[CFF] bad offset in Index (#1476)
authorMichiharu Ariza <ariza@adobe.com>
Thu, 13 Dec 2018 02:08:15 +0000 (18:08 -0800)
committerBehdad Esfahbod <behdad@behdad.org>
Thu, 13 Dec 2018 02:08:15 +0000 (21:08 -0500)
* Update hb-ot-cff-common.hh

* fix bug

* bummer fix wasn't hit. refix

* additional sanity check

* Added test cases for oss-fuzz issues 11805, 11806

src/hb-ot-cff-common.hh
test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5643036478930944 [new file with mode: 0644]
test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5686186874503168 [new file with mode: 0644]

index efd8545..8bd1319 100644 (file)
@@ -200,7 +200,13 @@ struct CFFIndex
   }
 
   inline unsigned int length_at (unsigned int index) const
-  { return offset_at (index + 1) - offset_at (index); }
+  {
+       if (likely ((offset_at (index + 1) >= offset_at (index)) &&
+                   (offset_at (index + 1) <= offset_at (count))))
+         return offset_at (index + 1) - offset_at (index);
+       else
+         return 0;
+  }
 
   inline const char *data_base (void) const
   { return (const char *)this + min_size + offset_array_size (); }
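Review bot: The new guard in length_at bounds the end offset against offset_at (count) but never checks index itself, so offset_at (index + 1) is still read past the count + 1 offset entries when index >= count, and index + 1 wraps for UINT_MAX. The only caller visible here, operator [] in the next hunk, checks index < count first, but length_at is a public member and the precondition is not stated anywhere in the hunk; an explicit `if (unlikely (index >= count)) return 0;` at the top makes the function safe on its own. As a point of style, offset_at is decoded four times for three distinct values; naming them once keeps the comparison readable and makes the precondition obvious. The rest of struct CFFIndex lies outside the hunk.
```cpp
  inline unsigned int length_at (unsigned int index) const
  {
    /* Guard the offset-array read: entries run 0..count inclusive. */
    if (unlikely (index >= count))
      return 0;
    unsigned int start = offset_at (index);
    unsigned int end   = offset_at (index + 1);
    unsigned int last  = offset_at (count);
    /* Reject non-monotonic or out-of-data offsets instead of underflowing. */
    if (likely (start <= end && end <= last))
      return end - start;
    return 0;
  }
```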
@@ -211,7 +217,7 @@ struct CFFIndex
   inline ByteStr operator [] (unsigned int index) const
   {
     if (likely (index < count))
-      return ByteStr (data_base () + offset_at (index) - 1, offset_at (index + 1) - offset_at (index));
+      return ByteStr (data_base () + offset_at (index) - 1, length_at (index));
     else
       return Null(ByteStr);
   }
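Review bot: The new operator [] line still forms its data pointer as data_base () + offset_at (index) - 1 without validating the start offset; CFF INDEX offsets are 1-based, so a malformed offset of 0 (which the new length_at guard does not reject, since 0 <= end holds) yields a ByteStr beginning one byte before the data area. Whether this matters depends on whether sanitize already rejects a zero first offset, which is not visible in this hunk. If it does not, tightening the condition to `if (likely (index < count && offset_at (index) >= 1))` closes the gap for the cost of one extra offset read; otherwise a one-line comment stating that offsets are validated to be >= 1 at sanitize time would document why the subtraction is safe.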
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5643036478930944 b/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5643036478930944
new file mode 100644 (file)
index 0000000..9a52336
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5643036478930944 differ
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5686186874503168 b/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5686186874503168
new file mode 100644 (file)
index 0000000..86f4ad7
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5686186874503168 differ