walkero
/
harfbuzz
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[fuzzer] Fix hb-set-fuzzer minor overflow issue 

Size shouldn't be smaller than the struct not its pointer size.

Fixes https://crbug.com/oss-fuzz/20655
This commit is contained in:
Ebrahim Byagowi 2020-02-12 15:41:22 +03:30
parent 7b42403c1c
commit 97229244eb
2 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
test/api/fonts/clusterfuzz-testcase-minimized-hb-set-fuzzer-6255224052514816 Normal file
View File

@ -0,0 +1 @@

8
test/fuzzing/hb-set-fuzzer.cc
View File

@ -33,15 +33,15 @@ static hb_set_t* create_set (const uint32_t* value_array, int count)
extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size) extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
{ {
if (size < sizeof(instructions_t*)) if (size < sizeof (instructions_t))
return 0; return 0;
const instructions_t* instructions = reinterpret_cast<const instructions_t*> (data); const instructions_t* instructions = reinterpret_cast<const instructions_t*> (data);
data += sizeof(instructions_t); data += sizeof (instructions_t);
size -= sizeof(instructions_t); size -= sizeof (instructions_t);
const uint32_t* values = reinterpret_cast<const uint32_t*> (data); const uint32_t* values = reinterpret_cast<const uint32_t*> (data);
size = size / sizeof(uint32_t); size = size / sizeof (uint32_t);
if (size < instructions->first_set_size) if (size < instructions->first_set_size)
return 0; return 0;