Avoid NULL derefs inside FontHeaderTable::Builder.

As a result IndexToLocFormat() should also return an invalid value.
Fixes https://crbug.com/646347

3 files changed, 9 insertions, 3 deletions

diff --git a/cpp/src/sfntly/table/core/font_header_table.cc b/cpp/src/sfntly/table/core/font_header_table.cc
index 60015ca..a848afd 100644
--- a/cpp/src/sfntly/table/core/font_header_table.cc
+++ b/cpp/src/sfntly/table/core/font_header_table.cc
@@ -239,7 +239,10 @@ void FontHeaderTable::Builder::SetFontDirectionHint(int32_t hint) {
 }
 
 int32_t FontHeaderTable::Builder::IndexToLocFormat() {
-  return down_cast<FontHeaderTable*>(GetTable())->IndexToLocFormat();
+  Table* table = GetTable();
+  if (!table)
+    return IndexToLocFormat::kInvalidOffset;
+  return down_cast<FontHeaderTable*>(table)->IndexToLocFormat();
 }
 
 void FontHeaderTable::Builder::SetIndexToLocFormat(int32_t format) {
diff --git a/cpp/src/sfntly/table/core/font_header_table.h b/cpp/src/sfntly/table/core/font_header_table.h
index 841955b..4851775 100644
--- a/cpp/src/sfntly/table/core/font_header_table.h
+++ b/cpp/src/sfntly/table/core/font_header_table.h
@@ -24,6 +24,7 @@ namespace sfntly {
 
 struct IndexToLocFormat {
   enum {
+    kInvalidOffset = -1,
     kShortOffset = 0,
     kLongOffset = 1
   };
diff --git a/cpp/src/sfntly/table/table_based_table_builder.cc b/cpp/src/sfntly/table/table_based_table_builder.cc
index b505704..51a5a3b 100644
--- a/cpp/src/sfntly/table/table_based_table_builder.cc
+++ b/cpp/src/sfntly/table/table_based_table_builder.cc
@@ -60,8 +60,10 @@ TableBasedTableBuilder::TableBasedTableBuilder(Header* header)
 }
 
 Table* TableBasedTableBuilder::GetTable() {
-  if (table_ == NULL) {
-    table_.Attach(down_cast<Table*>(SubBuildTable(InternalReadData())));
+  if (!table_) {
+    ReadableFontData* data = InternalReadData();
+    if (data)
+      table_.Attach(down_cast<Table*>(SubBuildTable(data)));
   }
   return table_;
 }