From be872001063d263efe708c4db5af569cfaedd3fe Mon Sep 17 00:00:00 2001
From: Garret Rieger <grieger@google.com>
Date: Fri, 24 Mar 2023 17:30:53 +0000
Subject: [PATCH] [subset] fix buffer overflow fuzzer reported issue.

---
 src/hb-subset-plan.cc                            |  14 ++++++++------
 ...e-minimized-hb-subset-fuzzer-5120246288875520 | Bin 0 -> 2501 bytes
 2 files changed, 8 insertions(+), 6 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5120246288875520

diff --git a/src/hb-subset-plan.cc b/src/hb-subset-plan.cc
index 45b530e67..ee8136797 100644
--- a/src/hb-subset-plan.cc
+++ b/src/hb-subset-plan.cc
@@ -812,12 +812,15 @@ _normalize_axes_location (hb_face_t *face, hb_subset_plan_t *plan)
 
   bool has_avar = face->table.avar->has_data ();
   const OT::SegmentMaps *seg_maps = nullptr;
+  unsigned avar_axis_count = 0;
   if (has_avar)
+  {
     seg_maps = face->table.avar->get_segment_maps ();
+    avar_axis_count = face->table.avar->get_axis_count();
+  }
 
   bool axis_not_pinned = false;
   unsigned old_axis_idx = 0, new_axis_idx = 0;
-  unsigned int i = 0;
   for (const auto& axis : axes)
   {
     hb_tag_t axis_tag = axis.get_axis_tag ();
@@ -832,7 +835,7 @@ _normalize_axes_location (hb_face_t *face, hb_subset_plan_t *plan)
     else
     {
       int normalized_v = axis.normalize_axis_value (plan->user_axes_location.get (axis_tag));
-      if (has_avar && old_axis_idx < face->table.avar->get_axis_count ())
+      if (has_avar && old_axis_idx < avar_axis_count)
       {
         normalized_v = seg_maps->map (normalized_v);
       }
@@ -840,14 +843,13 @@ _normalize_axes_location (hb_face_t *face, hb_subset_plan_t *plan)
       if (normalized_v != 0)
         plan->pinned_at_default = false;
 
-      plan->normalized_coords[i] = normalized_v;
+      plan->normalized_coords[old_axis_idx] = normalized_v;
     }
-    if (has_avar)
-      seg_maps = &StructAfter<OT::SegmentMaps> (*seg_maps);
 
     old_axis_idx++;
 
-    i++;
+    if (has_avar && old_axis_idx < avar_axis_count)
+      seg_maps = &StructAfter<OT::SegmentMaps> (*seg_maps);
   }
   plan->all_axes_pinned = !axis_not_pinned;
 }
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5120246288875520 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5120246288875520
new file mode 100644
index 0000000000000000000000000000000000000000..12d40b0d32e9baa4f0308b05bd8829ac4c368fe4
GIT binary patch
literal 2501
zcmeYd3Gru8zy$v>g=j94Se94>vV?(wlLtg6g9s#$hLEoT2~+AuZ2GZ@Avu9q=Kudt
zgFp-_nMthO)Kmv_J_rzRB)U?#W)K5il6YeWi%N7K3^VVc2Q%Dz=n}(@KP*xwnXv+l
zWe^}<H@Z@|W)K5il6Yf>o=UjKhn~|(bn!@tSO!K=pfE6?2MsWmK>%GCHy>RoTr-FP
Zm1F<{Mj#dd+Q`Hp0<sk(gxgR&G5|n!dk6pk

literal 0
HcmV?d00001