#@2+V6SxdCWi&gy0hOLnp
z^1I{xM-b3nOchXHe($(x95w@Hmsw`cc&a=PJTul#>z-X>UvnI%&w1;Xx~JV|^1RH8
z4?`-H8*9#<A-DA1fO@5fYL!w?e&wVyD+<+(?Ektyw|W*H_XRyLIi8aGWAfAd`5&o;
zLEl|hu&Ym?U?;HFp1>kp7B4lYaRR;ML!@4@*_#j{&r(`Fx6`mmrJ7$<b6AJ(BxY<)
z8JA$gvI{NgimO>}jw5WQCB7}c?E0&c18A;`1+fLSsF!*h8F$o-29eFlI>$V~+e<y9
zqES)+d0Mu4dxv*%;ZfgMlSRZ{VjsQz^jl0EAkHP0!peK)6Bp=c*-nv~n(PHj?~xNE
zw>;`h*587^Zdar9?0-ufJ|Uy#RYqkpx!e|-W{ePQncifxZnd($ci=P8)w{Zs&Fg2r
zlC?giMmkon8#!wXj!3d?c1&>EEY>4pzV&(84X>!G)*~`#{nx?LC0uiiIHm)8ISS>R
uBWXmr7RQ?j=pzreCq)<2ow*8*TtPmW7$MG<><$7&l#5Zq5=~R;fcgn@y3FVR

literal 0
HcmV?d00001