src/hb-aat-layout-kerx-table.hh                                                
    |    1 +
 src/hb-aat-layout-morx-table.hh                                                
    |    2 +-
 
test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5722888989048832
 |binary
 3 files changed, 2 insertions(+), 1 deletion(-)

New commits:
commit 2c8188bf599e351a4e0804d74612f9643b3d2443
Author: Behdad Esfahbod <[email protected]>
Date:   Thu Nov 22 22:02:19 2018 -0500

    [kerx] Make sure subtables are non-zero-length
    
    Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11400

diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh
index f075a270..21097276 100644
--- a/src/hb-aat-layout-kerx-table.hh
+++ b/src/hb-aat-layout-kerx-table.hh
@@ -812,6 +812,7 @@ struct KerxSubTable
   {
     TRACE_SANITIZE (this);
     if (!u.header.sanitize (c) ||
+       u.header.length <= u.header.static_size ||
        !c->check_range (this, u.header.length))
       return_trace (false);
 
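Review bot: The added bound `u.header.length <= u.header.static_size` carries no comment explaining why a header-only subtable is invalid, and it guarantees only that at least one byte follows the header. I would add `/* Reject subtables with no payload after the header (oss-fuzz 11400). */` directly above the condition. A length of `static_size + 1` still passes this check, so the per-format sanitize code has to bound its own reads against `u.header.length`; that code is presumably further down, outside the hunk, and is worth confirming. The enclosing sanitize function starts and ends outside the hunk.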
diff --git a/src/hb-aat-layout-morx-table.hh b/src/hb-aat-layout-morx-table.hh
index 43073270..bbe952fa 100644
--- a/src/hb-aat-layout-morx-table.hh
+++ b/src/hb-aat-layout-morx-table.hh
@@ -915,7 +915,7 @@ struct ChainSubtable
   {
     TRACE_SANITIZE (this);
     if (!length.sanitize (c) ||
-       length < min_size ||
+       length <= min_size ||
        !c->check_range (this, length))
       return_trace (false);
 
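Review bot: Changing the comparison to `length <= min_size` makes a ChainSubtable whose length equals `min_size` fail sanitization where it previously passed. The commit message names only kerx, so it is not evident that the added fuzzer font exercises this morx path. If a false return here rejects the whole morx table rather than skipping the one subtable (the callers are not visible in this hunk), a font with a single payload-less subtable would lose all morx processing; it is worth confirming that this is intended. I would record the intent with `/* A subtable must carry data beyond its fixed header; equal-to-min_size is rejected, as in kerx. */` and add a morx-specific test font. The function body starts and ends outside the hunk.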
diff --git 
a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5722888989048832
 
b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5722888989048832
new file mode 100644
index 00000000..df1556b5
Binary files /dev/null and 
b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5722888989048832
 differ