authorGarret Rieger <grieger@google.com>2021-11-02 16:16:52 -0700
committerBehdad Esfahbod <behdad@behdad.org>2021-11-02 17:00:07 -0700
commitf51b48c8e780ca918535c7af670818f2166ccf64 (patch)
treeaa09a012a7bba588431c8628352fa2184fcaa32a
parentb1cd0dce8ed2fff2b781dfb432777db7de5f3f80 (diff)
downloadharfbuzz_ng-f51b48c8e780ca918535c7af670818f2166ccf64.tar.gz
[subset] Fix fuzzer found memory leak.
This happens because inserting into a map with an invalid key reports success, so the set being inserted is lost.
-rw-r--r--src/hb-ot-layout-gsubgpos.hh17
-rw-r--r--test/fuzzing/fonts/leak-34f1798a142fd0dfdd71a96fb6aa7de19a62865ebin0 -> 134 bytes
2 files changed, 9 insertions, 8 deletions
diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh
index 2dddb6da2..c0ed2bcc0 100644
--- a/src/hb-ot-layout-gsubgpos.hh
+++ b/src/hb-ot-layout-gsubgpos.hh
@@ -1632,7 +1632,7 @@ struct Rule
const UnsizedArrayOf<LookupRecord> &lookupRecord = StructAfter<UnsizedArrayOf<LookupRecord>>
(inputZ.as_array ((inputCount ? inputCount - 1 : 0)));
-
+
unsigned count = serialize_lookuprecord_array (c, lookupRecord.as_array (lookupCount), lookup_map);
return_trace (c->check_assign (out->lookupCount, count, HB_SERIALIZE_ERROR_INT_OVERFLOW));
}
@@ -2087,7 +2087,7 @@ struct ContextFormat2
const hb_set_t* glyphset = c->plan->glyphset_gsub ();
hb_set_t retained_coverage_glyphs;
(this+coverage).intersected_coverage_glyphs (glyphset, &retained_coverage_glyphs);
-
+
hb_set_t coverage_glyph_classes;
(this+classDef).intersected_classes (&retained_coverage_glyphs, &coverage_glyph_classes);
@@ -2262,7 +2262,7 @@ struct ContextFormat3
const UnsizedArrayOf<LookupRecord>& lookupRecord = StructAfter<UnsizedArrayOf<LookupRecord>> (coverageZ.as_array (glyphCount));
const hb_map_t *lookup_map = c->table_tag == HB_OT_TAG_GSUB ? c->plan->gsub_lookups : c->plan->gpos_lookups;
-
+
unsigned count = serialize_lookuprecord_array (c->serializer, lookupRecord.as_array (lookupCount), lookup_map);
return_trace (c->serializer->check_assign (out->lookupCount, count, HB_SERIALIZE_ERROR_INT_OVERFLOW));
@@ -3338,7 +3338,7 @@ struct ChainContextFormat3
const Array16Of<LookupRecord> &lookupRecord = StructAfter<Array16Of<LookupRecord>> (lookahead);
const hb_map_t *lookup_map = c->table_tag == HB_OT_TAG_GSUB ? c->plan->gsub_lookups : c->plan->gpos_lookups;
-
+
HBUINT16 *lookupCount = c->serializer->copy<HBUINT16> (lookupRecord.len);
if (!lookupCount) return_trace (false);
@@ -3694,6 +3694,7 @@ struct GSUBGPOS
for (unsigned i : feature_indices->iter ())
{
hb_tag_t t = get_feature_tag (i);
+ if (t == unique_features.INVALID_KEY) continue;
if (!unique_features.has (t))
{
hb_set_t* indices = hb_set_create ();
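Review bot: The added `continue` guard carries no explanation, and since the `has (t)` check on the next line looks like it already covers unknown tags, a later reader could drop it as redundant and reintroduce the leak; a comment such as `/* hb_map_t cannot store INVALID_KEY: set () reports success but drops the value, which leaked the set created below. */` would pin the reason to the line. The guard also means a feature whose tag equals the sentinel is never entered into unique_features or considered for duplicate folding at all; whether the dedup pass further down tolerates that is decided by code outside this hunk, so it is worth confirming. The underlying behaviour that a map insert with an invalid key reports success remains unchanged by this commit, so any other caller that allocates before inserting is exposed to the same pattern; a check of the return value there, or an assertion in the map, would be the more general fix. The enclosing for loop body continues past the end of the hunk.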
@@ -3723,12 +3724,12 @@ struct GSUBGPOS
+ hb_iter (f.lookupIndex)
| hb_filter (lookup_indices)
;
-
+
auto other_f_iter =
+ hb_iter (other_f.lookupIndex)
| hb_filter (lookup_indices)
;
-
+
bool is_equal = true;
for (; f_iter && other_f_iter; f_iter++, other_f_iter++)
{
@@ -3738,12 +3739,12 @@ struct GSUBGPOS
}
if (is_equal == false || f_iter || other_f_iter) continue;
-
+
found = true;
duplicate_feature_map->set (i, other_f_index);
break;
}
-
+
if (found == false)
{
same_tag_features->add (i);
diff --git a/test/fuzzing/fonts/leak-34f1798a142fd0dfdd71a96fb6aa7de19a62865e b/test/fuzzing/fonts/leak-34f1798a142fd0dfdd71a96fb6aa7de19a62865e
new file mode 100644
index 000000000..0726b939f
--- /dev/null
+++ b/test/fuzzing/fonts/leak-34f1798a142fd0dfdd71a96fb6aa7de19a62865e
Binary files differ