walkero
/
harfbuzz
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

crash fix : Heap-buffer-overflow READ 2 

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18513
This commit is contained in:
Qunxin Liu 2019-10-25 10:07:26 -07:00 committed by Garret Rieger
parent b2fcca6e14
commit defe9b6da0
2 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/hb-ot-layout-gpos-table.hh
View File

@ -762,7 +762,7 @@ struct PairValueRecord
friend struct PairSet;
bool serialize (hb_serialize_context_t *c,
unsigned size,
unsigned length,
const hb_map_t &glyph_map) const
{
TRACE_SERIALIZE (this);
@ -770,7 +770,7 @@ struct PairValueRecord
if (unlikely (!c->extend_min (out))) return_trace (false);
out->secondGlyph = glyph_map[secondGlyph];
return_trace (c->copy (values, size));
return_trace (c->copy (values, length));
}
protected:
@ -871,16 +871,16 @@ struct PairSet
const hb_set_t &glyphset = *c->plan->glyphset ();
const hb_map_t &glyph_map = *c->plan->glyph_map;
unsigned len1 = valueFormats[0].get_size ();
unsigned len2 = valueFormats[1].get_size ();
unsigned record_size = HBUINT16::static_size + len1 + len2;
unsigned len1 = valueFormats[0].get_len ();
unsigned len2 = valueFormats[1].get_len ();
unsigned record_size = HBUINT16::static_size + Value::static_size * (len1 + len2);
const PairValueRecord *record = &firstPairValueRecord;
unsigned count = len, num = 0;
for (unsigned i = 0; i < count; i++)
{
if (!glyphset.has (record->secondGlyph)) continue;
if (record->serialize (c->serializer, record_size, glyph_map)) num++;
if (record->serialize (c->serializer, len1 + len2, glyph_map)) num++;
record = &StructAtOffset<const PairValueRecord> (record, record_size);
}

BIN
test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5677906231033856 Normal file
View File

Binary file not shown.