[subset/cff] Fix an infinite loop

Fixes https://oss-fuzz.com/testcase-detail/5419002026131456
2 years ago · 62f5ed461e
parent 87b573615f
commit 62f5ed461e
3 changed files with 5 additions and 4 deletions
--- a/src/hb-ot-cff-common.hh
+++ b/src/hb-ot-cff-common.hh
@ -488,7 +488,7 @@ struct FDSelect3_4
  {
    auto *range = hb_bsearch (glyph, &ranges[0], nRanges () - 1, sizeof (ranges[0]), _cmp_range);
    unsigned fd = range ? range->fd : ranges[nRanges () - 1].fd;
-    hb_codepoint_t end = range ? range[1].first : 0;
+    hb_codepoint_t end = range ? range[1].first : ranges[nRanges () - 1].first;
    return {fd, end};
  }

@ -542,13 +542,13 @@ struct FDSelect
  /* Returns pair of fd and one after last glyph in range. */
  hb_pair_t<unsigned, hb_codepoint_t> get_fd_range (hb_codepoint_t glyph) const
  {
-    if (this == &Null (FDSelect)) return {0, 0};
+    if (this == &Null (FDSelect)) return {0, 1};

    switch (format)
    {
    case 0: return u.format0.get_fd_range (glyph);
    case 3: return u.format3.get_fd_range (glyph);
-    default:return {0, 0};
+    default:return {0, 1};
    }
  }

--- a/src/hb-subset-cff-common.cc
+++ b/src/hb-subset-cff-common.cc
@ -95,7 +95,8 @@ hb_plan_subset_cff_fdselect (const hb_subset_plan_t *plan,
 	prev_fd = fd;
 	fdselect_ranges.push (code_pair_t { fd, gid });

-	gid = hb_min (_.first - 1, last_range.second - 1);
+	if (gid == old_glyph)
+	  gid = hb_min (_.first - 1, last_range.second - 1);
      }
    }

--- a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5419002026131456
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5419002026131456