From 32cc46c75a5f163f254b7998ed9193d5bbc85e4b Mon Sep 17 00:00:00 2001 From: Michiharu Ariza Date: Tue, 4 Dec 2018 21:32:34 -0800 Subject: [PATCH] [CFF] fix oss-fuzz issue 11670: NULL dereference (#1450) * guard against no subr access * code tweak * add minimized testcase for oss-fuzz 11670 (Null deference) --- src/hb-cff-interp-cs-common.hh | 22 ++++++++++++++++----- src/hb-ot-cff-common.hh | 2 +- ...ase-minimized-hb-subset-fuzzer-5672913680728064 | Bin 0 -> 861 bytes 3 files changed, 18 insertions(+), 6 deletions(-) create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5672913680728064 diff --git a/src/hb-cff-interp-cs-common.hh b/src/hb-cff-interp-cs-common.hh index 85546fc..067dc1c 100644 --- a/src/hb-cff-interp-cs-common.hh +++ b/src/hb-cff-interp-cs-common.hh @@ -65,7 +65,7 @@ struct BiasedSubrs inline void init (const SUBRS &subrs_) { subrs = &subrs_; - unsigned int nSubrs = subrs_.count; + unsigned int nSubrs = get_count (); if (nSubrs < 1240) bias = 107; else if (nSubrs < 33900) @@ -76,8 +76,20 @@ struct BiasedSubrs inline void fini (void) {} - const SUBRS *subrs; + inline unsigned int get_count (void) const { return (subrs == nullptr)? 0: subrs->count; } + inline unsigned int get_bias (void) const { return bias; } + + inline ByteStr operator [] (unsigned int index) const + { + if (unlikely ((subrs == nullptr) || index >= subrs->count)) + return Null(ByteStr); + else + return (*subrs)[index]; + } + + protected: unsigned int bias; + const SUBRS *subrs; }; struct Point @@ -137,8 +149,8 @@ struct CSInterpEnv : InterpEnv inline bool popSubrNum (const BiasedSubrs& biasedSubrs, unsigned int &subr_num) { int n = SUPER::argStack.pop_int (); - n += biasedSubrs.bias; - if (unlikely ((n < 0) || ((unsigned int)n >= biasedSubrs.subrs->count))) + n += biasedSubrs.get_bias (); + if (unlikely ((n < 0) || ((unsigned int)n >= biasedSubrs.get_count ()))) return false; subr_num = (unsigned int)n; 
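Review bot: The thresholds 1240 and 33900 in init are left unexplained next to the new get_count () call, so a reader cannot tell whether they are tunable or mandated. A one-line comment naming the rule would settle it: `/* Subroutine bias as defined by the Type 2 Charstring Format spec: 107 below 1240 subrs, 1131 below 33900, else 32768. */`. init's remaining branches fall outside the hunk.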
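Review bot: The nullptr checks in get_count and operator [] only help if subrs actually holds nullptr when no subroutine table was supplied, yet nothing in this hunk ever stores it: the struct has no visible default initialisation and fini leaves subrs pointing at the previous SUBRS. Unless the enclosing environment zero-fills the object before use (not visible here), consider `inline void fini (void) { subrs = nullptr; }` so that a BiasedSubrs touched after fini hits the guard instead of a stale pointer. The `index >= subrs->count` test duplicates the one CFFIndex::operator [] performs in the second file, which is reasonable defence in depth but deserves a short comment so a later cleanup does not drop the wrong one.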
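Review bot: `n += biasedSubrs.get_bias ()` is signed arithmetic on a value taken straight from the charstring argument stack; if pop_int can return values near INT_MAX (its range is not visible here) the addition overflows before the `n < 0` test runs, which is undefined behaviour rather than a rejected operand. A pre-check keeps the existing logic intact: `if (unlikely (n > INT_MAX - (int) biasedSubrs.get_bias ())) return false;` placed immediately before the addition, safe because get_bias () is at most 32768. popSubrNum's body continues past the end of the hunk.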
@@ -158,7 +170,7 @@ struct CSInterpEnv : InterpEnv context.substr = SUPER::substr; callStack.push (context); - context.init ( (*biasedSubrs.subrs)[subr_num], type, subr_num); + context.init ( biasedSubrs[subr_num], type, subr_num); SUPER::substr = context.substr; } diff --git a/src/hb-ot-cff-common.hh b/src/hb-ot-cff-common.hh index e824dae..2c16500 100644 --- a/src/hb-ot-cff-common.hh +++ b/src/hb-ot-cff-common.hh @@ -208,7 +208,7 @@ struct CFFIndex inline unsigned int data_size (void) const { return HBINT8::static_size; } - ByteStr operator [] (unsigned int index) const + inline ByteStr operator [] (unsigned int index) const { if (likely (index < count)) return ByteStr (data_base () + offset_at (index) - 1, offset_at (index + 1) - offset_at (index)); diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5672913680728064 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5672913680728064 new file mode 100644 index 0000000000000000000000000000000000000000..fdb5bff278850ce10e42e0f3fe90633942ed02a0 GIT binary patch literal 861 zcmeYd3Grv(Qvd^JH#acNz`*bYB7#c(N9B^t%OFulZem3NNDI(CZ$LCQ`>~0E)M5h+ z3;_%bED8#Y3M>i?jEo8*SQG)p8Qp&<{7~rTk;5X5Lr50rIEYJr`17d#_|2p8BSDaX blZinA6*2
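Review bot: `biasedSubrs[subr_num]` can now yield Null(ByteStr) when the subroutine table is missing, and context.init is handed that empty string with nothing on this line recording that the lookup failed; callSubr's signature lies before the hunk, so whether it can report failure is not visible. If callers always validate subr_num through popSubrNum first, this path is unreachable for a null table and the new operator [] check is pure defence in depth, which is worth stating: `/* subr_num was validated by popSubrNum; operator [] still yields Null(ByteStr) if subrs is missing */`. The enclosing function starts outside the hunk.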