[repacker] don't allow references to the null object in graph.

Fixes fuzzer issue https://oss-fuzz.com/testcase-detail/6714085985353728
2 years ago · 239a5aca02
parent 4ce0f08897
commit 239a5aca02
2 changed files with 4 additions and 3 deletions
--- a/src/graph/graph.hh
+++ b/src/graph/graph.hh
@ -50,12 +50,13 @@ struct graph_t
    unsigned priority = 0;


-    bool link_positions_valid (unsigned num_objects)
+    bool link_positions_valid (unsigned num_objects, bool removed_nil)
    {
      hb_set_t assigned_bytes;
      for (const auto& l : obj.real_links)
      {
-        if (l.objidx >= num_objects)
+        if (l.objidx >= num_objects
+            || (removed_nil && !l.objidx))
        {
          DEBUG_MSG (SUBSET_REPACK, nullptr,
                     "Invalid graph. Invalid object index.");
@ -340,7 +341,7 @@ struct graph_t
      if (check_success (!vertices_.in_error ()))
        v->obj = *objects[i];

-      check_success (v->link_positions_valid (objects.length));
+      check_success (v->link_positions_valid (objects.length, removed_nil));

      if (!removed_nil) continue;
      // Fix indices to account for removed nil object.
--- a/test/fuzzing/graphs/clusterfuzz-testcase-minimized-hb-repacker-fuzzer-6714085985353728
+++ b/test/fuzzing/graphs/clusterfuzz-testcase-minimized-hb-repacker-fuzzer-6714085985353728