[subset] Fix possible overflows in VarRegionList serialize

Fixes https://oss-fuzz.com/testcase-detail/5362189182566400
4 years ago · c68a00b92e
parent 7b8464b655
commit c68a00b92e
3 changed files with 6 additions and 2 deletions
--- a/src/harfbuzz.cc
+++ b/src/harfbuzz.cc
@ -9,6 +9,7 @@
 #include "hb-fallback-shape.cc"
 #include "hb-font.cc"
 #include "hb-map.cc"
+#include "hb-ms-feature-ranges.cc"
 #include "hb-number.cc"
 #include "hb-ot-cff1-table.cc"
 #include "hb-ot-cff2-table.cc"
--- a/src/hb-ot-layout-common.hh
+++ b/src/hb-ot-layout-common.hh
@ -2517,7 +2517,8 @@ struct VarRegionList
  {
    TRACE_SANITIZE (this);
    return_trace (c->check_struct (this) &&
-		  axesZ.sanitize (c, (unsigned int) axisCount * (unsigned int) regionCount));
+		  !hb_unsigned_mul_overflows (axisCount * regionCount, VarRegionAxis::static_size) &&
+		  axesZ.sanitize (c, axisCount * regionCount));
  }

  bool serialize (hb_serialize_context_t *c, const VarRegionList *src, const hb_bimap_t &region_map)
@ -2527,7 +2528,9 @@ struct VarRegionList
    if (unlikely (!out)) return_trace (false);
    axisCount = src->axisCount;
    regionCount = region_map.get_population ();
-    if (unlikely (!c->allocate_size<VarRegionList> (get_size () - min_size))) return_trace (false);
+    if (unlikely (hb_unsigned_mul_overflows (axisCount * regionCount,
+					     VarRegionAxis::static_size))) return_trace (false);
+    if (unlikely (!c->extend<VarRegionList> (out))) return_trace (false);
    unsigned int region_count = src->get_region_count ();
    for (unsigned int r = 0; r < regionCount; r++)
    {
--- a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5362189182566400
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5362189182566400