From 7dc341fe745bc1784b08efd4c658de292b958b0d Mon Sep 17 00:00:00 2001
From: ckitagawa
Date: Thu, 23 Jan 2020 11:09:15 -0500
Subject: [PATCH] [subset] Fix UBSAN issue in sbix
---
 src/hb-ot-color-sbix-table.hh | 5 +++--
 ...se-minimized-hb-subset-fuzzer-5753173985984512 | Bin 0 -> 616 bytes
 2 files changed, 3 insertions(+), 2 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5753173985984512
diff --git a/src/hb-ot-color-sbix-table.hh b/src/hb-ot-color-sbix-table.hh
index 7abf4a333..263ae7a3a 100644
--- a/src/hb-ot-color-sbix-table.hh
+++ b/src/hb-ot-color-sbix-table.hh
@@ -337,12 +337,13 @@ struct sbix
 const void *dst_base,
 unsigned int i,
 unsigned int sbix_len) const
 {
+ // Push first so reverting doesn't fail.
+ c->serializer->push ();
+
 if (strikes[i].is_null () || sbix_len < (unsigned int) strikes[i])
 return false;
 
- c->serializer->push ();
-
 return (this+strikes[i]).subset (c, sbix_len - (unsigned int) strikes[i]);
 }
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5753173985984512 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5753173985984512
new file mode 100644
index 0000000000000000000000000000000000000000..46ec9296dac1c254bc237fdf22cedf483fca337f
GIT binary patch
literal 616
zcmZQzWME+6W@unwW-#y%);AItQtf77V6*@U0|6U@&r1^^e*uuKlb%zVX70k~0OVf*
z^2IVz6H|B|PS*jl_W-e322g;_ky#1I{sP1*8M!4D%nCpj1LF)J!IqPsoCvfF#6JV#
z=O$JZF!3`;1Njm_zCvDNZYs+HUUne=4Uq3wkY8K^bQcgX*?{DWlQJt*-8LKr@?(H%
zSQtQ#1Y&_lp|0`#HeVT}A+}vwz$5_Db^UYTeGtv802b$9U;^=g0O~m;CeRj$UZ^}X
zSPc&Y3xfhsgartJdR{XA{|_O>k<9@42y8MlBUl&2bcmfG89AUI7+E-hat1(^5H{2$
z$Qpoh>zoprG8jsLb~-a;FcdN5GvqQPg4wAI$qdt!Atu-8BH9e?Kq)
literal 0
HcmV?d00001
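Review bot: The added comment `// Push first so reverting doesn't fail.` only makes sense to a reader who already knows the caller unwinds the serializer frame when this function returns false; nothing inside the function shows that, so the next maintainer may "optimise" the push back below the bounds check and reintroduce the pop-without-push that the fuzzer found. I'd make the contract explicit: `// Always open a serializer frame before any early return: callers revert/pop this frame on failure, so the is_null/length rejection below must also leave a frame to pop.` The enclosing function's signature line lies before the hunk, and `dst_base` is not referenced anywhere in the visible body, so it appears unused here — worth confirming against the call site. The reordering itself is sound: the frame now exists on every path, including the `sbix_len < (unsigned int) strikes[i]` rejection.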