From b5acde43ed81f7c212b4a37aa06c3988bce168a1 Mon Sep 17 00:00:00 2001
From: Garret Rieger
Date: Tue, 13 Dec 2022 22:04:19 +0000
Subject: [PATCH] [subset] check pending/subsetted tag sets for alloc failure.

---
 src/hb-subset.cc | 7 ++++++-
 ...se-minimized-hb-subset-fuzzer-6164014466203648 | Bin 0 -> 191 bytes
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6164014466203648

diff --git a/src/hb-subset.cc b/src/hb-subset.cc
index 353a3a5cf..186b12dbb 100644
--- a/src/hb-subset.cc
+++ b/src/hb-subset.cc
@@ -590,10 +590,15 @@ hb_subset_plan_execute_or_fail (hb_subset_plan_t *plan)
 while (!pending_subset_tags.is_empty ())
 {
+ if (subsetted_tags.in_error ()
+ || pending_subset_tags.in_error ()) {
+ success = false;
+ goto end;
+ }
+
 bool made_changes = false;
 for (hb_tag_t tag : pending_subset_tags)
 {
-
 if (!_dependencies_satisfied (plan, tag, subsetted_tags, pending_subset_tags))
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6164014466203648 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6164014466203648
new file mode 100644
index 0000000000000000000000000000000000000000..3a15ab230169fdc27b8e3ac41d8df1274670784c
GIT binary patch
literal 191
zcmXRZNls&6WB>ssAQn+Q@&HJ20?`*BZCp^4S^%We|KD!UEvaDNz;KG;E8_|Vh9CcP
za#K?>dH(|e(_L94aQ%bh93-wRgEXTT1EU>70>d8G3F|o+Q1}Rixv5|!KsCr>yU{hE
F^8u%3F4F)2

literal 0
HcmV?d00001
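Review bot: In `hb_subset_plan_execute_or_fail` (src/hb-subset.cc) the new `in_error ()` test sits inside the body of `while (!pending_subset_tags.is_empty ())`, so it only runs while the pending set reports non-empty. If an allocation failure while the set is being filled (code outside this hunk) leaves it reporting empty, or a failure occurs on the pass that drains it, the loop is skipped or exited without the test running and `success` keeps its earlier value. Whether an errored set can report empty is not visible here and should be confirmed. Repeating the test once after the loop would close the gap, `if (subsetted_tags.in_error () || pending_subset_tags.in_error ()) success = false;`. A short comment above the added check, such as `// Bail out if either tag set hit an allocation failure.`, would record why it is there; the function starts and ends outside the hunk.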