From e1a5ce6aa661251e998df7b3612a1d5d39e28827 Mon Sep 17 00:00:00 2001
From: Qunxin Liu <qxliu@google.com>
Date: Fri, 24 May 2019 10:58:52 -0700
Subject: [PATCH] Fix fuzzer crash testcase

Add a check for stringOffSet(uint16) overflow,
return early if overflow happens
---
 src/hb-ot-name-table.hh                                |   2 +-
 ...estcase-minimized-hb-subset-fuzzer-5077547978588160 | Bin 0 -> 339602 bytes
 ...estcase-minimized-hb-subset-fuzzer-5761434614497280 | Bin 0 -> 532 bytes
 3 files changed, 1 insertion(+), 1 deletion(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5077547978588160
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5761434614497280

diff --git a/src/hb-ot-name-table.hh b/src/hb-ot-name-table.hh
index 6c75cc3..4eda467 100644
--- a/src/hb-ot-name-table.hh
+++ b/src/hb-ot-name-table.hh
@@ -186,7 +186,7 @@ struct name
 
     auto snap = c->snapshot ();
     this->nameRecordZ.serialize (c, this->count);
-    this->stringOffset = c->length ();
+    if (unlikely (!c->check_assign (this->stringOffset, c->length ()))) return_trace (false);
     c->revert (snap);
 
     const void *dst_string_pool = &(this + this->stringOffset);
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5077547978588160 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5077547978588160
new file mode 100644
index 0000000000000000000000000000000000000000..37bb009553bdeb13e063af538c8ba5fb7c5c8aab
GIT binary patch
literal 339602
zcmeI#&ud&o902g|Zk8Gs?M0E2)7FDj1gYB7MltphZwkeWplm?fOJgIw3QaB*`~&(2
z<S+0K@a|ox_eyV4Bq|$}(C5s1yV)PvY<81$sqmSFee>ST`}LXm&YOu^M6K59rJ|oX
z%QjM~=fAI)>hVS1Y1Lo;@!++H=6m^YeRsc8+}n)WUK9}<Df8>)sC~1snd%>;`t=yC
z|I+UJ>8!GTtFb*=f8_eD<~w88kH+Ek@08acsXz2QtBsup7Z0Mnb?5G044qXyRV1YJ
z1drq4n^DY}y4}eqqzl$}w>rZ&UduO*C+qF~=I!>)>Q%O;z|;pY(TDk~SO2&d?ZJ<|
zVkI%L3EnNA<EOXsCd(X6Gqz65+&Z1{-ZDVCwV?EE?>_DQ_-cKl6U(VrL~JkZ-HX~Q
zn{jzUADOwQ|8Q(iuNpMA8@0{7Xie$qvs)gCyn*GEo*w@`oEnk~?0LIo?9JKpUL5QG
z=P)iTsN+qzP40P{Q(ELouJF9K$oQAw8Mnx6qu|iz=cJ&V;q!Bvpq%)@JI}Vfmioq&
zab0xf;5pCes=k+lDbBoK+Eca2f}`v3+i;%4Y`01$&cddQguUtI;e;g4X;xJG`Jc|}
zgT_woEB#b-bFL^xCu~E*_jB`kojm`Xe6;^|CvGR7KH+G(($GA&oJr>|`Y-Y7`i;-7
zKVJUhqqMgY?Xsj9%jvgL9(g<7DEG>>#7fFGQ^AF@;+2$NF6ZjylzC(YQO(tJ%PcOn
z^4u@d!=<%UwauFsVlBPG)s)NWxAZtwF8}`--=+WUYqxHHd2=J5lnQfkE7f|G_SfR$
zPh$P^8}aF-Ts@_e`rzHY<*}hAt-kVOOdZ`$9WjGx<WQH-;`bx2rb8p^z2AH5y<GmR
z()f%#FKNzrud^=Q`ir~V2!m9Q53A*IK2)xghqe(<i{j~FNs)H1=e?BrRm(Ol_m7K!
zT>IF**ovjNG!j!evYPpvlt#-2!Ip~VIdM2p%j=fiznrL+yW`zIy<7kFs_HosQc&dE
zrbc`eDg38B!3U|ddi0CwLiybX>GhPYb^oqz{v_>GH*f3=svLd)T-G1q$A<W7Xo=!N
zBi(8^rU%!PBS3%v0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+
z009C72oNAZfB=Dc1Xd%ypQpaM1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U
bAV7cs0RjXF5FkK+009C72oNCfzZUopOe7x3

literal 0
HcmV?d00001

diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5761434614497280 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5761434614497280
new file mode 100644
index 0000000000000000000000000000000000000000..0060ade5731364069ddaa8a460727a027f34a4fa
GIT binary patch
literal 532
zcmZQzWME)mR{(<lAc7<i9O4)P(!jvL$N-`V0FVVROJFp9E&m|^p$N!Fa0s$6)M5w#
j-OeZoG=~A`2OwYsVUQz1aF79LSm2`+kR-`=Jum<O<;r-v

literal 0
HcmV?d00001

-- 
2.7.4