[CFF] bad offset in Index (#1476)

* Update hb-ot-cff-common.hh * fix bug * bummer fix wasn't hit. refix * additional sanity check * Added test cases for oss-fuzz issues 11805, 11806
6 years ago · 798e98c47b
parent bcb4ecaf68
commit 798e98c47b
3 changed files with 8 additions and 2 deletions
--- a/src/hb-ot-cff-common.hh
+++ b/src/hb-ot-cff-common.hh
@ -200,7 +200,13 @@ struct CFFIndex
  }

  inline unsigned int length_at (unsigned int index) const
-  { return offset_at (index + 1) - offset_at (index); }
+  {
+  	if (likely ((offset_at (index + 1) >= offset_at (index)) &&
+		    (offset_at (index + 1) <= offset_at (count))))
+	  return offset_at (index + 1) - offset_at (index);
+	else
+	  return 0;
+  }

  inline const char *data_base (void) const
  { return (const char *)this + min_size + offset_array_size (); }
@ -211,7 +217,7 @@ struct CFFIndex
  inline ByteStr operator [] (unsigned int index) const
  {
    if (likely (index < count))
-      return ByteStr (data_base () + offset_at (index) - 1, offset_at (index + 1) - offset_at (index));
+      return ByteStr (data_base () + offset_at (index) - 1, length_at (index));
    else
      return Null(ByteStr);
  }
--- a/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5643036478930944
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5643036478930944
--- a/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5686186874503168
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-hb-subset-fuzzer-5686186874503168