[HarfBuzz] harfbuzz: Branch 'master'
Behdad Esfahbod
behdad at kemper.freedesktop.org
Fri Nov 23 03:02:52 UTC 2018
src/hb-aat-layout-kerx-table.hh | 1 +
src/hb-aat-layout-morx-table.hh | 2 +-
test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5722888989048832 |binary
3 files changed, 2 insertions(+), 1 deletion(-)
New commits:
commit 2c8188bf599e351a4e0804d74612f9643b3d2443
Author: Behdad Esfahbod <behdad at behdad.org>
Date: Thu Nov 22 22:02:19 2018 -0500
[kerx] Make sure subtables are non-zero-length
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11400
diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh
index f075a270..21097276 100644
--- a/src/hb-aat-layout-kerx-table.hh
+++ b/src/hb-aat-layout-kerx-table.hh
@@ -812,6 +812,7 @@ struct KerxSubTable
{
TRACE_SANITIZE (this);
if (!u.header.sanitize (c) ||
+ u.header.length <= u.header.static_size ||
!c->check_range (this, u.header.length))
return_trace (false);
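Review bot: The new bound `u.header.length <= u.header.static_size` carries no comment explaining why a header-only subtable is rejected, so the `<=` is easy to "correct" back to `<` later; the same applies to the `length <= min_size` line in the ChainSubtable hunk of hb-aat-layout-morx-table.hh. Presumably later code assumes at least one byte of subtable body after the header, which the linked fuzzer case violated. That should be stated next to the check, e.g. `/* A subtable must carry data beyond its header; length == header size is invalid. */`. The two files also spell the bound differently (`static_size` here, `min_size` in morx); if both denote the header size, using one name would make the parallel checks easier to audit. The sanitize body continues outside the hunk.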
diff --git a/src/hb-aat-layout-morx-table.hh b/src/hb-aat-layout-morx-table.hh
index 43073270..bbe952fa 100644
--- a/src/hb-aat-layout-morx-table.hh
+++ b/src/hb-aat-layout-morx-table.hh
@@ -915,7 +915,7 @@ struct ChainSubtable
{
TRACE_SANITIZE (this);
if (!length.sanitize (c) ||
- length < min_size ||
+ length <= min_size ||
!c->check_range (this, length))
return_trace (false);
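Review bot: Nothing visible in this commit shows that the tightened morx bound is exercised. The single added fuzz font is tied to the kerx issue in the commit message, and the diff does not show whether it also reaches `length <= min_size` here. A morx regression input with `length == min_size` would pin the boundary, so a later revert to `<` would fail a test rather than silently re-admit zero-length subtables. The body of this sanitize method continues past the hunk.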
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5722888989048832 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5722888989048832
new file mode 100644
index 00000000..df1556b5
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5722888989048832 differ