Disallow sanitize recursing into Extension subtables multiple times
Fixes https://oss-fuzz.com/v2/testcase-detail/5216838347653120, which is a stack overflow caused not by infinite recursion but by recursion that is merely deep. That is disallowed anyway, so catch it as it happens rather than afterwards.
parent
bcb6f1ae0a
commit
949f6af289
@ -1272,10 +1272,9 @@ struct SubstLookup : Lookup
|
||||||
{
|
{
|
||||||
/* The spec says all subtables of an Extension lookup should
|
/* The spec says all subtables of an Extension lookup should
|
||||||
* have the same type, which shall not be the Extension type
|
* have the same type, which shall not be the Extension type
|
||||||
* itself. This is specially important if one has a reverse type! */
|
* itself (but we already checked for that).
|
||||||
|
* This is specially important if one has a reverse type! */
|
||||||
unsigned int type = get_subtable (0).u.extension.get_type ();
|
unsigned int type = get_subtable (0).u.extension.get_type ();
|
||||||
if (unlikely (type == SubstLookupSubTable::Extension))
|
|
||||||
return_trace (false);
|
|
||||||
unsigned int count = get_subtable_count ();
|
unsigned int count = get_subtable_count ();
|
||||||
for (unsigned int i = 1; i < count; i++)
|
for (unsigned int i = 1; i < count; i++)
|
||||||
if (get_subtable (i).u.extension.get_type () != type)
|
if (get_subtable (i).u.extension.get_type () != type)
|
||||||
|
|
|
@ -2230,7 +2230,9 @@ struct ExtensionFormat1
|
||||||
inline bool sanitize (hb_sanitize_context_t *c) const
|
inline bool sanitize (hb_sanitize_context_t *c) const
|
||||||
{
|
{
|
||||||
TRACE_SANITIZE (this);
|
TRACE_SANITIZE (this);
|
||||||
return_trace (c->check_struct (this) && extensionOffset != 0);
|
return_trace (c->check_struct (this) &&
|
||||||
|
extensionOffset != 0 &&
|
||||||
|
extensionLookupType != T::LookupSubTable::Extension);
|
||||||
}
|
}
|
||||||
|
|
||||||
protected:
|
protected:
|
||||||
|
|
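Review bot: The new comment text `itself (but we already checked for that).` in the SubstLookup::sanitize hunk does not say where that check now lives, so a reader has to rediscover that the removed `type == SubstLookupSubTable::Extension` early return was made redundant by the `extensionLookupType != T::LookupSubTable::Extension` condition added to ExtensionFormat1::sanitize in the second hunk. I would name it in the comment: ` * itself; ExtensionFormat1::sanitize rejects any subtable whose extensionLookupType is Extension before we get here.` That ExtensionFormat1::sanitize has already run for every subtable by the time this loop executes is inferred from the loop starting at index 1, not visible in the hunk; if that ordering does not hold, the removed early return was the only guard against a nested Extension. A regression font with an Extension subtable pointing at another Extension subtable would pin the new rejection in place. SubstLookup::sanitize begins before the first hunk and continues after it.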