Don't subset a glyf table with an unknown format.

Fixes fuzzer issue: https://oss-fuzz.com/testcase-detail/4875306193518592
2023-03-08 20:02:26 +00:00 · 2023-03-08 20:02:26 +00:00 · 9286e12525
parent cfa9541daa
commit 9286e12525
2 changed files with 14 additions and 1 deletions
--- a/src/OT/glyf/glyf.hh
+++ b/src/OT/glyf/glyf.hh
@ -31,6 +31,12 @@ struct glyf

  static constexpr hb_tag_t tableTag = HB_OT_TAG_glyf;

+  static bool has_valid_glyf_format(const hb_face_t* face)
+  {
+    const OT::head &head = *face->table.head;
+    return head.indexToLocFormat <= 1 && head.glyphDataFormat <= 1;
+  }
+
  bool sanitize (hb_sanitize_context_t *c HB_UNUSED) const
  {
    TRACE_SANITIZE (this);
@ -72,6 +78,13 @@ struct glyf
  {
    TRACE_SUBSET (this);

+    if (!has_valid_glyf_format (c->plan->source)) {
+      // glyf format is unknown don't attempt to subset it.
+      DEBUG_MSG (SUBSET, nullptr,
+                 "unkown glyf format, dropping from subset.");
+      return_trace (false);
+    }
+
    glyf *glyf_prime = c->serializer->start_embed <glyf> ();
    if (unlikely (!c->serializer->check_success (glyf_prime))) return_trace (false);

@ -162,7 +175,7 @@ struct glyf_accelerator_t
    vmtx = nullptr;
 #endif
    const OT::head &head = *face->table.head;
-    if (head.indexToLocFormat > 1 || head.glyphDataFormat > 1)
+    if (!glyf::has_valid_glyf_format (face))
      /* Unknown format.  Leave num_glyphs=0, that takes care of disabling us. */
      return;
    short_offset = 0 == head.indexToLocFormat;
--- a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-4875306193518592.fuzz
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-4875306193518592.fuzz