[AAT] Fix ankr table access

Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=918340
6 years ago · a3fa7d3336
parent 760303d411
commit a3fa7d3336
2 changed files with 4 additions and 3 deletions
--- a/src/hb-aat-layout-ankr-table.hh
+++ b/src/hb-aat-layout-ankr-table.hh
@ -69,8 +69,8 @@ struct ankr
    if (!offset)
      return Null(Anchor);
    const GlyphAnchors &anchors = StructAtOffset<GlyphAnchors> (&(this+anchorData), *offset);
-    /* TODO Use sanitizer; to avoid overflows and more. */
-    if (unlikely ((const char *) &anchors + anchors.get_size () > end))
+    if (unlikely (end - (const char *) &anchors < anchors.len.static_size ||
+		  end - (const char *) &anchors < anchors.get_size ()))
      return Null(Anchor);
    return anchors[i];
  }
@ -80,7 +80,8 @@ struct ankr
    TRACE_SANITIZE (this);
    return_trace (likely (c->check_struct (this) &&
 			  version == 0 &&
-			  lookupTable.sanitize (c, this)));
+			  lookupTable.sanitize (c, this) &&
+			  anchorData.sanitize (c, this) /* Just one byte. */));
  }

  protected:
--- a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5126525414014976
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5126525414014976