From e940530c9723c3a581a5d5b31e5f419865dd6cc7 Mon Sep 17 00:00:00 2001 From: Behdad Esfahbod Date: Thu, 11 Oct 2018 15:56:17 -0400 Subject: [PATCH] [aat] Fix mul overflow Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10897 --- src/hb-aat-layout-common.hh | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/src/hb-aat-layout-common.hh b/src/hb-aat-layout-common.hh index 78a27a74c..5be3d372e 100644 --- a/src/hb-aat-layout-common.hh +++ b/src/hb-aat-layout-common.hh @@ -386,6 +386,8 @@ struct StateTable const HBUINT16 *states = (this+stateArrayTable).arrayZ; const Entry *entries = (this+entryTable).arrayZ; + unsigned int num_classes = nClasses; + unsigned int num_states = 1; unsigned int num_entries = 0; @@ -393,13 +395,16 @@ struct StateTable unsigned int entry = 0; while (state < num_states) { + if (unlikely (hb_unsigned_mul_overflows (num_classes, states[0].static_size))) + return_trace (false); + if (unlikely (!c->check_array (states, num_states, - states[0].static_size * nClasses))) + num_classes * states[0].static_size))) return_trace (false); { /* Sweep new states. */ - const HBUINT16 *stop = &states[num_states * nClasses]; - for (const HBUINT16 *p = &states[state * nClasses]; p < stop; p++) + const HBUINT16 *stop = &states[num_states * num_classes]; + for (const HBUINT16 *p = &states[state * num_classes]; p < stop; p++) num_entries = MAX (num_entries, *p + 1); state = num_states; }