Fix collect lookups logic of FeatureVariationRecord

As "Offset to a feature table substitution table, from beginning of the FeatureVariations table." from https://docs.microsoft.com/en-us/typography/opentype/spec/chapter2 the record should match its sanitize logic not the reverse way. Fixes https://crbug.com/oss-fuzz/20021 and https://crbug.com/oss-fuzz/20022
2020-01-11 15:37:24 +03:30 · 2020-01-11 15:37:24 +03:30 · a32ecc15ae
parent 1a4c658b43
commit a32ecc15ae
3 changed files with 4 additions and 3 deletions
--- a/src/hb-ot-layout-common.hh
+++ b/src/hb-ot-layout-common.hh
@ -2363,10 +2363,11 @@ struct FeatureVariationRecord
 {
  friend struct FeatureVariations;
-  void collect_lookups (const hb_set_t *feature_indexes,
+  void collect_lookups (const void     *base,
 			const hb_set_t *feature_indexes,
 			hb_set_t       *lookup_indexes /* OUT */) const
  {
-    return (this+substitutions).collect_lookups (feature_indexes, lookup_indexes);
+    return (base+substitutions).collect_lookups (feature_indexes, lookup_indexes);
  }
  bool sanitize (hb_sanitize_context_t *c, const void *base) const
@ -2423,7 +2424,7 @@ struct FeatureVariations
 			hb_set_t       *lookup_indexes /* OUT */) const
  {
    for (const FeatureVariationRecord& r : varRecords)
-      r.collect_lookups (feature_indexes, lookup_indexes);
+      r.collect_lookups (this, feature_indexes, lookup_indexes);
  }
  bool sanitize (hb_sanitize_context_t *c) const
--- a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5167653459329024
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5167653459329024
--- a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5642531954229248
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5642531954229248