Fix fuzzer crash testcase
authorQunxin Liu <qxliu@google.com>
Fri, 24 May 2019 17:58:52 +0000 (10:58 -0700)
committerBehdad Esfahbod <behdad@behdad.org>
Fri, 24 May 2019 19:26:20 +0000 (15:26 -0400)
Add a check for stringOffset (uint16) overflow;
return early if an overflow happens.

src/hb-ot-name-table.hh
test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5077547978588160 [new file with mode: 0644]
test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5761434614497280 [new file with mode: 0644]

index 6c75cc3..4eda467 100644 (file)
@@ -186,7 +186,7 @@ struct name
 
     auto snap = c->snapshot ();
     this->nameRecordZ.serialize (c, this->count);
-    this->stringOffset = c->length ();
+    if (unlikely (!c->check_assign (this->stringOffset, c->length ()))) return_trace (false);
     c->revert (snap);
 
     const void *dst_string_pool = &(this + this->stringOffset);
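Review bot: The early return on the new line skips the `c->revert (snap)` that follows it, so the speculatively serialized nameRecordZ is left in the serializer buffer when the offset does not fit. That is only harmless because `check_assign` also puts the context into its error state, which the caller must honour, and the one-line form hides that reliance; a comment above the check would make it explicit, e.g. `/* stringOffset is narrow: if the records alone exceed its range, fail (check_assign flags the context) rather than let the offset wrap. */`. The uint16 width is stated in the commit message but not visible in the hunk, so readers of this line cannot tell which field is narrow without that note. The enclosing function starts and ends outside the hunk.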
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5077547978588160 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5077547978588160
new file mode 100644 (file)
index 0000000..37bb009
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5077547978588160 differ
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5761434614497280 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5761434614497280
new file mode 100644 (file)
index 0000000..0060ade
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5761434614497280 differ