Don't subset a glyf table with an unknown format.

Fixes fuzzer issue: https://oss-fuzz.com/testcase-detail/4875306193518592
Garret Rieger 2023-03-08 20:02:26 +00:00 committed by Behdad Esfahbod
parent cfa9541daa
commit 9286e12525
2 changed files with 14 additions and 1 deletions


@ -31,6 +31,12 @@ struct glyf
static constexpr hb_tag_t tableTag = HB_OT_TAG_glyf; static constexpr hb_tag_t tableTag = HB_OT_TAG_glyf;
static bool has_valid_glyf_format(const hb_face_t* face)
{
const OT::head &head = *face->table.head;
return head.indexToLocFormat <= 1 && head.glyphDataFormat <= 1;
}
bool sanitize (hb_sanitize_context_t *c HB_UNUSED) const bool sanitize (hb_sanitize_context_t *c HB_UNUSED) const
{ {
TRACE_SANITIZE (this); TRACE_SANITIZE (this);
@ -72,6 +78,13 @@ struct glyf
{ {
TRACE_SUBSET (this); TRACE_SUBSET (this);
if (!has_valid_glyf_format (c->plan->source)) {
// glyf format is unknown don't attempt to subset it.
DEBUG_MSG (SUBSET, nullptr,
"unkown glyf format, dropping from subset.");
return_trace (false);
}
glyf *glyf_prime = c->serializer->start_embed <glyf> (); glyf *glyf_prime = c->serializer->start_embed <glyf> ();
if (unlikely (!c->serializer->check_success (glyf_prime))) return_trace (false); if (unlikely (!c->serializer->check_success (glyf_prime))) return_trace (false);
@ -162,7 +175,7 @@ struct glyf_accelerator_t
vmtx = nullptr; vmtx = nullptr;
#endif #endif
const OT::head &head = *face->table.head; const OT::head &head = *face->table.head;
if (head.indexToLocFormat > 1 || head.glyphDataFormat > 1) if (!glyf::has_valid_glyf_format (face))
/* Unknown format. Leave num_glyphs=0, that takes care of disabling us. */ /* Unknown format. Leave num_glyphs=0, that takes care of disabling us. */
return; return;
short_offset = 0 == head.indexToLocFormat; short_offset = 0 == head.indexToLocFormat;
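Review bot: `has_valid_glyf_format` is now the single gate that keeps both `glyf::subset` and the `glyf_accelerator_t` setup from reading glyph data under a `head` format they do not handle, yet nothing at its definition says what the two `<= 1` bounds stand for. A short comment there would help whoever next extends the accepted formats, for example `/* Only indexToLocFormat 0/1 and glyphDataFormat 0/1 are understood; callers must not parse or subset glyf/loca otherwise. */`. In the `subset` hunk the debug string is misspelled and should read `"unknown glyf format, dropping from subset."`. That message presumably appears only in debug builds, and the new guard and the `check_success` failure just below it both end in `return_trace (false)`, so it is worth confirming that callers of the subsetter can tell a deliberately dropped glyf table from a serialization failure. The bodies of `subset` and of the accelerator setup continue outside the hunks shown.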