From: Michiharu Ariza
Date: Thu, 13 Dec 2018 02:08:15 +0000 (-0800)
Subject: [CFF] bad offset in Index (#1476)
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=798e98c47bd9fa4d434487ae92e2c88ebb8a19a5;p=platform%2Fupstream%2FlibHarfBuzzSharp.git
[CFF] bad offset in Index (#1476)
* Update hb-ot-cff-common.hh
* fix bug
* bummer fix wasn't hit. refix
* additional sanity check
* Added test cases for oss-fuzz issues 11805, 11806
---
diff --git a/src/hb-ot-cff-common.hh b/src/hb-ot-cff-common.hh
index efd8545..8bd1319 100644
--- a/src/hb-ot-cff-common.hh
+++ b/src/hb-ot-cff-common.hh
@@ -200,7 +200,13 @@ struct CFFIndex
}
inline unsigned int length_at (unsigned int index) const
- { return offset_at (index + 1) - offset_at (index); }
+ {
+ if (likely ((offset_at (index + 1) >= offset_at (index)) &&
+ (offset_at (index + 1) <= offset_at (count))))
+ return offset_at (index + 1) - offset_at (index);
+ else
+ return 0;
+ }
inline const char *data_base (void) const
{ return (const char *)this + min_size + offset_array_size (); }
@@ -211,7 +217,7 @@ struct CFFIndex
inline ByteStr operator [] (unsigned int index) const
{
if (likely (index < count))
- return ByteStr (data_base () + offset_at (index) - 1, offset_at (index + 1) - offset_at (index));
+ return ByteStr (data_base () + offset_at (index) - 1, length_at (index));
else
return Null(ByteStr);
}
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5643036478930944 b/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5643036478930944
new file mode 100644
index 0000000..9a52336
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5643036478930944 differ
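Review bot: The new guard in length_at still accepts `offset_at (index) == 0`, and the second hunk in this file then computes `data_base () + offset_at (index) - 1`, a pointer one byte before the data area, with a length that the guard reports as valid; CFF INDEX offsets are 1-based, so the lower bound `offset_at (index) >= 1` should be part of the same check unless offset_at or a sanitize() outside this hunk already guarantees it, which these hunks do not show. The condition also re-decodes offset_at (index + 1) three times and offset_at (index) twice; reading the three offsets once into locals makes the bounds readable and cheaper. A short comment such as `/* caller must ensure index < count; offset_at (index + 1) is read unchecked */` would record the precondition that operator [] enforces but length_at itself does not. struct CFFIndex and its remaining members begin and end outside these hunks.
```cpp
  inline unsigned int length_at (unsigned int index) const
  {
    /* caller must ensure index < count; offset_at (index + 1) is read unchecked */
    unsigned int start = offset_at (index);
    unsigned int end = offset_at (index + 1);
    unsigned int limit = offset_at (count);
    /* offsets are 1-based: start >= 1 keeps data_base () + start - 1 inside the data */
    if (likely (start >= 1 && start <= end && end <= limit))
      return end - start;
    return 0;
  }
```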
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5686186874503168 b/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5686186874503168
new file mode 100644
index 0000000..86f4ad7
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5686186874503168 differ