If the table is kept, when the table is present but only the accelerator
allocation failed, then we run into nullptr dereferences downstream in
hb_ot_map_t::apply when trying to access proxy.accels[i].
To fix this, instead of only setting lookup_count of accelerator_t
itself, drop the whole table to avoid hb-ot-map construction assuming
that the lookups will work correctly despite accelerator allocation
having failed.
Fixes:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24490https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24490
First time we do this in a way that if target object doesn't have the matching
function we basically "ignore". Risky but I feel like is the right decision
for this case.
I'm going to put back the template varargs and use those, which would make
the dispatcher be just that: "dispatcher", and wouldn't need to carry the
call context. That would be a refreshing change I think.
In file included from hb-ot-face.cc:34:
In file included from ./hb-ot-kern-table.hh:30:
In file included from ./hb-aat-layout-kerx-table.hh:31:
In file included from ./hb-kern.hh:32:
In file included from ./hb-ot-layout-gpos-table.hh:32:
./hb-ot-layout-gsubgpos.hh:1878:63: error: loop variable '_' binds to a temporary value produced by a range of type 'decltype((hb_forward<hb_filter_iter_factory_t<hb_map_t &, const (anonymous struct at ./hb-algs.hh:331:1) &>>(rhs)(hb_forward<hb_zip_iter_t<hb_iota_iter_t<unsigned int, unsigned int>, hb_array_t<const OT::OffsetTo<OT::RuleSet, OT::IntType<unsigned short, 2>, true>>>>(lhs))))' (aka 'hb_filter_iter_t<hb_zip_iter_t<hb_iota_iter_t<unsigned int, unsigned int>, hb_array_t<const OT::OffsetTo<OT::RuleSet, OT::IntType<unsigned short, 2>, true>>>, hb_map_t &, const (anonymous struct at ./hb-algs.hh:331:1) &>') [-Werror,-Wrange-loop-bind-reference]
for (const hb_pair_t<unsigned, const OffsetTo<RuleSet>&>& _ : + hb_enumerate (ruleSet)
^
./hb-ot-layout-gsubgpos.hh:1878:10: note: use non-reference type 'hb_pair_t<unsigned int, const OffsetTo<OT::RuleSet> &>'
for (const hb_pair_t<unsigned, const OffsetTo<RuleSet>&>& _ : + hb_enumerate (ruleSet)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
hb_shape_plan_key_t::equal expects hb_ot_shape_plan_key_t be initialized by
hb_ot_layout_table_find_feature_variations calls but it won't get initialized
when HB_NO_VAR build config is used.
Related to https://github.com/harfbuzz/harfbuzz/issues/2280
Behdad Esfahbod
Dominik Röttsches
Garret Rieger
Ebrahim Byagowi
Qunxin Liu
ariza