From 25a5b287f220802728cd3312692f368c45d22862 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Fri, 10 May 2019 16:01:39 -0700
Subject: [PATCH] Fix sanitize fail of extension sublookups

Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=960331
---
 src/hb-ot-layout-common.hh | 10 ++++++++--
 src/hb-sanitize.hh | 2 ++
 ...uzz-testcase-minimized-harfbuzz_fuzzer-5702671124791296 | Bin 0 -> 94 bytes
 3 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5702671124791296

diff --git a/src/hb-ot-layout-common.hh b/src/hb-ot-layout-common.hh
index ac91451..478e66c 100644
--- a/src/hb-ot-layout-common.hh
+++ b/src/hb-ot-layout-common.hh
@@ -751,12 +751,18 @@ struct Lookup
     if (unlikely (!get_subtables ().sanitize (c, this, get_type ())))
       return_trace (false);
 
-    if (unlikely (get_type () == TSubTable::Extension))
+    if (unlikely (get_type () == TSubTable::Extension && !c->get_edit_count ()))
     {
       /* The spec says all subtables of an Extension lookup should
        * have the same type, which shall not be the Extension type
        * itself (but we already checked for that).
-       * This is specially important if one has a reverse type! */
+       * This is specially important if one has a reverse type!
+       *
+       * We only do this if sanitizer edit_count is zero. Otherwise,
+       * some of the subtables might have become insane after they
+       * were sanity-checked by the edits of subsequent subtables.
+       * https://bugs.chromium.org/p/chromium/issues/detail?id=960331
+       */
       unsigned int type = get_subtable (0).u.extension.get_type ();
       unsigned int count = get_subtable_count ();
       for (unsigned int i = 1; i < count; i++)
diff --git a/src/hb-sanitize.hh b/src/hb-sanitize.hh
index 5ecd2d2..5f5b4bd 100644
--- a/src/hb-sanitize.hh
+++ b/src/hb-sanitize.hh
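Review bot: With the added `&& !c->get_edit_count ()`, the check that all subtables of an Extension lookup share one type is skipped for the whole lookup as soon as the sanitizer has applied any edit, and the new comment explains why it is skipped but not how the invariant is still enforced afterwards. The counter appears to be a per-pass total on the sanitize context rather than something scoped to this lookup, so an edit made while sanitizing an earlier, unrelated table would also disable this check here; if the driver re-runs a clean pass with the counter at zero after edits (not visible in this hunk), the comment should state that, e.g. `* The sanitizer re-runs a clean pass after any edit, so this check is still enforced then.`, otherwise a mixed-type lookup that also needed an unrelated edit would now pass. The comparison loop body and the remainder of sanitize() lie outside the hunk.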
@@ -211,6 +211,8 @@ struct hb_sanitize_context_t :
     this->start = this->end = nullptr;
   }
 
+  unsigned get_edit_count () { return edit_count; }
+
   bool check_range (const void *base,
                     unsigned int len) const
   {
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5702671124791296 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5702671124791296
new file mode 100644
index 0000000000000000000000000000000000000000..9ecc7f16be2128be18d43f5b2173514ec21ce879
GIT binary patch
literal 94
zcmZQzWME)m24bxfyaDbEj0`SXZW4cif>sR1?!lo>(sw1R2
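Review bot: The new accessor `unsigned get_edit_count () { return edit_count; }` is not a const member function even though it only reads a member, while the neighbouring `check_range` is declared `const`; write it as `unsigned get_edit_count () const { return edit_count; }` so it can be called on a const context and matches the surrounding style. A one-line comment saying what the counter records would help callers that use it to gate validation, e.g. `/* Number of edits applied so far in the current sanitize pass. */` — presumably that is what edit_count counts, to be confirmed against where it is incremented and reset. The enclosing struct continues outside the hunk.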