crash fix : Heap-buffer-overflow READ 2
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18513
diff --git a/src/hb-ot-layout-gpos-table.hh b/src/hb-ot-layout-gpos-table.hh
index e129ae4..024312d 100644
--- a/src/hb-ot-layout-gpos-table.hh
+++ b/src/hb-ot-layout-gpos-table.hh
@@ -762,7 +762,7 @@
friend struct PairSet;
bool serialize (hb_serialize_context_t *c,
- unsigned size,
+ unsigned length,
const hb_map_t &glyph_map) const
{
TRACE_SERIALIZE (this);
@@ -770,7 +770,7 @@
if (unlikely (!c->extend_min (out))) return_trace (false);
out->secondGlyph = glyph_map[secondGlyph];
- return_trace (c->copy (values, size));
+ return_trace (c->copy (values, length));
}
protected:
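Review bot: The renamed `length` parameter carries no hint of its unit, and the unit is the whole bug here — the previous caller handed `serialize` a byte count under the name `size`, and `c->copy (values, size)` then over-read the Value array. From the caller it is now `len1 + len2`, which the sibling `record_size = HBUINT16::static_size + Value::static_size * (len1 + len2)` treats as a count of Value entries, so the signature should say so: `/* length: number of Value entries in `values` (len1 + len2 of the enclosing PairPosFormat1), not a byte size */` on the `unsigned length,` line in the preceding hunk. Whether `c->copy` itself takes an element count is not visible in these hunks; if it does not, the comment should state whichever unit it actually expects.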
@@ -871,16 +871,16 @@
const hb_set_t &glyphset = *c->plan->glyphset ();
const hb_map_t &glyph_map = *c->plan->glyph_map;
- unsigned len1 = valueFormats[0].get_size ();
- unsigned len2 = valueFormats[1].get_size ();
- unsigned record_size = HBUINT16::static_size + len1 + len2;
+ unsigned len1 = valueFormats[0].get_len ();
+ unsigned len2 = valueFormats[1].get_len ();
+ unsigned record_size = HBUINT16::static_size + Value::static_size * (len1 + len2);
const PairValueRecord *record = &firstPairValueRecord;
unsigned count = len, num = 0;
for (unsigned i = 0; i < count; i++)
{
if (!glyphset.has (record->secondGlyph)) continue;
- if (record->serialize (c->serializer, record_size, glyph_map)) num++;
+ if (record->serialize (c->serializer, len1 + len2, glyph_map)) num++;
record = &StructAtOffset<const PairValueRecord> (record, record_size);
}
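Review bot: The `continue` on the `glyphset.has` check skips the `record = &StructAtOffset<const PairValueRecord> (record, record_size);` advance at the end of the loop body, so once a record whose secondGlyph is outside the subset glyphset is hit, the same record is re-tested on every remaining iteration and the records after it are never serialized. The fix the commit makes (passing `len1 + len2` and sizing `record_size` by `Value::static_size`) is correct but leaves this in place. Fold the check into the serialize condition so the pointer always moves: `if (glyphset.has (record->secondGlyph) && record->serialize (c->serializer, len1 + len2, glyph_map)) num++;` followed unconditionally by `record = &StructAtOffset<const PairValueRecord> (record, record_size);`. The enclosing subset function continues outside the hunk, so `num` may be consumed after the loop and would currently under-count.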