From f0f7f22525d20ba05e9b69ba40b352cb89b506ae Mon Sep 17 00:00:00 2001
From: Garret Rieger <grieger@google.com>
Date: Mon, 20 Mar 2023 18:39:49 +0000
Subject: [PATCH] [subset] fix fuzzer found null deref.

https://oss-fuzz.com/testcase-detail/5844352760152064
---
 src/hb-subset-plan.cc                            |   9 +++++++--
 ...e-minimized-hb-subset-fuzzer-5844352760152064 | Bin 0 -> 1214 bytes
 2 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5844352760152064

diff --git a/src/hb-subset-plan.cc b/src/hb-subset-plan.cc
index 3a2d5081f..786cbbb72 100644
--- a/src/hb-subset-plan.cc
+++ b/src/hb-subset-plan.cc
@@ -346,7 +346,8 @@ _get_hb_font_with_variations (const hb_subset_plan_t *plan)
   hb_font_t *font = hb_font_create (plan->source);
 
   hb_vector_t<hb_variation_t> vars;
-  vars.alloc (plan->user_axes_location.get_population ());
+  if (!vars.alloc (plan->user_axes_location.get_population ()))
+    return nullptr;
 
   for (auto _ : plan->user_axes_location)
   {
@@ -382,7 +383,9 @@ _collect_layout_variation_indices (hb_subset_plan_t* plan)
   bool collect_delta = plan->pinned_at_default ? false : true;
   if (collect_delta)
   {
-    font = _get_hb_font_with_variations (plan);
+    if (unlikely (!plan->check_success (font = _get_hb_font_with_variations (plan))))
+      return;
+    
     if (gdef->has_var_store ())
     {
       var_store = &(gdef->get_var_store ());
@@ -905,6 +908,8 @@ hb_subset_plan_t::hb_subset_plan_t (hb_face_t *face,
   _populate_unicodes_to_retain (input->sets.unicodes, input->sets.glyphs, this);
 
   _populate_gids_to_retain (this, input->sets.drop_tables);
+  if (unlikely (in_error ()))
+    return;
 
   _create_old_gid_to_new_gid_map (face,
                                   input->flags & HB_SUBSET_FLAGS_RETAIN_GIDS,
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5844352760152064 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5844352760152064
new file mode 100644
index 0000000000000000000000000000000000000000..0228414954428b35b60d00a964050b4eefe53296
GIT binary patch
literal 1214
zcmZWoOK6ip5dQwn|ENh!YpvozG(wS33)<kLN`3UDMM5k#K0u)jeHdyVX{=iHQV>L~
z2T{?39(-JCEuw;uLq$P6coPxo!Gj0!SrimeOPlqZjo@pR+1+nuc6MfV78ZbFPBy}|
zTVh*LWkmts21+|>Gu4gpSo|=RFNmLRs;l2<&7~!*axB4uO^vrlQ&p)RSauQhg=C@k
z)IZ}I+0wK$dhqD6cYu0H+|rb&PF%Qg;vV&<h)Y|$lW7ETp85#!@{R+^%%z7zk9q$v
zao?V<Lmk%w@nRq}kM2+Ip?*cf&ijD38*s-`?a8*;A70T^5o2YFg5bE*N&mNqOH<wb
z11+7tLF&&DZ|>@CO_nc>?5BQ;xU4%lkj5o7lQ>2k?n!pHFAA=E0608vjih_`_3JDu
zxbG4@tTn6^cfZMk1t0SVqLtBAl`B?9OQ2bak0_u<VF6qkw~=jQX-?|9*!9~5cXNIr
z@m2s80!s1{J$>(beazzXG&R)iuy_*(yy59PK*0SmICVKNDw4lwmXY|em_yZVj3rRq
zmF({U-I5q8pg+lM=&H3>g;b{+QD1zOzB|4z_BQ*bv);Mrx^AEQ+AH&pc#q_HnGGL?
zTp}5pl|94NHn{<{S`$@ktsne~$wW3kQggZab8}(USNOaqw7~e-pwu7Z6H_OC3{DRP
zMm@ovxq%xejpfc$%)nW((vt?K(aZG=xmR?~TEw{KIjbK#Svce}v!2qESc&gsMr^;d
zPQ!uil-SZ0=ku!?LsVtOzavwg{;1>t8fp?@Y(O<?rQTM~8&>f!@-f-R83&lX)I%y7
zCx=jE_71amnTrRX{>GZjAoddnXdR^8OyUr6A+Z!z-m92+w(%zZEV4~W0cSZQH%M$n
zlquHVMzCgkz4YvVBnA`6=_#Glxm+QSMc&Xy1djaPOoM5)C4FzfXKGRKFDqm71{tqJ
zZEjgF9c$=HL50OHl4<=qA~>rSnlGYW2mI`Y=M+_$FEV8R+rd<s4xXgP5#!j;uTai^
uB#kI(@q4p0=E}Y88IdJSXD)^-DagpzK}@1@It<L`ej!R(qBq=iK>q|(h0O>6

literal 0
HcmV?d00001