From a4c3732f59188046322e599a1a67279680385cbd Mon Sep 17 00:00:00 2001
From: Garret Rieger
Date: Wed, 16 Sep 2020 12:35:09 -0700
Subject: [PATCH] [ENOMEM] fix set clear() causing corruption if the set is in_error().

---
 src/hb-set.hh | 11 ++++++++---
 ...e-minimized-hb-subset-fuzzer-5345734743031808 | Bin 0 -> 1240 bytes
 2 files changed, 8 insertions(+), 3 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5345734743031808

diff --git a/src/hb-set.hh b/src/hb-set.hh
index b6e2086a2..d5b95084a 100644
--- a/src/hb-set.hh
+++ b/src/hb-set.hh
@@ -266,9 +266,9 @@ struct hb_set_t
 {
 if (unlikely (hb_object_is_immutable (this)))
 return;
- population = 0;
- page_map.resize (0);
- pages.resize (0);
+
+ if (resize (0))
+ population = 0;
 }
 bool is_empty () const
 {
@@ -515,6 +515,7 @@ struct hb_set_t
 void compact (unsigned int length)
 {
 hb_vector_t old_index_to_page_map_index;
+ // TODO(grieger): need to handle resize failure here.
 old_index_to_page_map_index.resize(pages.length);
 for (uint32_t i = 0; i < old_index_to_page_map_index.length; i++)
 old_index_to_page_map_index[i] = 0xFFFFFFFF;
@@ -599,6 +600,7 @@ struct hb_set_t
 }

 if (!resize (count))
+ // TODO(grieger): does this leave us in an invalid state?
 return;

 newCount = count;
@@ -655,6 +657,9 @@ struct hb_set_t
 }
 assert (!count);
 if (pages.length > newCount)
+ // This resize() doesn't need to be checked because we can't get here
+ // if the set is currently in_error() and this only resizes downwards
+ // which will always succeed if the set is not in_error().
 resize (newCount);
 }

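Review bot: The new `clear()` body gives callers no signal when it leaves the set untouched: when `resize (0)` returns false the function returns silently and `population` keeps its old value, so a caller that clears a set and reuses it is still holding the stale pages unless it also consults `in_error()`. The comment added in the last hunk implies that `resize()` fails whenever the set is already `in_error()`, so the function is void by design and the cheapest fix is to state that contract, e.g. `/* A set that is already in_error() is left as-is: resize () rejects it and in_error() keeps reporting the failure. */` placed above the `if`. The blank `+` line left after `return;` looks like a leftover rather than intentional spacing. `clear()`'s signature sits above the hunk.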
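Review bot: `old_index_to_page_map_index.resize (pages.length)` in `compact()` is still unchecked; the added TODO only records the problem. If that resize fails the vector stays empty, the `for` loop on the next line does nothing, and the remainder of the function (which continues below the hunk) presumably goes on to consult the empty index table while relocating pages, producing a wrong compaction while the set itself is not yet flagged as errored. A guard in the same style as the `if (!resize (count)) return;` in the next hunk closes it: `if (unlikely (!old_index_to_page_map_index.resize (pages.length))) { successful = false; return; }` — assuming `successful` is still the flag behind `in_error()`; otherwise set whichever flag `in_error()` reads so that the caller's subsequent `resize (count)` bails out as the commit intends.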
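Review bot: The TODO is inserted between `if (!resize (count))` and its unbraced `return;`, which is legal but separates the condition from the statement it governs; the three-line comment before `resize (newCount);` in the next hunk uses the same layout. Moving both comments above their `if` (or bracing the bodies) keeps condition and statement adjacent. As for the question the TODO asks, `resize()`'s body is not on this page, but the comment added in the next hunk implies a failed `resize()` leaves the set `in_error()`; if that holds, the answer can replace the question: `// A failed resize () marks the set in_error(); later operations bail out on that flag.` The enclosing function begins above the hunk (the `@@` context names only the struct).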
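Review bot: The new comment before `resize (newCount);` justifies discarding the return value with an invariant (the set is not `in_error()` here, and a downward resize then always succeeds) that nothing in the code enforces. The hunk already uses `assert (!count);`, so the precondition can be checked the same way, `assert (!in_error ());` immediately before the `if`, which turns a future violation of the reasoning into a debug-build failure rather than a silently truncated page table. Whether a downward resize can really never fail depends on `resize()`'s body, which is not on this page; the assert at least pins the half of the argument that is checkable here. The enclosing function begins above the hunk.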
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5345734743031808 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5345734743031808 new file mode 100644 index 0000000000000000000000000000000000000000..193cf8958b98f570c5693f7636363c2e97151d5e GIT binary patch literal 1240 zcmd5*%S%*o6#nj=M_17@7g0ltTUtJ9AtEV3G3v}n_#~Z$q2SoOlDXqFkJL?R5iY_= zbYT!dw2F%81%VJD{R4p{gkXp+f`YI>k(v4R{btOR1ZmfSANRb!a}M`|0zl7-SS7^K0JR?A*MpN z#JFO9&ptg}h9`38bx}TGDF!Zv43-8rIVE7)8e<0wAMMM$> zv}IfigogZ;EtkJgM-F^TL7&H)Oe`n{wpQrwC#ZD zUC6}+MiMnZjOogv;Teo56;y%3>H-hKy5V~e=!{vBFv~MgGuF}_bhxyZ^gOpMELE(XpzdQ=xWnvU!Z#p7Ys2Gdst1ejVX z({tWFUO*u|qLThUxWiDtwMBQrm1z{k1c^%=iM!6X6}OtW*MH-NZE>Dq6IY0`t++xs zoz2bN-Q8U~42*39hZ9DxFB-cP$P8@Fj3JB8<2zJGV^fEDW#WD^9@e?f8jun&+n_Nm zoy#nxzP3uoLG&UGp}=g;)>lD=rV6oY&P7e?G%Y)7xlG>g8y2Aqiq~(%*(y_m61)*V zh4>)^lxW28!^-wqQ7{h+dsyM+X@-vTF30xZpm4d%)l1<1!A~Ni~s-t literal 0 HcmV?d00001