[subset] Fix possible overflows in VarRegionList serialize
Fixes https://oss-fuzz.com/testcase-detail/5362189182566400
This commit is contained in:
parent
7b8464b655
commit
c68a00b92e
|
@ -9,6 +9,7 @@
|
||||||
#include "hb-fallback-shape.cc"
|
#include "hb-fallback-shape.cc"
|
||||||
#include "hb-font.cc"
|
#include "hb-font.cc"
|
||||||
#include "hb-map.cc"
|
#include "hb-map.cc"
|
||||||
|
#include "hb-ms-feature-ranges.cc"
|
||||||
#include "hb-number.cc"
|
#include "hb-number.cc"
|
||||||
#include "hb-ot-cff1-table.cc"
|
#include "hb-ot-cff1-table.cc"
|
||||||
#include "hb-ot-cff2-table.cc"
|
#include "hb-ot-cff2-table.cc"
|
||||||
|
|
|
@ -2517,7 +2517,8 @@ struct VarRegionList
|
||||||
{
|
{
|
||||||
TRACE_SANITIZE (this);
|
TRACE_SANITIZE (this);
|
||||||
return_trace (c->check_struct (this) &&
|
return_trace (c->check_struct (this) &&
|
||||||
axesZ.sanitize (c, (unsigned int) axisCount * (unsigned int) regionCount));
|
!hb_unsigned_mul_overflows (axisCount * regionCount, VarRegionAxis::static_size) &&
|
||||||
|
axesZ.sanitize (c, axisCount * regionCount));
|
||||||
}
|
}
|
||||||
|
|
||||||
bool serialize (hb_serialize_context_t *c, const VarRegionList *src, const hb_bimap_t ®ion_map)
|
bool serialize (hb_serialize_context_t *c, const VarRegionList *src, const hb_bimap_t ®ion_map)
|
||||||
|
@ -2527,7 +2528,9 @@ struct VarRegionList
|
||||||
if (unlikely (!out)) return_trace (false);
|
if (unlikely (!out)) return_trace (false);
|
||||||
axisCount = src->axisCount;
|
axisCount = src->axisCount;
|
||||||
regionCount = region_map.get_population ();
|
regionCount = region_map.get_population ();
|
||||||
if (unlikely (!c->allocate_size<VarRegionList> (get_size () - min_size))) return_trace (false);
|
if (unlikely (hb_unsigned_mul_overflows (axisCount * regionCount,
|
||||||
|
VarRegionAxis::static_size))) return_trace (false);
|
||||||
|
if (unlikely (!c->extend<VarRegionList> (out))) return_trace (false);
|
||||||
unsigned int region_count = src->get_region_count ();
|
unsigned int region_count = src->get_region_count ();
|
||||||
for (unsigned int r = 0; r < regionCount; r++)
|
for (unsigned int r = 0; r < regionCount; r++)
|
||||||
{
|
{
|
||||||
|
|
Binary file not shown.
Loading…
Reference in New Issue