[SingleSubstFormat1] Don't close glyphs in degenerate cases

Fixes https://oss-fuzz.com/testcase-detail/5145429829877760
Behdad Esfahbod 2022-07-29 11:57:57 -06:00
parent 3da50c50aa
commit f7677213d7
1 changed files with 12 additions and 0 deletions


@ -45,6 +45,18 @@ struct SingleSubstFormat1_3
hb_set_t intersection; hb_set_t intersection;
(this+coverage).intersect_set (c->parent_active_glyphs (), intersection); (this+coverage).intersect_set (c->parent_active_glyphs (), intersection);
/* In degenerate fuzzer-found fonts, but not real fonts,
* this table can keep adding new glyphs in each round of closure.
* Refuse to close-over, if it maps glyph range to overlapping range. */
hb_codepoint_t min_before = intersection.get_min ();
hb_codepoint_t max_before = intersection.get_max ();
hb_codepoint_t min_after = (min_before + d) & mask;
hb_codepoint_t max_after = (min_before + d) & mask;
if ((this+coverage).get_population () >= max_before - min_before &&
((min_before <= min_after && min_after <= max_before) ||
(min_before <= max_after && max_after <= max_before)))
return;
+ hb_iter (intersection) + hb_iter (intersection)
| hb_map ([d, mask] (hb_codepoint_t g) { return (g + d) & mask; }) | hb_map ([d, mask] (hb_codepoint_t g) { return (g + d) & mask; })
| hb_sink (c->output) | hb_sink (c->output)
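Review bot: `max_after` is computed from `min_before` (`hb_codepoint_t max_after = (min_before + d) & mask;`), so it always equals `min_after` and the second overlap test only repeats the first; it should read `hb_codepoint_t max_after = (max_before + d) & mask;`. As written, a mapping whose shifted upper end falls inside the source range while the shifted lower end does not is not caught, so the runaway-closure guard added for fuzzer-found fonts is narrower than its comment says. The density test also compares the population of the whole coverage table with the span of `intersection`; using `intersection.get_population ()` would match what the comment describes. An empty `intersection` probably deserves an explicit early return before `get_min ()`/`get_max ()` are used, though their empty-set results are not visible here. The enclosing function starts and ends outside the hunk.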