From cc44b3bce0a7be5536df7df910b5bc73a5e4a741 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Thu, 29 Jun 2023 16:12:10 -0600
Subject: [PATCH] [subset/cff1] Handle an error condition

Fixes https://oss-fuzz.com/testcase-detail/5191907895279616
---
 src/hb-subset-cff1.cc                            |  11 +++++++----
 ...e-minimized-hb-subset-fuzzer-5191907895279616 | Bin 0 -> 2025 bytes
 2 files changed, 7 insertions(+), 4 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5191907895279616

diff --git a/src/hb-subset-cff1.cc b/src/hb-subset-cff1.cc
index fb93448dc..fcd7ba421 100644
--- a/src/hb-subset-cff1.cc
+++ b/src/hb-subset-cff1.cc
@@ -491,7 +491,7 @@ struct cff1_subset_plan
       subset_enc_format = 1;
   }
 
-  void plan_subset_charset (const OT::cff1::accelerator_subset_t &acc, hb_subset_plan_t *plan)
+  bool plan_subset_charset (const OT::cff1::accelerator_subset_t &acc, hb_subset_plan_t *plan)
   {
     unsigned int  size0, size_ranges;
     unsigned last_sid = CFF_UNDEF_CODE - 1;
@@ -499,7 +499,7 @@ struct cff1_subset_plan
     if (unlikely (!subset_charset_ranges.resize (0)))
     {
       plan->check_success (false);
-      return;
+      return false;
     }
 
     code_pair_t glyph_to_sid_cache {0, HB_CODEPOINT_INVALID};
@@ -510,7 +510,7 @@ struct cff1_subset_plan
 							acc.num_charset_entries))))
     {
       plan->check_success (false);
-      return;
+      return false;
     }
 
     glyph_to_sid_map_t *glyph_to_sid_map = acc.cff_accelerator ?
@@ -587,6 +587,8 @@ struct cff1_subset_plan
       subset_charset_format = 1;
     else
       subset_charset_format = 2;
+
+    return true;
   }
 
   bool collect_sids_in_dicts (const OT::cff1::accelerator_subset_t &acc)
@@ -673,7 +675,8 @@ struct cff1_subset_plan
       if (unlikely (sidmap.get_population () > 0x8000))	/* assumption: a dict won't reference that many strings */
 	return false;
 
-      if (subset_charset) plan_subset_charset (acc, plan);
+      if (subset_charset && !plan_subset_charset (acc, plan))
+        return false;
 
       topdict_mod.reassignSIDs (sidmap);
     }
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5191907895279616 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5191907895279616
new file mode 100644
index 0000000000000000000000000000000000000000..a1936d04ff82f68b8b066d5f3e18f3aa23785c9d
GIT binary patch
literal 2025
zcmds0OAdlC6r3h5OcXyicro!L8n(D#=gI?^xb%=Ny@yNLl|pH?uYyn{A$HOB&6}A{
z9wAB71am6aE{@9+z@4PVy6r|}PB8hN)epDUGHKN3)AdpiRGynA9vR;-H4Geph)B?c
zAOuY-wz{u2uF_T+mXr~m+cjpwqC`CDTZ><%4a_<~1t1d6Jl)u&42s3nKP;{FBEZxQ
zrlY>nBEYdh;y%_u9H3>V6zp9&^f&SognJGc%8xk)#2=N9j3MV=XK42$*Ra}ruY%Kt
W*Kf)lU+75xmaW!KHEMgGO=S*=-!QfS

literal 0
HcmV?d00001