From 7f358a55f4b3c0eb6654be9e8c31ece29965b4d6 Mon Sep 17 00:00:00 2001
From: Garret Rieger <grieger@google.com>
Date: Thu, 30 Jul 2020 13:57:30 -0700
Subject: [PATCH] [ENOMEM] unchecked resize in CFF2.

---
 src/hb-ot-cff2-table.hh                          |   3 ++-
 ...e-minimized-hb-subset-fuzzer-5181909018345472 | Bin 0 -> 2559 bytes
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5181909018345472

diff --git a/src/hb-ot-cff2-table.hh b/src/hb-ot-cff2-table.hh
index 075a0d4ef..829217fea 100644
--- a/src/hb-ot-cff2-table.hh
+++ b/src/hb-ot-cff2-table.hh
@@ -441,7 +441,8 @@ struct cff2
       { fini (); return; }
 
       fdCount = fdArray->count;
-      privateDicts.resize (fdCount);
+      if (!privateDicts.resize (fdCount))
+      { fini (); return; }
 
       /* parse font dicts and gather private dicts */
       for (unsigned int i = 0; i < fdCount; i++)
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5181909018345472 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5181909018345472
new file mode 100644
index 0000000000000000000000000000000000000000..250710b40bf48523dd97acebd7dc25ae3da92cbb
GIT binary patch
literal 2559
zcmdT``*YJ(7C-l!N0ZyohEl1{R{budM0p5iR?EwUT0jJBtL=af5Cg5$>Goj>q_)`-
z68g$F-!y3wHpW5#b#O*eAvy}KyWlLN<BZF?`@=G_yDl^Qz&><$9M*3!)$Hef(=zMM
z{sVjNoO|!*oO92)_vC!<ji-B03zd?e4AfP-Zk=mK&DPh5Xp)u~#~)~@Z+vynyw{0L
zzk%!*>o?at^7WmTFNw@i;3pmeK4Exa2k_s4_trNqc0Cd4fv%_-_^HOGnx>C#yOIF@
z74To(d)?i0Ivo8(mN$X#+1c*yqJ1<Bd<A&r)6oBR;rtFFs|@@~Ym2+N+}Z?t6Ft*<
zFQur(U9?$(%K8yHM{B#M$8wPn%PQjA+TA@}WM~lj33TQTcYDh#U;GaKIG|}mSLbd|
z{!_Y}sB{wqvIM`gZpEzE<`6?@rsykgMn}f2#4y<OUI<KY&{;@~Vh&o3_I(nPvuJ_}
z+W+h!6#f`V$h2_67~_@nJ|ePD%YY3Ml>eY&wjw$foy)`a+3WfBD-${8+|cO2>rcD*
zSLtZqeLUCW;>xk*{F*P^w}fW~5)PjG+?yF4ieiOUlI~YwbIirx-k~Vr%nGiR`#eE-
zh%bWi8QsjByVm;{v|@oR9XL9*pm7=RN(+~V9bBuNjJ(_(8II-3YnSrlN^Zf#`F*E{
zBLgwbDf4Gvllfm7@4Dr#k8@VoZuxdu=uUp%rRq}}?{V@!teCjarf5x*7ovMp{YQVj
z^PTO#f6*66^aY;W{?4kvR(Zq2e_mqAdM{OTZNv3tgP9R^_!F0tKlWnJ)b<uno_|Tn
zJvecGe_L$eVAT>uQT(TeMh_%J@Zh^LzuI^=Z#y*q$2?a*d45Qp$DP8aiu=+N9jR<8
znfg4HOuw5^2O%Aaq8mz~QzGDlo%(E4Q9?qi%fkDnXNrp1NEk~Z141U~`3iF`k{nDH
zkfNv+Mc&Lr`=Jx*MCy;}WG0)j<kY0~wj)co+pLPM_=66oqU;V=@Jm}X35&uN#o4qs
zqbPd<AvjknY_?0uf=Z78!3-3_EY!e!Q3FOQ5|u(Tshn2P59oH9OHNuqi^)aRw32FR
zJ#C~0+Du!?O}nU_y2(rZ6r@2?C`RLSgpSh*%F=06<A>}7dkecz?KjEAVY@mKnZwPh
z-4qT*WM0MNP>Hkz!DHY)@V(q5^HIBLbSM_K%lr<G%*s4wH|?y(2v3PX8tx7U5<b=L
z6$9#Pmffu5o0fBJwy%aq?4};rMeIcxF|OlTQPXCb2NrQJT<OxVy-4OOd0#x3!gMei
zRPA$<`^T|85oa}`%@@I62*&%>o6TBpw#|!B-g~$?C*{rgz;IrDkUM>;q1ZrqVlDq<
z%s+?EKJ(o8Qm#EU@r6gxwgo50p8H$;rxzCTm>1{SzZRj=ZgnL3@a16K-*L61;-n>y
zPpJ2Lb$9_!c$~aGTkqiC_`a=9#$yACz%eKPQtR}Oj;KS&o1=sAA9C%31IbWW!D0GN
z#{;l=c6@)bw+dffP{BrpeA`$kGCcZn?;5T>lj|IBMiF$Ls^!|T?B%mE_ddXL_H=S!
z6_0ILjH8tKVux_7#3H^eb3aFVVi5-~+!oAyuHm2B_R^LAB7@<osEUi}`g4Wx?Am-?
z-fZkNgn<pXR|+I*hm)hqMbeseo0_QPCvHy%l@u<ne7@kft);tzEU+xxNk)COM6FmU
z(T`{iG)-s*G*JE`)#cBi>;!Sl$LW4C&5xlR1&LctFvx%V)J8D)b^m%lZNYG(3h#`{
zz|&GZ00P0Xup>h06Fm;T4=h7R_!NZWg<uzx$UlA40)tkgf%1PMN!XHZE9}|VGfkBk
z#W}#b)&gziZcle7WYp8T%Y#AeW%{<?1ik5h`bUJzVi9OH+O&<B7bH`?h%A^f3!8z_
za4Ta`JT@eSq(^}_7Do0Y&Vt=ZMzg_WG)a>FE<k^Se)-<}C*iz?wn(3S_Z1u+Wc9Mx
zEr@+49mXIdlGwdCmB^bFy@Mq0u2v7jiEHbc9$`l4%V-`gr#jj}dnrVR>6C6y%tYcX
z75oiY_#jrqM4o}M!-7m=R-8b`?Anx!Sg|;bz*6XjY=-pn0yfAuWTl1!*gLQo5d*(F
zj__ZPFg!6_aYVO(H%{3Rlm6dcF6^9`5qT|S6@ZG&;&39TAk+kYBauxVae?%z5IUQv
z7m-0-SHeoCawc?kHggIgORS9H#mI|%HUpI-3aaC~llX`7D(;0kW2caOj|`HZ8l<0*
O$#4$;`0#?@i}*L-f3kc4

literal 0
HcmV?d00001