From ca8a0f3ea32af8fdaf2f99ad87a43e82be854f62 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Fri, 6 May 2022 11:54:38 -0600
Subject: [PATCH] [gvar] Protect against out-of-range access
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47281
Fixes https://oss-fuzz.com/testcase-detail/5508865908670464
---
 src/hb-ot-var-gvar-table.hh | 5 ++++-
 ...z-testcase-hb-subset-fuzzer-5508865908670464 | Bin 0 -> 17004 bytes
 2 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5508865908670464
diff --git a/src/hb-ot-var-gvar-table.hh b/src/hb-ot-var-gvar-table.hh
index 618cec08f..05c1fafd1 100644
--- a/src/hb-ot-var-gvar-table.hh
+++ b/src/hb-ot-var-gvar-table.hh
@@ -490,7 +490,10 @@ struct gvar
 bool is_long_offset () const { return flags & 1; }
 unsigned get_offset (unsigned i) const
- { return is_long_offset () ? get_long_offset_array ()[i] : get_short_offset_array ()[i] * 2; }
+ {
+ if (unlikely (i > glyphCount)) return 0;
+ return is_long_offset () ? get_long_offset_array ()[i] : get_short_offset_array ()[i] * 2;
+ }
 const HBUINT32 * get_long_offset_array () const { return (const HBUINT32 *) &offsetZ; }
 const HBUINT16 *get_short_offset_array () const { return (const HBUINT16 *) &offsetZ; }
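Review bot: The new guard in get_offset returns 0 for an out-of-range index, but 0 is also a legitimate offset value, so a caller that derives a glyph's byte range as `get_offset (i + 1) - get_offset (i)` cannot tell the two apart and, with unsigned arithmetic, gets a wrapped-around length when only `i + 1` is rejected. Those callers are outside the hunk, so this may already be handled; if not, a check that the end offset is not below the start belongs at the use site rather than here. The comparison `i > glyphCount` (rather than `>=`) is only correct because the offset array holds glyphCount + 1 entries, which the hunk does not show and which presumably relies on sanitize() having checked that many — worth recording above the guard, e.g. `/* offsetZ has glyphCount + 1 entries, so i == glyphCount (end of the last glyph) is valid; sanitize() is assumed to have verified that count. */`. The enclosing struct gvar starts and ends outside the hunk.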
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5508865908670464 b/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5508865908670464 new file mode 100644 index 0000000000000000000000000000000000000000..14048105986f83f2e16c35bcd37b3e3d4213062a GIT binary patch literal 17004 zcmeHO33yaRwmwz&<|c#$l8_)GU_!(_%mL0LvHfKOy}B!j3RI3EMN5$4G^I4CLs0@?2S&%K?dLqNi!$h@5HbF1pq za;xf|I;ZMX6$v70MBPcD_{3p8F=;JR_YjEzpjuKgtl7%nJem>77NB)cong%xIk8_i zBF{C5?>RYrcItr+?@u67iV^QM8S%gSY=#x_he@a3rP-{LeEq*0iM0EHozp<@T&Ex` z$O{CbCbPVsp>aeJv|f-sJuAiPTkMOnlwTq;Gs8M7n>MI}k-i<#`L9a#3|srX=T8!; z2T-TD?5te7wpiPW_i=H{P%IZs>r0L`n$WoC1yYpLpwQ(}Nja@|#d|q@jI!M*i71~4LCusc5U|i3#ezB%qr75}xh*8l%Xi>d*hk~I zTz;ETK1bg!xY}Pz4X$050y1L@)Lm~(^cX^@ncf0zkA8sg8NIj{RSS)#Il7LN7D^y1 z5}(xf=(~)x2mn0kEMgl_4$};%cAdd1PW%j%-YU}{ZmD8w(6!l*5^qi||Z z4^aoOZ%2xxD2k>S>O`>=XXH+%WLi}H%gwf?*j%A%YArXDKA=V7alHV28H2_bD$QgV zYRcUD1nm(gK#$eOh(a;jMSqG8>hn3ho?1<}=GtvJQ*x*2|5;5p%K6pwEW6FEWp~GG zv;*zQLcNXpaXYm@v}cQ1A%AujR97wlo?g`fm+Nr(=%MQ}l99&yN=n1$6SMijqSLi}*01j(Uhj?_rkD=b2DwUI@H2~MO7x$TT6cQj3 zoPI%?80Pd#@)M(+eg*U?{YNAWjTo3TIKpnrwGXvTo}O;aiS8H`71e{KMUNWM5zhGj zBiu${GDh4ar!^V=)T{MSgCP~F8f-!ua6%|Q*OfJHLtOZ^j_-^@R= zjQ?p=yROx5n=Z_^WjfnnLEUGeq+AS2vy_fR-6%E|!!!mMZBS7UNU<()qv26?J#qN( zL~6Xtfl#>~`b~UO=tuv*Q{}}A8`72!7%|i%!6PDBpIxTwrnhCecFIL5LG1~&>4POcP&9RGf=U`fq11DkQ$Jn9Uo#jXKdL*0S$;`{XOXPKIR z?yn%f1@vZJJ4%77g|03k(lV_XkI0q{F<4|YXsxp6=i2qBAl*nFCI?xnXhGiM6?0c* zFMZK#vFCHEURqi5(z3i|3zizMxayHNm&?5qa9>Dbblc#TLt=ZyjLsQi5zEn7AYFjF z%0z7=zCgOJi{FB72W_2+vp;2`Bc6h(PF zajCjeeN}a+3)Dqwp1M$dQY}ym)!%xq(%w`5pl(o~Ri9JWtFNoCX<^zzElP{lp4PT% zuWLKCx3wa*m-@E0UpuIMrhTCOS^H4is}*a1(e`N{X&-B!XrF2av@_c0+7a!vZB|OU zHN$hY=d)6gDl{Y@bP+$n#1G&EDkz);>0$=&e0j;%(>U_9uOjLKn4KY!B75xbY zFmO9)&f*N;4Ryg)oOF)`#lJ9K96g@vLl!-LHtRs zp*VyB4+8~Ip}wJ2uNz%n8XkV)bP4q=|3#jq|KP-7)NKAhq=>Jgm5=owmeji=H5tI+ zWXdb;(X8B<_F^j0ibN)6k;Eeajlf%}9A&SB%ij?wP#dZQ;vwFEQ)Qyq30F5!Y+B|H zdX@HTgt3IVWw`L=_U_loY&M;n4}EPY4MTCDib6u+%#(=di2$^Rp+Qhzp_&LaPde0G 
z6;SwsrkM!UPQufPfpF0y&_^gpu^7NTNG%P8)f~!`W4s|8!qEZ#M)&!Mob0qz%#P5f z6k-vWGquAUT7|~bfB*~?b4o-f+)6&NyH?5ZX33oACjyLIF?E*mhS%HE*+j7PZ3aN~BwjI6RCB*3Y`@XWc*lSvLjWty#Be8n})L zpbE)K+GI0FuXQ!Dhp1{ zKVBsB{KBa$>^wo^e6U#>F=Co6Cle++q!(i;UKpUjqQ}5l>+Rq5_HTn3YCSL~2K&|B z{(TqLr$pB0@bszDOjBH~ieRK(n zC~Qz-aE5u&!*YFZN`^}Ff<7$A`p^S${1ZS)-q`5-T0cb=*a9R4L49Ib3DXSgOK59o zR$h>^QR8A&E3(=%dC0Sh#Y+7oB{npQG75u$F_bJX*0Fh;mSeTqrc6$=r;V_Z(7mF< z2u4l=xIA}=CprmuuvM!dc5fb7xaq9p$BGNsafO))6_nV(!!z4%YX9&cxLE(b2l?oQ zxs21=0I4|FVpKzmD1SBkwzJ)uFDA+$Z4!;ViyjmHsd+gZVyT#0k(ei9%Kygv!ks?6F z)a^yEa?A2{`g)uxX^hRs;Gnia!EtTkT$#np-LkV=&XD8CmsZ62o+z{EbCIth=kpH^ z!p|SSiYKIAxkL7^6u=$D6=}sqva4)|N|kTHn=V(s$v?0S=jgx z%8O)3^z?)}ZSVla?#g)((ZeVH# zH-b}FxKn<}|0B$T>0Uj6;x-Gu3FFfZlDfX#jXm}Iad{XeTMhgP_u~>^_OIWNb8XK- zDnVcva;1Jl?uSHYo#X0cX+3~Gzl{w!XJu|_3u^hjc=GGD`lDa}en-E+#W3D8{>;wk z)T`#ZqMGY9vr8?*Q?Hrpta9s^@JH3mjenVSGhj@)@^KNx2WC#3G{KP*{CRr^>qc`U z(Xevj_!G-W)5=NuC5l&Z_84GnG|oz&=;yX3I&JPuHYYj7VxiznK^_RQCWnAt0V_8>r+Us{ET-z50 zul^{z62@4$qk^mMV&WE0?Ln#@#+eMeWT|N$;OJmTC4C!&C5z1Y=r4mp6}sMq_nr)p zIL)g`-p+Z~!s+}3m5Q!tHrVJ{-sFIF%vdK|ZDq@f&~nYTxlfB8X}xvVnN!R2-}y&|=ai!{Zw@JW`P;{n^Baz= zny9W@cD~oBCpYZbQm~~YV(88T=PvYWp78C-B;PlGzj2Sq%KYzdxAhqMMgI&jZTw5S znl1>ny;Cspo0%3lXXEjS1J7^$-&g;9%u;adbk#S*OOAD0EY~K?o-zE~Hz6S%mnW?8 z-r=))Oy!cinREZRBILt>kMdXFq_(XoGu^l#D4n+$S7Q7)W)5;GMhsMK51I!aF_^}+ zX^J~OSD@4zg7+2}k>4XLL`^$lB| zQM3nzOCY+0y=4#lc;6X)M~xhf;BQJzuQ!L9jBnhw4#Y4K!~_* zefkYanwYgHf63~C^&59!lN#_8U-7*GN1_JxJcy6r#)H^FH%4j2_qcjmp;yVxD#aMb z0jP0nY;bvn;dAkX)|@M;<}4eZW*hcbxumN>3#`q`k+n%Kis$FS@jJsE=j61dTvXz4 zqriB=#XX;S3*$*KK0h84UeQ;td-=uey)94v)s~YxA-YQ!j7uDtNL|t=>ptP( z(Umljub)iY9GB#3QWmMW7w`)+W7@nc^t