Disallow sanitize recursing into Extension subtables multiple times
Fixes https://oss-fuzz.com/v2/testcase-detail/5216838347653120 which is a stack overflow, not by way of infinite recursion, just being deep. That's disallowed anyway, so catch it as it happens, not afterwards.
parent
bcb6f1ae0a
commit
949f6af289
|
@ -1272,10 +1272,9 @@ struct SubstLookup : Lookup
|
|||
{
|
||||
/* The spec says all subtables of an Extension lookup should
|
||||
* have the same type, which shall not be the Extension type
|
||||
* itself. This is specially important if one has a reverse type! */
|
||||
* itself (but we already checked for that).
|
||||
* This is specially important if one has a reverse type! */
|
||||
unsigned int type = get_subtable (0).u.extension.get_type ();
|
||||
if (unlikely (type == SubstLookupSubTable::Extension))
|
||||
return_trace (false);
|
||||
unsigned int count = get_subtable_count ();
|
||||
for (unsigned int i = 1; i < count; i++)
|
||||
if (get_subtable (i).u.extension.get_type () != type)
|
||||
|
|
|
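Review bot: The reworded comment says the Extension-of-Extension case was "already checked" but not where, and with the local `type == SubstLookupSubTable::Extension` test removed, the loop depends entirely on that other check. Naming the check keeps the invariant traceable for the next reader, e.g. `* itself (ExtensionFormat1::sanitize rejects that).` The guarantee holds only if every subtable has gone through that sanitize before this point. That presumably happens above the hunk, but the function starts and ends outside the lines shown, so it is worth confirming.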
@ -2230,7 +2230,9 @@ struct ExtensionFormat1
|
|||
inline bool sanitize (hb_sanitize_context_t *c) const
|
||||
{
|
||||
TRACE_SANITIZE (this);
|
||||
return_trace (c->check_struct (this) && extensionOffset != 0);
|
||||
return_trace (c->check_struct (this) &&
|
||||
extensionOffset != 0 &&
|
||||
extensionLookupType != T::LookupSubTable::Extension);
|
||||
}
|
||||
|
||||
protected:
|
||||
|
|
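Review bot: The new `extensionLookupType != T::LookupSubTable::Extension` condition carries no comment, although per the commit message it is what keeps sanitize from recursing deeply on untrusted font data. A one-line comment above the return would stop it being dropped later as redundant, e.g. `/* Reject Extension-of-Extension here so sanitize cannot nest through chained Extension subtables. */`. The condition also requires every `T` this template is instantiated with to expose `LookupSubTable::Extension`. Only the Subst side is visible on this page, so the other instantiations should be confirmed to compile and behave the same way.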