From defe9b6da018bc85750c999454c51fde0cadb9b2 Mon Sep 17 00:00:00 2001
From: Qunxin Liu <qxliu@google.com>
Date: Fri, 25 Oct 2019 10:07:26 -0700
Subject: [PATCH] crash fix : Heap-buffer-overflow READ 2
 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18513

---
 src/hb-ot-layout-gpos-table.hh                    |  12 ++++++------
 ...se-minimized-hb-subset-fuzzer-5677906231033856 | Bin 0 -> 938 bytes
 2 files changed, 6 insertions(+), 6 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5677906231033856

diff --git a/src/hb-ot-layout-gpos-table.hh b/src/hb-ot-layout-gpos-table.hh
index e129ae418..024312d61 100644
--- a/src/hb-ot-layout-gpos-table.hh
+++ b/src/hb-ot-layout-gpos-table.hh
@@ -762,7 +762,7 @@ struct PairValueRecord
   friend struct PairSet;
 
   bool serialize (hb_serialize_context_t *c,
-                  unsigned size,
+                  unsigned length,
                   const hb_map_t &glyph_map) const
   {
     TRACE_SERIALIZE (this);
@@ -770,7 +770,7 @@ struct PairValueRecord
     if (unlikely (!c->extend_min (out))) return_trace (false);
     
     out->secondGlyph = glyph_map[secondGlyph];
-    return_trace (c->copy (values, size));
+    return_trace (c->copy (values, length));
   }
 
   protected:
@@ -871,16 +871,16 @@ struct PairSet
     const hb_set_t &glyphset = *c->plan->glyphset ();
     const hb_map_t &glyph_map = *c->plan->glyph_map;
 
-    unsigned len1 = valueFormats[0].get_size ();
-    unsigned len2 = valueFormats[1].get_size ();
-    unsigned record_size = HBUINT16::static_size + len1 + len2;
+    unsigned len1 = valueFormats[0].get_len ();
+    unsigned len2 = valueFormats[1].get_len ();
+    unsigned record_size = HBUINT16::static_size + Value::static_size * (len1 + len2);
 
     const PairValueRecord *record = &firstPairValueRecord;
     unsigned count = len, num = 0;
     for (unsigned i = 0; i < count; i++)
     {
       if (!glyphset.has (record->secondGlyph)) continue;
-      if (record->serialize (c->serializer, record_size, glyph_map)) num++;
+      if (record->serialize (c->serializer, len1 + len2, glyph_map)) num++;
       record = &StructAtOffset<const PairValueRecord> (record, record_size);
     }
 
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5677906231033856 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5677906231033856
new file mode 100644
index 0000000000000000000000000000000000000000..72147f60bb6ae40bde18ecf23d653890db495d4e
GIT binary patch
literal 938
zcmchVJx;?w5QV?pERusziijHR0XPB$abt-BBht`XC`m&A@gs2vaswn<PC(5qC^-pQ
z-mF6r<WxZ!YsT~5%+8yYjROX;)2g$2Yz62Y*}F;>*W2a1xwR_z=dP|<7r6m9Z=RNV
z?#0G*t+&D@*#>&sK8oA6;=k+Z=Q6A6y5g7-WwH2vgJR(?BJTC;6T->PyILYa(b1E`
zo>0^~=rLTTq&U*|`^Z=T&w+J^zL=qKn|lUAr`+%$kBn)!=ALsV%y{HV_%3(b4APWo
zPW}d``2}9OzZ<n3KI^y9Hru6KZa!4SP8kb_nMLOf+uhpS<$Ql)cQp_6rQ@=DF_zoy
It+q1p2X2jXqyPW_

literal 0
HcmV?d00001