From bcb4ecaf68c7219e89a801352bfc6a682b1581ef Mon Sep 17 00:00:00 2001
From: Michiharu Ariza <ariza@adobe.com>
Date: Wed, 12 Dec 2018 17:36:01 -0800
Subject: [PATCH] [CFF] check out of range FD index (#1477)

* add fd index checks to subr subsetter

also added oss-fuzz test case

* undid SubrSubsetParam::is_valid

because already validated by SubrClosures.valid
---
 src/hb-subset-cff-common.hh                              |  10 ++++++++++
 ...lusterfuzz-testcase-hb-subset-fuzzer-5762137968869376 | Bin 0 -> 2037 bytes
 2 files changed, 10 insertions(+)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5762137968869376

diff --git a/src/hb-subset-cff-common.hh b/src/hb-subset-cff-common.hh
index 7f3a12f..5a17b73 100644
--- a/src/hb-subset-cff-common.hh
+++ b/src/hb-subset-cff-common.hh
@@ -313,6 +313,8 @@ struct SubrFlattener
       hb_codepoint_t  glyph = glyphs[i];
       const ByteStr str = (*acc.charStrings)[glyph];
       unsigned int fd = acc.fdSelect->get_fd (glyph);
+      if (unlikely (fd >= acc.fdCount))
+      	return false;
       CSInterpreter<ENV, OPSET, FlattenParam> interp;
       interp.env.init (str, acc, fd);
       FlattenParam  param = { flat_charstrings[i], drop_hints };
@@ -684,6 +686,8 @@ struct SubrSubsetter
       hb_codepoint_t  glyph = glyphs[i];
       const ByteStr str = (*acc.charStrings)[glyph];
       unsigned int fd = acc.fdSelect->get_fd (glyph);
+      if (unlikely (fd >= acc.fdCount))
+      	return false;
 
