From df698f3299d92867e3305715f675b2621c316acd Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Tue, 3 Nov 2015 12:15:12 -0800
Subject: [PATCH] [ot-font] Fix hmtx table length checking, *again*

Exactly the same problem that I fixed in
63ef0b41dc48d6112d1918c1b1de9de8ea90adb5

I rewrote the table checking yesterday in
67f8821fb25d9bd55719f5e29a582ae1af4b02b3
and introduced the exact same issue again. :(
Good thing we have ongoing fuzzing going now.  Was discovered
immediately by libFuzzer.  Thanks kcc!

https://github.com/behdad/harfbuzz/issues/139#issuecomment-153449473
Fixes https://github.com/behdad/harfbuzz/issues/156
---
 src/hb-ot-font.cc                                         |   4 ++--
 .../sha1sum/8240789f6d12d4cfc4b5e8e6f246c3701bcf861f.ttf  | Bin 0 -> 633 bytes
 test/shaping/fonts/sha1sum/MANIFEST                       |   1 +
 test/shaping/tests/fuzzed.tests                           |   1 +
 4 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 test/shaping/fonts/sha1sum/8240789f6d12d4cfc4b5e8e6f246c3701bcf861f.ttf

diff --git a/src/hb-ot-font.cc b/src/hb-ot-font.cc
index bde63fa..94c31b3 100644
--- a/src/hb-ot-font.cc
+++ b/src/hb-ot-font.cc
@@ -59,11 +59,11 @@ struct hb_ot_face_metrics_accelerator_t
 
     /* Cap num_metrics() and num_advances() based on table length. */
     unsigned int len = hb_blob_get_length (this->blob);
-    if (unlikely (this->num_advances * 4 < len))
+    if (unlikely (this->num_advances * 4 > len))
       this->num_advances = len / 4;
     this->num_metrics = this->num_advances + (len - 4 * this->num_advances) / 2;
 
-    /* We MUSt set num_metrics to zero if num_advances is zero.
+    /* We MUST set num_metrics to zero if num_advances is zero.
      * Our get_advance() depends on that. */
     if (unlikely (!this->num_advances))
     {
diff --git a/test/shaping/fonts/sha1sum/8240789f6d12d4cfc4b5e8e6f246c3701bcf861f.ttf b/test/shaping/fonts/sha1sum/8240789f6d12d4cfc4b5e8e6f246c3701bcf861f.ttf
new file mode 100644
index 0000000000000000000000000000000000000000..8eed14d94e07b2eba586d9fe23c1846d88f078a9
GIT binary patch
literal 633
zcmZuvOG_J36#njGLgHJA3u%Q}1Ya9p#Z?M|;;N9Lb)l;|j7p%42^cY}AV>*1g6+a?
z6x`}BaMK?lwDcEr8E8Q?Gf+GI?nLoH&z-sF`_AK@bM8!Gaj}35cA(HRx3FL@Uw!-q
zh~EI}g?HnxCT?=y$w{%|`ED7VxFA0vpDM1otM1Ra&%`IAz)X>b)EDuVoH@u9{Yq7y
z5kXeDrG2+rhIEV}<eS=X{Wb6WL!IZXkmt*#%?kTqF>y(5CuPZ|-|Q{D@6KNXn&xMc
zjT`c7QY8&}=VOj){AK04>PZhz@)*fJOuT{=pIQSxiTEGkxesE$9<?!x8fx+^Ziso+
z5KHtvj;STl8dDIn28#QMh$XQy)9MUSiy17rv<Ht*lA&-&-NDg^s5O_VP>bW%9`7cc
zgkn4@L4f%xl*jF~xMmkZw0m2dm6E?++Nc<6hc6Jml%Wa-2K7Pb>2~BqdF!(KTlPoq
zakIS-S_rAMHR*X~D6!8ZUfjs3=<gcdmO<oLQ9iJOTgSSkZjLp_`okU?!kqPox+@4$
QL4p5TkUna|QRHO)0WE20TL1t6

literal 0
HcmV?d00001

diff --git a/test/shaping/fonts/sha1sum/MANIFEST b/test/shaping/fonts/sha1sum/MANIFEST
index 902fa00..785e6ef 100644
--- a/test/shaping/fonts/sha1sum/MANIFEST
+++ b/test/shaping/fonts/sha1sum/MANIFEST
@@ -17,6 +17,7 @@
 757ebd573617a24aa9dfbf0b885c54875c6fe06b.ttf
 7e14e7883ed152baa158b80e207b66114c823a8b.ttf
 813c2f8e5512187fd982417a7fb4286728e6f4a8.ttf
+8240789f6d12d4cfc4b5e8e6f246c3701bcf861f.ttf
 8454d22037f892e76614e1645d066689a0200e61.ttf
 8a9fea2a7384f2116e5b84a9b31f83be7850ce21.ttf
 a919b33197965846f21074b24e30250d67277bce.ttf
diff --git a/test/shaping/tests/fuzzed.tests b/test/shaping/tests/fuzzed.tests
index 6bb30b0..64e96d7 100644
--- a/test/shaping/tests/fuzzed.tests
+++ b/test/shaping/tests/fuzzed.tests
@@ -3,3 +3,4 @@ fonts/sha1sum/5a5daf5eb5a4db77a2baa3ad9c7a6ed6e0655fa8.ttf:--font-funcs=ot:U+004
 fonts/sha1sum/0509e80afb379d16560e9e47bdd7d888bebdebc6.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
 fonts/sha1sum/641bd9db850193064d17575053ae2bf8ec149ddc.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
 fonts/sha1sum/375d6ae32a3cbe52fbf81a4e5777e3377675d5a3.ttf:--font-funcs=ot:U+0041:[gid0=0+4352]
+fonts/sha1sum/8240789f6d12d4cfc4b5e8e6f246c3701bcf861f.ttf:--font-funcs=ot:U+0041:[gid0=0+2304]
-- 
2.7.4