From b33a0d628e5e76992fdd02fd4178906137e6153c Mon Sep 17 00:00:00 2001
From: Qunxin Liu
Date: Mon, 21 Oct 2019 13:24:52 -0700
Subject: [PATCH] fuzzer crash fix: Null-dereference WRITE https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18363
---
 src/hb-ot-layout-common.hh | 4 +++-
 ...se-minimized-hb-subset-fuzzer-5659903036751872 | Bin 0 -> 781 bytes
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5659903036751872
diff --git a/src/hb-ot-layout-common.hh b/src/hb-ot-layout-common.hh
index 2777c659d..fa08140f5 100644
--- a/src/hb-ot-layout-common.hh
+++ b/src/hb-ot-layout-common.hh
@@ -1545,6 +1545,7 @@ struct ClassDefFormat2
 range_rec.value = prev_klass;
 RangeRecord *record = c->copy (range_rec);
+ if (unlikely (!record)) return_trace (false);
 for (const auto gid_klass_pair : + (++it))
 {
@@ -1554,6 +1555,7 @@ struct ClassDefFormat2
 if (cur_gid != prev_gid + 1 || cur_klass != prev_klass)
 {
+ if (unlikely (!record)) break;
 record->end = prev_gid;
 num_ranges++;
@@ -1568,7 +1570,7 @@ struct ClassDefFormat2
 prev_gid = cur_gid;
 }
- record->end = prev_gid;
+ if (likely (record)) record->end = prev_gid;
 rangeRecord.len = num_ranges;
 return_trace (true);
 }
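Review bot: The new `if (unlikely (!record)) break;` in the second hunk turns a failed copy into silent truncation: the loop exits, the function goes on to set `rangeRecord.len` and returns true, so a caller sees a successful serialization of an incomplete class definition. The first hunk already treats a null `record` as a hard failure with `return_trace (false)`; the loop should do the same, `if (unlikely (!record)) return_trace (false);`, unless every caller is guaranteed to check the serializer's error state afterwards, which I cannot see from here. The enclosing serialize method starts before this hunk, and the `c->copy` that presumably reassigns `record` inside the loop is outside it.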
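Review bot: In the third hunk `if (likely (record)) record->end = prev_gid;` skips the write but still falls through to `return_trace (true)`, so the null case, which can only arise after a copy inside the loop failed, is reported as success. Returning false here would be consistent with the guard added after the first `c->copy` and keeps `rangeRecord.len` from describing a table whose last range was never finished: `if (unlikely (!record)) return_trace (false);`. Whether `num_ranges` already excludes the unfinished range is decided by lines outside this hunk, so I have not assumed either way.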
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5659903036751872 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5659903036751872 new file mode 100644 index 0000000000000000000000000000000000000000..51ab2fe43733fb17298003507cd5cd0305ac7135 GIT binary patch literal 781 zcmZuv&ubGw6#izj8`o{bC?Zl6R#Z&YLlMQID6PiyU{9KYpdyReB-rd`+1-TnA`OBE zQN-#&Fa8n!x-k2XdS4{+n5D~B=u^<8VHuJx=?2NuRz^?Eg`1?|d>4$r{t+V+~4MD*u*F7RvD z8uL{pkG2{6{Ev0ttNgk;*9XEC`i|Atu^WzZP^g60nmtkEM`%?UV(LJK#^Mct7*f1=_n1_X%e6r-I;_q-CUs?RzOxgVY z;7J<7C7tM+)FLw2K!FYh5_T{`3JI7d4q!wJv9OCd8L??2a-Ii}^y#VnmxvL0Ldy56 zX77K4-HaaXwNa+PQPqN)nCW0*?Kn@9n4+HpR&6-ggE5Fo zHAvYhr#HqcQvb#lGHi%A3aZrT3^FpLK+Og{S?;sq2RY+%6;58WHJT%45LH))C4B>f K)>TKn9_&9*+oKo& literal 0 HcmV?d00001