       CSInterpreter<ENV, OPSET, SubrSubsetParam> interp;
       interp.env.init (str, acc, fd);
@@ -707,6 +711,8 @@ struct SubrSubsetter
       for (unsigned int i = 0; i < glyphs.len; i++)
       {
 	unsigned int fd = acc.fdSelect->get_fd (glyphs[i]);
+	if (unlikely (fd >= acc.fdCount))
+	  return false;
 	SubrSubsetParam  param;
 	param.init (&parsed_charstrings[i],
 		    &parsed_global_subrs,  &parsed_local_subrs[fd],
@@ -727,6 +733,8 @@ struct SubrSubsetter
       for (unsigned int i = 0; i < glyphs.len; i++)
       {
 	unsigned int fd = acc.fdSelect->get_fd (glyphs[i]);
+	if (unlikely (fd >= acc.fdCount))
+	  return false;
 	SubrSubsetParam  param;
 	param.init (&parsed_charstrings[i],
 		    &parsed_global_subrs,  &parsed_local_subrs[fd],
@@ -748,6 +756,8 @@ struct SubrSubsetter
     for (unsigned int i = 0; i < glyphs.len; i++)
     {
       unsigned int  fd = acc.fdSelect->get_fd (glyphs[i]);
+      if (unlikely (fd >= acc.fdCount))
+      	return false;
       if (unlikely (!encode_str (parsed_charstrings[i], fd, buffArray[i])))
 	return false;
     }
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5762137968869376 b/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5762137968869376
new file mode 100644
index 0000000000000000000000000000000000000000..dca0b7d5c85a09e856f4f6c98482e045a5dd3932
GIT binary patch
literal 2037
zcmaJ?Yj6|S6+TzH-d#&uTUe42Anc9nBqR`-P(r7Kq;?=srVREVhetvj3rV(QuvU>)
zeh_0DVdDpqumv)<gTW8dG{s<uVqQsjq+x0@nT|V6AJaM=I+@I*GwF{uCF^=!)Uy_(
zX@}{Vx%Zs!J7@1bd(V9omzEX-56wV9;o9}<g@eC)_Ywen43M_1*jBJ&>jCZe0GOS~
zm2WNHvVnRP;5`H!1K_B(`+C=GUWEP+k=o;S*`4X1e|H9PKH^nwB=~vhH{l|?9C5z8
zTB_3)KnDO@ikPpq*ZF`dL6a@Vj`7;7UCSTah(6X0pxN#d15)xJ5cHw2LJf|W-Z)<X
zNWYClehrRCzXnSHv@~Ll08IlSB-<ti{SMcU>|UGQ8+c-it1`I9?pHlKEu_;z4jtli
zEToNCNV~>DIw%Wip_OW$y4!enbTNR=haIaY;hx11Iq*hC&O#{WbCF9X`8-ra$;4g*
z{KKls;PX}W!+F4IFx8LYGx$5mki^l~kg~O+uio#ebW6gD<xj3$ruI(>MNV;-OR&`k
zBv*An*yweLexK;KOD?Cd#4Sm_)ddB$wY65e8fJBf)di0&6KXw@TiD_XxcoI3wqEo~
z!e(49;nCE;K57+GhTsVZc0uynovv!Tf43l3{J-fuUO{rZgcrOXb#j}8IpF7BXMyM!
zMD+LthZyv>M|%1L)_ddQstUG;ya7yRZdt!g<7&_S+eW9$D|w{)l<$A)@Wcj}*X8#(
z9_++V#Y(^3=MFsBU*Z>Wtt5}=weL|Y$}%IXhM(2}<mFQU*RTQ6fQI0HrU=PgywpO%
z{38~~!6MP;vMeO>4f-XbsEX7&(qCo)r4|tDs;SI)NSmjXZSqw?YrC=S`=ifty+xsk
zmJ3~P9l!3rarXU_w>;OfCWohPNFQGL;PS<Zo0lg#e*Vf0IsJk$@v>m#h6|08L~k?!
z7{*^JnR#w{++-jnf|8sQNXk{$@|eC8{eyi&n+MFz!TPGbeoo0`nomii!IAAX=Dzy=
zU{4LF%-<&Oeo3+IkZmt0wOgl;Gls{{Oeof!rZd5}-6#F$N6odTc8yk@<o>ngdDERK
zwyLwTy&~sXdB8N4x0;dnWUqc_ictpWRZR3;cx-gx6eI7NeZ&-MZ)@IP)fukLIo;p(
zddpB~Xu(u}ntc0?sn#v-uJUmPJ#e9)wT%5@oRfcWl`&*NiSi87HrA0CUua{(_K34W
z;SSS`VI@r7V&Cd|^T_a#ig(OA>Z}dV(A|x(`bg91$hpI3ySZ&j)^<5-EnC^@Y4aXz
zJ$A6S^_Zu@oGr!0_^XA@=7F)3SNg8(8ZbB6e8sJe2VQI0AL{ICi1{K-TqoNT8|eOO
zAR3D9kAxy&bF3j&6Wz;QJrh1MlsgoU^`2e$8T;w+j!RGPOS>hfv$4|ni@grcFu7Fk
z5X+>p`lHSL{_dv4iSeQHZ*n_EPK$3ZiXROhj^(;TH3w{qX6G|PUC)JF`QqQE%}OrY
z^V8n3W1|~-%&of{%bPrENemNOde$uK*#<>#R~9_1KyT<oFuw2eFE7jK!!pAu73``+
zoxCJx+Q`WC$jD!Ma`#6XBTZeg<6Rli(S6-}<4wo7()QM1!=n1Sfzu7S7tfs^|H->t
zh7vu5J1=ehAts?s=n{YAd2HVa^YdmJj9;7n<Grc<NOv=Kg6BVqzkc7}*gKu*lh^ez
zN_3E&)ZW%j#*gy+Z8c!}E8{;iO}MQM>JeDEy3jNx({KD~<PXDtUT|1g{NURzEp^+a
z$%9PBV2v#OMxOnxjzp*bO5xd3Z(u^0e?aDpad6EYpr|j9fnS}{NAK&|Y~>4`kJTfl
z@C>DdqJB-fAPuj_PR(|tew@;z3|5fmk=3E=z7X!dg}P|nbHz{yMVqXYFWHW#vz-){
zTM4U%XmT~5q7r~n^P+qzhjXTy1uZpORcleN16q9_U?!;~?|!XOM@%LW&*|j##3ysn
zNZ=c&iW;km`UgeOteR@XCTpr8kBDx+dmW#NOS9R@jXK{qBg_S3r>>4u^U9pg1Hku9
z%?_Uwcu~!cPDlIq*itqDE25OGfegajvnkj_jQ4E%TQO-Mk@9;y1CNtWU@eI7U%THS
dl}+l!vZd<ohn27l1Xuyf;YoN3ts-!8{{~vzdcyz!

literal 0
HcmV?d00001

-- 
2.7.4