Merge pull request #1448 from harfbuzz/cff-leak

[CFF] fix leak: oss-fuzz 11662
2018-12-05 13:23:23 +03:30 · 2018-12-05 13:23:23 +03:30 · cf4b7db6b1
parent 32cc46c75a 803d2f92dc
commit cf4b7db6b1
3 changed files with 4 additions and 2 deletions
--- a/src/hb-ot-cff1-table.hh
+++ b/src/hb-ot-cff1-table.hh
@ -1092,6 +1092,7 @@ struct cff1
 	  CFF1FontDict_Interpreter font_interp;
 	  font_interp.env.init (fontDictStr);
 	  font = fontDicts.push ();
+	  if (unlikely (font == &Crap(CFF1FontDictValues))) { fini (); return; }
 	  font->init ();
 	  if (unlikely (!font_interp.interpret (*font))) { fini (); return; }
 	  PRIVDICTVAL  *priv = &privateDicts[i];
@ -1131,7 +1132,7 @@ struct cff1
    {
      sc.end_processing ();
      topDict.fini ();
-      fontDicts.fini ();
+      fontDicts.fini_deep ();
      privateDicts.fini_deep ();
      hb_blob_destroy (blob);
      blob = nullptr;
--- a/src/hb-ot-cff2-table.hh
+++ b/src/hb-ot-cff2-table.hh
@ -486,6 +486,7 @@ struct cff2
 	CFF2FontDict_Interpreter font_interp;
 	font_interp.env.init (fontDictStr);
 	font = fontDicts.push ();
+	if (unlikely (font == &Crap(CFF2FontDictValues))) { fini (); return; }
 	font->init ();
 	if (unlikely (!font_interp.interpret (*font))) { fini (); return; }

@ -506,7 +507,7 @@ struct cff2
    inline void fini (void)
    {
      sc.end_processing ();
-      fontDicts.fini ();
+      fontDicts.fini_deep ();
      privateDicts.fini_deep ();
      hb_blob_destroy (blob);
      blob = nullptr;
--- a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5175735354916864
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5175735354916864