[HarfBuzz] harfbuzz: Branch 'master'

Fri Nov 10 02:10:44 UTC 2017

src/hb-ot-kern-table.hh                                                 |    9 +++++----
 test/shaping/fonts/sha1sum/243798dd281c1c77c065958e1ff467420faa9bde.ttf |binary
 test/shaping/tests/fuzzed.tests                                         |    1 +
 3 files changed, 6 insertions(+), 4 deletions(-)

New commits:
commit 8eed9cb11e28728a58e265fde5c13f519ccbdb4e
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Thu Nov 9 18:09:40 2017 -0800

    [kern] Fix invalid memory access if offset is zero
    
    If offset is zero, we return Null() object.  Wasn't prepared for that.
    
    Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4088

diff --git a/src/hb-ot-kern-table.hh b/src/hb-ot-kern-table.hh
index 074eba32..5fd2e20e 100644
--- a/src/hb-ot-kern-table.hh
+++ b/src/hb-ot-kern-table.hh
@@ -117,10 +117,11 @@ struct KernSubTableFormat2
     unsigned int l = (this+leftClassTable).get_class (left);
     unsigned int r = (this+leftClassTable).get_class (left);
     unsigned int offset = l * rowWidth + r * sizeof (FWORD);
-    const FWORD *v = &StructAtOffset<FWORD> (&(this+array), offset);
-    /* Untested code, as I have not been able to find ANY kern table format-2 yet. */
-    assert (&(this+array) <= v);
-    if (unlikely (v + 1 > (const FWORD *) end))
+    const FWORD *arr = &(this+array);
+    if (unlikely ((const void *) arr < (const void *) this || (const void *) arr >= (const void *) end))
+      return 0;
+    const FWORD *v = &StructAtOffset<FWORD> (arr, offset);
+    if (unlikely ((const void *) v < (const void *) arr || (const void *) (v + 1) > (const void *) end))
       return 0;
     return *v;
   }
diff --git a/test/shaping/fonts/sha1sum/243798dd281c1c77c065958e1ff467420faa9bde.ttf b/test/shaping/fonts/sha1sum/243798dd281c1c77c065958e1ff467420faa9bde.ttf
new file mode 100644
index 00000000..dd8506ef
Binary files /dev/null and b/test/shaping/fonts/sha1sum/243798dd281c1c77c065958e1ff467420faa9bde.ttf differ
diff --git a/test/shaping/tests/fuzzed.tests b/test/shaping/tests/fuzzed.tests
index 1f51e441..53e9187e 100644
--- a/test/shaping/tests/fuzzed.tests
+++ b/test/shaping/tests/fuzzed.tests
@@ -15,3 +15,4 @@ fonts/sha1sum/a34a9191d9376bda419836effeef7e75c1386016.ttf:--font-funcs=ot:U+004
 fonts/sha1sum/a69118c2c2ada48ff803d9149daa54c9ebdae30e.ttf:--font-funcs=ot:U+0041:[gid0=0+1229]
 fonts/sha1sum/b6acef662e0beb8d5fcf5b61c6b0ca69537b7402.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
 fonts/sha1sum/e88c339237f52d21e01c55f01b9c1b4cc14a0467.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
+fonts/sha1sum/243798dd281c1c77c065958e1ff467420faa9bde.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
