From dc31920bbe3a35c565f89aaeca43e2a5fdb5b606 Mon Sep 17 00:00:00 2001
From: Garret Rieger <grieger@google.com>
Date: Wed, 18 Aug 2021 14:20:14 -0700
Subject: [PATCH] Don't serialize null offsets in CPAL.

Fixes https://oss-fuzz.com/testcase-detail/5443213648330752
---
 src/hb-ot-color-cpal-table.hh                     |  11 ++++++++---
 ...se-minimized-hb-subset-fuzzer-5443213648330752 | Bin 0 -> 567 bytes
 2 files changed, 8 insertions(+), 3 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5443213648330752

diff --git a/src/hb-ot-color-cpal-table.hh b/src/hb-ot-color-cpal-table.hh
index 9ee4bafb2..04e077252 100644
--- a/src/hb-ot-color-cpal-table.hh
+++ b/src/hb-ot-color-cpal-table.hh
@@ -83,8 +83,13 @@ struct CPALV1Tail
     auto *out = c->allocate_size<CPALV1Tail> (static_size);
     if (unlikely (!out)) return_trace (false);
 
-    out->paletteFlagsZ.serialize_copy (c, paletteFlagsZ, base, 0, hb_serialize_context_t::Head, palette_count);
-    out->paletteLabelsZ.serialize_copy (c, paletteLabelsZ, base, 0, hb_serialize_context_t::Head, palette_count);
+    out->paletteFlagsZ = 0;
+    if (paletteFlagsZ)
+      out->paletteFlagsZ.serialize_copy (c, paletteFlagsZ, base, 0, hb_serialize_context_t::Head, palette_count);
+
+    out->paletteLabelsZ = 0;
+    if (paletteLabelsZ)
+      out->paletteLabelsZ.serialize_copy (c, paletteLabelsZ, base, 0, hb_serialize_context_t::Head, palette_count);
 
     const hb_array_t<const NameID> colorLabels = (base+colorLabelsZ).as_array (color_count);
     if (colorLabelsZ)
@@ -234,7 +239,7 @@ struct CPAL
 
     auto *out = c->serializer->start_embed (*this);
     if (unlikely (!c->serializer->extend_min (out))) return_trace (false);
-    
+
     out->version = version;
     out->numColors = retained_color_indices.get_population ();
     out->numPalettes = numPalettes;
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5443213648330752 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5443213648330752
new file mode 100644
index 0000000000000000000000000000000000000000..0d38d6d2610e0e7c9c6cf9390506937fa4636071
GIT binary patch
literal 567
zcmZQzWME)WfB<KIpCAy6fq{_&L^}sK`at;_AQ~OG2ZuU=#DMDmqstNI|Noy3RP>(=
zorKJWnVFkdQ2<g4^dSQ_Js_)L)`OJ5F&4!Pj6icLA?5(pVKonnwqYU!@-Ym6y#xSi
C<V<7$

literal 0
HcmV?d00001