[repacker] fix fuzzer found memory leak.

Fixes https://oss-fuzz.com/testcase-detail/5196242811748352
2 years ago · b3fed4fa64
parent 247ffe389f
commit b3fed4fa64
2 changed files with 4 additions and 1 deletions
--- a/src/graph/markbasepos-graph.hh
+++ b/src/graph/markbasepos-graph.hh
@ -319,7 +319,8 @@ struct MarkBasePosFormat1 : public OT::Layout::GPOS_impl::MarkBasePosFormat1_2<S
    hb_vector_t<class_info_t> class_to_info;

    unsigned class_count= classCount;
-    class_to_info.resize (class_count);
+    if (!class_to_info.resize (class_count))
+      return hb_vector_t<class_info_t>();

    auto mark_array = c.graph.as_table<MarkArray> (this_index, &markArray);
    if (!mark_array) return hb_vector_t<class_info_t> ();
@ -327,6 +328,7 @@ struct MarkBasePosFormat1 : public OT::Layout::GPOS_impl::MarkBasePosFormat1_2<S
    for (unsigned mark = 0; mark < mark_count; mark++)
    {
      unsigned klass = (*mark_array.table)[mark].get_class ();
+      if (klass >= class_count) continue;
      class_to_info[klass].marks.add (mark);
    }

@ -335,6 +337,7 @@ struct MarkBasePosFormat1 : public OT::Layout::GPOS_impl::MarkBasePosFormat1_2<S
      unsigned mark = (link.position - 2) /
                     OT::Layout::GPOS_impl::MarkRecord::static_size;
      unsigned klass = (*mark_array.table)[mark].get_class ();
+      if (klass >= class_count) continue;
      class_to_info[klass].child_indices.push (link.objidx);
    }

--- a/test/fuzzing/graphs/clusterfuzz-testcase-minimized-hb-repacker-fuzzer-5196242811748352
+++ b/test/fuzzing/graphs/clusterfuzz-testcase-minimized-hb-repacker-fuzzer-5196242811748352