From 97229244ebd2e50ec0021ecd442e3c1c27156a5c Mon Sep 17 00:00:00 2001
From: Ebrahim Byagowi <ebrahim@gnu.org>
Date: Wed, 12 Feb 2020 15:41:22 +0330
Subject: [PATCH] [fuzzer] Fix hb-set-fuzzer minor overflow issue

Size shouldn't be smaller than the struct not its pointer size.

Fixes https://crbug.com/oss-fuzz/20655
---
 ...fuzz-testcase-minimized-hb-set-fuzzer-6255224052514816 | 1 +
 test/fuzzing/hb-set-fuzzer.cc                             | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)
 create mode 100644 test/api/fonts/clusterfuzz-testcase-minimized-hb-set-fuzzer-6255224052514816

diff --git a/test/api/fonts/clusterfuzz-testcase-minimized-hb-set-fuzzer-6255224052514816 b/test/api/fonts/clusterfuzz-testcase-minimized-hb-set-fuzzer-6255224052514816
new file mode 100644
index 000000000..d8a39898e
--- /dev/null
+++ b/test/api/fonts/clusterfuzz-testcase-minimized-hb-set-fuzzer-6255224052514816
@@ -0,0 +1 @@
+       
\ No newline at end of file
diff --git a/test/fuzzing/hb-set-fuzzer.cc b/test/fuzzing/hb-set-fuzzer.cc
index 6f967c32b..30b60797f 100644
--- a/test/fuzzing/hb-set-fuzzer.cc
+++ b/test/fuzzing/hb-set-fuzzer.cc
@@ -33,15 +33,15 @@ static hb_set_t* create_set (const uint32_t* value_array, int count)
 
 extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
 {
-  if (size < sizeof(instructions_t*))
+  if (size < sizeof (instructions_t))
     return 0;
 
   const instructions_t* instructions = reinterpret_cast<const instructions_t*> (data);
-  data += sizeof(instructions_t);
-  size -= sizeof(instructions_t);
+  data += sizeof (instructions_t);
+  size -= sizeof (instructions_t);
 
   const uint32_t* values = reinterpret_cast<const uint32_t*> (data);
-  size = size / sizeof(uint32_t);
+  size = size / sizeof (uint32_t);
 
   if (size < instructions->first_set_size)
     return 0;