From 798e98c47bd9fa4d434487ae92e2c88ebb8a19a5 Mon Sep 17 00:00:00 2001 From: Michiharu Ariza Date: Wed, 12 Dec 2018 18:08:15 -0800 Subject: [PATCH] [CFF] bad offset in Index (#1476) * Update hb-ot-cff-common.hh * fix bug * bummer fix wasn't hit. refix * additional sanity check * Added test cases for oss-fuzz issues 11805, 11806
---
 src/hb-ot-cff-common.hh | 10 ++++++++-- ...clusterfuzz-testcase-hb-subset-fuzzer-5643036478930944 | Bin 0 -> 369 bytes ...clusterfuzz-testcase-hb-subset-fuzzer-5686186874503168 | Bin 0 -> 962 bytes 3 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5643036478930944 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5686186874503168
diff --git a/src/hb-ot-cff-common.hh b/src/hb-ot-cff-common.hh
index efd8545..8bd1319 100644
--- a/src/hb-ot-cff-common.hh
+++ b/src/hb-ot-cff-common.hh
@@ -200,7 +200,13 @@ struct CFFIndex
 }

 inline unsigned int length_at (unsigned int index) const
- { return offset_at (index + 1) - offset_at (index); }
+ {
+ if (likely ((offset_at (index + 1) >= offset_at (index)) &&
+ (offset_at (index + 1) <= offset_at (count))))
+ return offset_at (index + 1) - offset_at (index);
+ else
+ return 0;
+ }

 inline const char *data_base (void) const
 { return (const char *)this + min_size + offset_array_size (); }
@@ -211,7 +217,7 @@ struct CFFIndex
 inline ByteStr operator [] (unsigned int index) const
 {
 if (likely (index < count))
- return ByteStr (data_base () + offset_at (index) - 1, offset_at (index + 1) - offset_at (index));
+ return ByteStr (data_base () + offset_at (index) - 1, length_at (index));
 else
 return Null(ByteStr);
 }
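Review bot: The new `length_at` still reads `offset_at (index + 1)` without checking `index < count`, so any caller other than `operator []` (which guards the index itself) can read past the offset array; the added range check also calls `offset_at` up to six times and never rejects a start offset of 0, which the `- 1` in `operator []` turns into a pointer one byte before `data_base ()`. Checking the index first and caching both offsets in locals keeps the comparison readable and lets the zero case be rejected together with the ordering check. Whether `offset_at (count)` is itself bounded against the end of the table is not visible in this hunk — presumably `sanitize ()` establishes that; worth confirming, since the zero-length `ByteStr` returned by the second hunk still carries the unchecked pointer. The second hunk (`operator []`) inherits whichever behaviour `length_at` ends up with, so no separate change is needed there.
```cpp
  inline unsigned int length_at (unsigned int index) const
  {
    if (unlikely (index >= count))
      return 0;
    unsigned int start = offset_at (index);
    unsigned int end = offset_at (index + 1);
    /* INDEX offsets are 1-based (see the "- 1" in operator []); a zero
     * start offset would point before data_base (), so reject it too. */
    if (likely ((start >= 1) && (start <= end) && (end <= offset_at (count))))
      return end - start;
    return 0;
  }
```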
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5643036478930944 b/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5643036478930944 new file mode 100644 index 0000000000000000000000000000000000000000..9a52336e3678d61f4dbc5b7b7e0bdcdab76947f3 GIT binary patch literal 369 zcmeYd3Grv(VQ64rW^izJb5qD_|8$Lkf#C`e&vtilbz=}@U}9ik`U2#Oxd-?MyOjBq zGB7an0Qm~;!J$qoRxHv2@^ygx3I4(QCSlwOmJAH{ZvgoT$+?LI4AM-Cf%;4S{r?}I zk*biwC$E&jz`$4llsC)BNKIrhU=jxMw*dJn8M!4DOoteZfczCeK38sHMF9hI0FcRW z28h{;6LV9UQ@A;R=2-ywRt5RRCI8z%>X|_9RbXHMs$~Z1W?*4tU}R+E2+hkZNi8k` zv6X)CGyITY{2|NqLy!4~1k0Zvp=l*{K0CSjNjsO4v literal 0 HcmV?d00001 diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5686186874503168 b/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5686186874503168 new file mode 100644 index 0000000000000000000000000000000000000000..86f4ad7aedc4cc59aaba8ecda660ba9ceb962300 GIT binary patch literal 962 zcmZvaT}TvB6vxl(x>wU_(`^+ct!tW?l%-e@J%mZE8MV6Gr&u}e+;+!ycb1uHbI~#= zDp2d8=nFHYNPYmjGng)+0=k$;PUE0M7Tw>mwKtzmPkazY4iL5;M9) zK{$Y1jGP;jx)O8N@EMuJr5LN2-1H9hajgF}q3TBZ4Af$OC<9HRUyfF^5bM7}E>EJL zON7(NQ^+_MwwZyMkl_G95WG88Lk&uCy`gFQ>HrHLjY^sw_wgmXxKCWcO9Z~u!I%Bb z{OGi*MCZ(jnR_JwISD*6b6x$HOJLyCl)GPChJkciT+SO8aX;o+VmWWmg9TUx2yS;6 zCg3@|1xv^m*44{u2iqpIxS<%S1~rk=lyJnLwQFnY=&VMADcxW(oojZ159UH(hk}aP(`N_H8e?PF-bc@)x*@Ms^KWJ4XUXWmuXB&(GEs67FN(& zV=`6ZG{iJR!f)qFP0?i~WGHG}uby?ZmqKwXSZQ`E{{`pS+UojfA|iD#LkZ2N`dD1n z=9e1xDzXuoFR58madx{YDQaKuh7Y5^k2&Y=PjG?*Uy%bTL-^!y`7gP5&}?&mL7JGk zX6wk<$oS~fq6=j7;O)aBVbf!^7XBjE02j?}ujN`vtSqY~sib0Bd(l~^0 zErsR8?6#&|?gs@Q$xAbMW$eb}^(W{vc<@@=)$nU8SooD#Yk8JgX{KFkNTb!%tMte{ z61sFx9Dme%Z;RPfSVhcA>!-_&tqBYAib^>ZE6z`sd3dQBdXJb&l&b6)<#JH06X;^NtdI9TwR{4!gI#)cja+kM