From 9584b090bbd4286d611dda4de00f81c87f808ec7 Mon Sep 17 00:00:00 2001 From: Michiharu Ariza Date: Fri, 15 Mar 2019 13:46:25 -0700 Subject: [PATCH] cff2 subset fuzzer issues (#1619) * add check to FDArray::serialize * add test files * fix off by one --- src/hb-ot-cff-common.hh | 1 + ...se-minimized-hb-subset-fuzzer-5739000398086144 | Bin 0 -> 620 bytes ...se-minimized-hb-subset-fuzzer-5760768497156096 | Bin 0 -> 210 bytes ...se-minimized-hb-subset-fuzzer-5764268627066880 | Bin 0 -> 687 bytes 4 files changed, 1 insertion(+) create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5739000398086144 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5760768497156096 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5764268627066880 diff --git a/src/hb-ot-cff-common.hh b/src/hb-ot-cff-common.hh index 797effcea..4438a6b68 100644 --- a/src/hb-ot-cff-common.hh +++ b/src/hb-ot-cff-common.hh @@ -474,6 +474,7 @@ struct FDArray : CFFIndexOf for (unsigned i = 0; i < fontDicts.length; i++) if (fdmap.has (i)) { + if (unlikely (fid >= fdCount)) return_trace (false); CFFIndexOf::set_offset_at (fid++, offset); offset += FontDict::calculate_serialized_size (fontDicts[i], opszr); } diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5739000398086144 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5739000398086144 new file mode 100644 index 0000000000000000000000000000000000000000..0dec23fad3d427bc5ca05307b3e6f08155e7f209 GIT binary patch literal 620 zcma)2O-lk%6g|)J3myC11btxTA|gtqT?L6T6qH5|5oq9~#srOung~Hki#7#qT17!i zA?P=>Y}d!4`T;=^L8~BwnC=^+BBHvFciuba-23k3g=IO6I#htT5R@eU%2o6fzyo0Q zkIx2XMzqHTz%~a6!&Af$pQz5t0`ZReCvCX05jd@8FRE@ zg4$YqO@`wz3k+j?gpX81{~2<~V+k3g;f5dm@Dh441eLS`5{6SGkN)VN@#j-M0bu-B UP%f7%w0YE~W1(N0*zwJN0~4vTOaK4? literal 0 HcmV?d00001 diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5760768497156096 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5760768497156096 new file mode 100644 index 0000000000000000000000000000000000000000..063aab2ebc7f2667782a22e8a9f32329a1bf7020 GIT binary patch literal 210 zcmeYd3GruOQ~-ki3eIkBMj#dg1A`feMg{+oxJ(MH48pQNb@e_o8!nZu;O${;KY^j$rV z3W(|#gqR9sDln2@fx>@eQ^6WB1h5zfv_=cr8X%tmi!zuH0~Tvwa