[kern] Fix invalid memory access if offset is zero

If offset is zero, we return Null() object.  Wasn't prepared for that.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4088
This commit is contained in:
Behdad Esfahbod 2017-11-09 18:09:40 -08:00
parent b68fba4dc8
commit 8eed9cb11e
3 changed files with 6 additions and 4 deletions

View File

@ -117,10 +117,11 @@ struct KernSubTableFormat2
unsigned int l = (this+leftClassTable).get_class (left); unsigned int l = (this+leftClassTable).get_class (left);
unsigned int r = (this+leftClassTable).get_class (left); unsigned int r = (this+leftClassTable).get_class (left);
unsigned int offset = l * rowWidth + r * sizeof (FWORD); unsigned int offset = l * rowWidth + r * sizeof (FWORD);
const FWORD *v = &StructAtOffset<FWORD> (&(this+array), offset); const FWORD *arr = &(this+array);
/* Untested code, as I have not been able to find ANY kern table format-2 yet. */ if (unlikely ((const void *) arr < (const void *) this || (const void *) arr >= (const void *) end))
assert (&(this+array) <= v); return 0;
if (unlikely (v + 1 > (const FWORD *) end)) const FWORD *v = &StructAtOffset<FWORD> (arr, offset);
if (unlikely ((const void *) v < (const void *) arr || (const void *) (v + 1) > (const void *) end))
return 0; return 0;
return *v; return *v;
} }

View File

@ -15,3 +15,4 @@ fonts/sha1sum/a34a9191d9376bda419836effeef7e75c1386016.ttf:--font-funcs=ot:U+004
fonts/sha1sum/a69118c2c2ada48ff803d9149daa54c9ebdae30e.ttf:--font-funcs=ot:U+0041:[gid0=0+1229] fonts/sha1sum/a69118c2c2ada48ff803d9149daa54c9ebdae30e.ttf:--font-funcs=ot:U+0041:[gid0=0+1229]
fonts/sha1sum/b6acef662e0beb8d5fcf5b61c6b0ca69537b7402.ttf:--font-funcs=ot:U+0041:[gid0=0+1000] fonts/sha1sum/b6acef662e0beb8d5fcf5b61c6b0ca69537b7402.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
fonts/sha1sum/e88c339237f52d21e01c55f01b9c1b4cc14a0467.ttf:--font-funcs=ot:U+0041:[gid0=0+1000] fonts/sha1sum/e88c339237f52d21e01c55f01b9c1b4cc14a0467.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
fonts/sha1sum/243798dd281c1c77c065958e1ff467420faa9bde.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]