[subset] fail reference blob in face builder if allocation for table sorting fails. Fixes https://oss-fuzz.com/testcase-detail/5041767803125760

commit: 8c0c217b5a1ded98ce62a3c7394942bcb3b95396 [log] [tgz]
author: Garret Rieger <[email protected]> Fri Aug 06 10:45:38 2021 -0700
committer: Garret Rieger <[email protected]> Fri Aug 06 15:54:41 2021 -0600
tree: 3771ee7fa9bac94731b388c3c72177f0ae4b371e
parent: e5bfd49ae5bc711a40e3fac9e3b8230f251e5d67 [diff]
diff --git a/src/hb-face.cc b/src/hb-face.cc
index 2386e87..2c00873 100644
--- a/src/hb-face.cc
+++ b/src/hb-face.cc

@@ -690,6 +690,12 @@
   // Sort the tags so that produced face is deterministic.
   hb_vector_t<hb_pair_t <hb_tag_t, hb_blob_t*>> sorted_entries;
   data->tables.iter () | hb_sink (sorted_entries);
+  if (unlikely (sorted_entries.in_error ()))
+  {
+    hb_free (buf);
+    return nullptr;
+  }
+
   sorted_entries.qsort (compare_entries);
   bool ret = f->serialize_single (&c, sfnt_tag, + sorted_entries.iter());
 

diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5041767803125760 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5041767803125760
new file mode 100644
index 0000000..d23fa57
--- /dev/null
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5041767803125760
Binary files differ
commit	8c0c217b5a1ded98ce62a3c7394942bcb3b95396	[log] [tgz]
author	Garret Rieger <[email protected]>	Fri Aug 06 10:45:38 2021 -0700
committer	Garret Rieger <[email protected]>	Fri Aug 06 15:54:41 2021 -0600
tree	3771ee7fa9bac94731b388c3c72177f0ae4b371e
parent	e5bfd49ae5bc711a40e3fac9e3b8230f251e5d67 [diff]