From ffe06c8f0498d7f5fe53c76e9d6fba9127997258 Mon Sep 17 00:00:00 2001 From: Ebrahim Byagowi Date: Sat, 8 Aug 2020 13:17:34 +0430 Subject: [PATCH] [glyf] Guard all the public APIs against null pool runs Fixes https://crbug.com/oss-fuzz/24575 and https://crbug.com/oss-fuzz/24737 --- src/hb-ot-glyf-table.hh | 17 ++++++++++++----- ...e-minimized-hb-draw-fuzzer-5103082208493568 | Bin 0 -> 1069 bytes ...e-minimized-hb-draw-fuzzer-5641612227772416 | Bin 0 -> 1069 bytes 3 files changed, 12 insertions(+), 5 deletions(-) create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-draw-fuzzer-5103082208493568 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-draw-fuzzer-5641612227772416 diff --git a/src/hb-ot-glyf-table.hh b/src/hb-ot-glyf-table.hh index e42ef6475..6118df396 100644 --- a/src/hb-ot-glyf-table.hh +++ b/src/hb-ot-glyf-table.hh @@ -839,10 +839,10 @@ struct glyf loca_table = nullptr; glyf_table = nullptr; #ifndef HB_NO_VAR - gvar = &Null (gvar_accelerator_t); + gvar = nullptr; #endif - hmtx = &Null (hmtx_accelerator_t); - vmtx = &Null (vmtx_accelerator_t); + hmtx = nullptr; + vmtx = nullptr; face = face_; const OT::head &head = *face->table.head; if (head.indexToLocFormat > 1 || head.glyphDataFormat > 0) @@ -901,7 +901,6 @@ struct glyf return true; } - public: #ifndef HB_NO_VAR struct points_aggregator_t { @@ -960,9 +959,12 @@ struct glyf contour_point_t *get_phantoms_sink () { return phantoms; } }; + public: unsigned get_advance_var (hb_font_t *font, hb_codepoint_t gid, bool is_vertical) const { + if (unlikely (gid >= num_glyphs)) return 0; + bool success = false; contour_point_t phantoms[PHANTOM_COUNT]; @@ -980,6 +982,8 @@ struct glyf int get_side_bearing_var (hb_font_t *font, hb_codepoint_t gid, bool is_vertical) const { + if (unlikely (gid >= num_glyphs)) return 0; + hb_glyph_extents_t extents; contour_point_t phantoms[PHANTOM_COUNT]; 
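Review bot: With `gvar`, `hmtx` and `vmtx` now reset to `nullptr` rather than `&Null (...)`, every later dereference of these members (for example `gvar->get_axis_count ()` in get_extents further down this patch) depends on no public entry point getting past its gid check while init has returned early; the early return after `if (head.indexToLocFormat > 1 || head.glyphDataFormat > 0)` begins in this hunk, but its body, and whether num_glyphs is left at 0 on that path, lie outside it. A read of a Null object was harmless, whereas a null dereference is a crash, so the invariant the new guards rely on deserves a comment at the reset site, e.g. `/* Left null when init() bails out; every public API checks gid < num_glyphs (expected to be 0 then) before touching these. */`, with the wording adjusted if num_glyphs is not actually zero on that path. The enclosing init function starts before this hunk.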
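Review bot: The new `if (unlikely (gid >= num_glyphs)) return 0;` guards in get_advance_var here and in get_side_bearing_var (the @@ -980 hunk) carry no explanation, and a return of 0 is the same value a genuine zero-advance or zero-bearing glyph produces, so a reader cannot tell the check is an error exit rather than a fast path. A one-line comment on each would fix that: `/* Out-of-range gid: report 0 like a missing glyph; also keeps the var-table lookups below from running on an uninitialised accelerator. */`. The second half presumably describes the crash these guards stop, but the lookups themselves are outside the hunk, so confirm before keeping it. Both functions continue past the end of their hunks.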
@@ -992,9 +996,11 @@ struct glyf } #endif + public: bool get_extents (hb_font_t *font, hb_codepoint_t gid, hb_glyph_extents_t *extents) const { if (unlikely (gid >= num_glyphs)) return false; + #ifndef HB_NO_VAR if (font->num_coords && font->num_coords == gvar->get_axis_count ()) return get_points (font, gid, points_aggregator_t (font, this, extents, nullptr)); @@ -1005,9 +1011,10 @@ struct glyf const Glyph glyph_for_gid (hb_codepoint_t gid, bool needs_padding_removal = false) const { - unsigned int start_offset, end_offset; if (unlikely (gid >= num_glyphs)) return Glyph (); + unsigned int start_offset, end_offset; + if (short_offset) { const HBUINT16 *offsets = (const HBUINT16 *) loca_table->dataZ.arrayZ; diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-draw-fuzzer-5103082208493568 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-draw-fuzzer-5103082208493568 new file mode 100644 index 0000000000000000000000000000000000000000..dc419f0aa0f5cc25aa2fbeb41d9bfa9dfa1f2fe8 GIT binary patch literal 1069 zcmds0JxD@P6#ni@MJ+1GF~vfnDI*#Ua)_j;pu(-__DCh(D={%^2m_O74VrC@XmBZ- z8XF?$XK!z6X$pFM_h~5&QAA4z?$7s~bI&{X-0wjE=n#mb7(;(_8gNC(!~`_=+FrT> zh$3-hY9>4|H?cvVxFTMdnT^gCLi>JTI7mDhk4LA2;ZP5tsc}zEmpPfSjL;^~G)UZ| zn=*}(c1yefych}kcXzHIiS3+8Vm%4ua`Ye ze=fBo-OFvP7ieexoSDrxpE*VqcK8Y&h&!NDrNXe{KCH#Au9GEd7q}o@!T|!x=IuFf zU0u{{)vV6cc0BgauFD%~$yBx(Vx3!b54K_q^T^okVY9-oxKxhs%a4us2N~b^hJPWy zCsrQEYW`h*XJ5(>zmy+zYNBkF*^;VJe6-#wfW}qUhKkVn|0tKP^hTjRbM?UmZ-ZbR Q6luXzP~kri?D;2q0|3F@AOHXW literal 0 HcmV?d00001 
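Review bot: `gvar->get_axis_count ()` is still dereferenced unconditionally once the gid check passes and `font->num_coords` is non-zero, and the first hunk of this patch now resets `gvar` to `nullptr` instead of a Null object, so this line is safe only if a non-zero num_glyphs implies gvar was assigned, which get_extents cannot verify from here. Making the condition explicit costs one token and leaves the non-variable path below as the fallback: `if (font->num_coords && gvar && font->num_coords == gvar->get_axis_count ())`. The function body continues past the hunk.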
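Review bot: `unsigned int start_offset, end_offset;` is moved below the gid check but is still declared uninitialised, so any branch of `if (short_offset)` (the else side is outside the hunk) that fails to assign both leaves them indeterminate when they are read later. Since the declaration is being touched anyway, initialise it: `unsigned int start_offset = 0, end_offset = 0;`, or declare each variable on its own line at first use in the usual one-declaration-per-line style. glyph_for_gid continues past the end of the hunk.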
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-draw-fuzzer-5641612227772416 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-draw-fuzzer-5641612227772416 new file mode 100644 index 0000000000000000000000000000000000000000..094f7d3ba006b49e2b5eb48904ddaf0939ff4cb1 GIT binary patch literal 1069 zcma)4Pe_wt9Dd$!-~KN)aXOGSK4D0Qn4&}%!>zJ}kb%lNC4SA#5t|NMYwJ)8Dxy;m zU1MH4M0N0zM~@yNC_L36gdlKGqIgi5U(Y)?Svtxe?EU?o-}CmZ;TeniI2on;}emIQt-uTAgmED##pcQ273Ty zl{l{F^?4&5ya$*DhJ-0}Y#O1oZw|Y}BoZsE5KFKAsE&j6mRlv9{KVI?QqYBnAXuMo}#$ zvuaip6>w|Z3V0{VebOUx`C^ot>xfT(-QVO_xkOZhSdg6fro5ul!X|!&Ky69S-`4$b zNVt4mKCidK=XSNZyK3DbF1`F^a$s-2I#yM7cegg%oEEFqYIpfU)=H(aBiKdVTUR@) z9qlH_>1pyuTPR%71M~SBg+pP1#0>|ASsT@|YvU9|wC^`Oz zs7QaaBBxHIi2s-(94{5IVJs3G^}XZSvRDX(jsKxY g