commit | 6879efc2c1596d11a6a6ad296f80063b558d5e0f | [log] [tgz] |
---|---|---|
author | Behdad Esfahbod <[email protected]> | Thu Jan 17 14:06:37 2019 -0500 |
committer | Behdad Esfahbod <[email protected]> | Thu Jan 17 14:08:02 2019 -0500 |
tree | 2da5f149a4c08929b1870186c65bf0d43a34ad8b | |
parent | a262eb3d0b7009aabd9e0beebc77e5c0a2a65548 [diff] |
[AAT] Fix anchor bound checking, again Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12532 Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=922303
diff --git a/src/hb-aat-layout-ankr-table.hh b/src/hb-aat-layout-ankr-table.hh
index 497b2ea..69e2706 100644
--- a/src/hb-aat-layout-ankr-table.hh
+++ b/src/hb-aat-layout-ankr-table.hh
@@ -69,7 +69,8 @@
 if (!offset)
 return Null(Anchor);
 const GlyphAnchors &anchors = StructAtOffset<GlyphAnchors> (&(this+anchorData), *offset);
- if (unlikely (end - (const char *) &anchors < anchors.len.static_size ||
+ if (unlikely (end < (const char *) &anchors ||
+ end - (const char *) &anchors < anchors.len.static_size ||
 end - (const char *) &anchors < anchors.get_size ()))
 return Null(Anchor);
 return anchors[i];
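Review bot: The ordering of the three conditions in the new `if` is load-bearing and should be documented, because only the leading `end < (const char *) &anchors` test guarantees that the two `end - (const char *) &anchors` differences that follow are non-negative before they are compared against `anchors.len.static_size` and `anchors.get_size ()`. I would put `/* Must test end first: a negative end - &anchors must never reach the size comparisons, and get_size () presumably reads len from the blob. */` above the `if`, hedged on the last part since `get_size ()` is not visible in this hunk. The enclosing function, including where `end` is computed, starts and ends outside the hunk, so whether `end` already accounts for `anchorData` cannot be confirmed here; if a later edit reorders these conditions (say for readability), the comment is what keeps the underflow from coming back.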
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5166320261529600 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5166320261529600
new file mode 100644
index 0000000..b79765a
--- /dev/null
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5166320261529600
Binary files differ
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5667182741028864 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5667182741028864
new file mode 100644
index 0000000..0c40dd8
--- /dev/null
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5667182741028864
Binary files differ