From 9286e125250c7724a5d7eece0fff4284f73341b6 Mon Sep 17 00:00:00 2001
From: Garret Rieger
Date: Wed, 8 Mar 2023 20:02:26 +0000
Subject: [PATCH] Don't subset a glyf table with an unknown format.

Fixes fuzzer issue: https://oss-fuzz.com/testcase-detail/4875306193518592
---
 src/OT/glyf/glyf.hh | 15 ++++++++++++++-
 ...imized-hb-subset-fuzzer-4875306193518592.fuzz | Bin 0 -> 1044 bytes
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-4875306193518592.fuzz

diff --git a/src/OT/glyf/glyf.hh b/src/OT/glyf/glyf.hh
index 1b5972b36..541d5d1e2 100644
--- a/src/OT/glyf/glyf.hh
+++ b/src/OT/glyf/glyf.hh
@@ -31,6 +31,12 @@ struct glyf
   static constexpr hb_tag_t tableTag = HB_OT_TAG_glyf;
+  static bool has_valid_glyf_format(const hb_face_t* face)
+  {
+    const OT::head &head = *face->table.head;
+    return head.indexToLocFormat <= 1 && head.glyphDataFormat <= 1;
+  }
+
   bool sanitize (hb_sanitize_context_t *c HB_UNUSED) const
   {
     TRACE_SANITIZE (this);
@@ -72,6 +78,13 @@ struct glyf
   {
     TRACE_SUBSET (this);
+    if (!has_valid_glyf_format (c->plan->source)) {
+      // glyf format is unknown don't attempt to subset it.
+      DEBUG_MSG (SUBSET, nullptr,
+                 "unkown glyf format, dropping from subset.");
+      return_trace (false);
+    }
+
     glyf *glyf_prime = c->serializer->start_embed ();
     if (unlikely (!c->serializer->check_success (glyf_prime))) return_trace (false);
@@ -162,7 +175,7 @@ struct glyf_accelerator_t
     vmtx = nullptr;
 #endif
     const OT::head &head = *face->table.head;
-    if (head.indexToLocFormat > 1 || head.glyphDataFormat > 1)
+    if (!glyf::has_valid_glyf_format (face))
       /* Unknown format. Leave num_glyphs=0, that takes care of disabling us. */
       return;
     short_offset = 0 == head.indexToLocFormat;
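Review bot: The new helper's signature `has_valid_glyf_format(const hb_face_t* face)` does not follow the spacing convention used everywhere else in this file (`sanitize (hb_sanitize_context_t *c HB_UNUSED)`, and the helper's own call sites in the later hunks put a space before the paren and attach `*` to the name), and it carries no comment saying what "valid" means. I would write the signature as `static bool has_valid_glyf_format (const hb_face_t *face)` and precede it with `/* True iff head.indexToLocFormat and head.glyphDataFormat are both 0 or 1, the only formats this code understands; the accelerator and the subsetter use this to refuse anything else. */`. The check dereferences the source face's head table through the lazy loader; if a missing head resolves to a zeroed placeholder it will pass as format 0, which is presumably intended but worth stating next to the check. The enclosing sanitize body continues outside the hunk.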
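Review bot: The debug string added to the subset guard misspells "unknown" (`"unkown glyf format, dropping from subset."`); since DEBUG_MSG output is what someone greps when a table silently disappears from a subset, it should read `"unknown glyf format, dropping from subset."`. The comment above it is also a run-on that does not say why the early exit is safe; `// Unknown glyf format: refuse to subset it, and bail out before anything has been serialized.` covers both. The guard returns false, which the subsetting driver presumably treats as "drop this table" rather than "fail the whole font" — consistent with the message, but it deserves a sentence in the comment so a reader does not mistake it for a hard failure. The enclosing subset body continues outside the hunk on both sides.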
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-4875306193518592.fuzz b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-4875306193518592.fuzz new file mode 100644 index 0000000000000000000000000000000000000000..20fc62e133288c7cf80b8f67351f7edf5a818892 GIT binary patch literal 1044 zcmZQzWME)W_^&V+Kw4R15y%}349qJ)bb3x@8idaPqA);4YGMjVkb!|I2162yKu&&g zB1AnSSe6)H<52S-3b5FMGce&=aF~h3EaFvS(TqokHs<~Z8w>O%)Mf@qFoSvV{5D_l zI0&YL0aFdkG)$QR5+T7s{}teYL7`(oVaXr>#7qn#3@i*h3_yTxBnuWXbTtq@elGw3 DX|15x literal 0 HcmV?d00001