Fix invalid buffer access in OOM times

Hopefully fully fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1856
2017-11-14 15:47:55 -08:00 · 2017-11-14 15:47:55 -08:00 · e5930722d4
parent fcd6c338ff
commit e5930722d4
1 changed files with 2 additions and 1 deletions
--- a/src/hb-ot-layout-gsubgpos-private.hh
+++ b/src/hb-ot-layout-gsubgpos-private.hh
@ -1002,7 +1002,8 @@ static inline bool apply_lookup (hb_apply_context_t *c,
    if (idx == 0 && lookupRecord[i].lookupListIndex == c->lookup_index)
      continue;

-    buffer->move_to (match_positions[idx]);
+    if (unlikely (!buffer->move_to (match_positions[idx])))
+      break;

    unsigned int orig_len = buffer->backtrack_len () + buffer->lookahead_len ();
    if (!c->recurse (lookupRecord[i].lookupListIndex))