From c31092ab34641072606f854408eb1bea18ed2507 Mon Sep 17 00:00:00 2001
From: Michiharu Ariza
Date: Wed, 5 Dec 2018 17:04:55 -0800
Subject: [PATCH 1/2] sanitize variationStore in CFF2 against its size

---
 src/hb-ot-cff2-table.hh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/hb-ot-cff2-table.hh b/src/hb-ot-cff2-table.hh
index 178acf0b1..de2b1b224 100644
--- a/src/hb-ot-cff2-table.hh
+++ b/src/hb-ot-cff2-table.hh
@@ -115,7 +115,7 @@ struct CFF2VariationStore
   inline bool sanitize (hb_sanitize_context_t *c) const
   {
     TRACE_SANITIZE (this);
-    return_trace (likely (c->check_struct (this)) && varStore.sanitize (c));
+    return_trace (likely (c->check_struct (this)) && c->check_range (&varStore, size) && varStore.sanitize (c));
   }
 
   inline bool serialize (hb_serialize_context_t *c, const CFF2VariationStore *varStore)

From 9d8f3b0dfbf39f5dfa25d52f47e8af6ad318eb17 Mon Sep 17 00:00:00 2001
From: Michiharu Ariza
Date: Wed, 5 Dec 2018 17:14:51 -0800
Subject: [PATCH 2/2] add minimized test case for oss-fuzz issue 11713

---
 ...se-minimized-hb-subset-fuzzer-5660711141769216 | Bin 0 -> 383 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5660711141769216

diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5660711141769216 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5660711141769216
new file mode 100644
index 0000000000000000000000000000000000000000..302a1c4ef86356a72b098b5ebffd80c309f47841
GIT binary patch
literal 383
zcmeYd3Grv(V`yMtW=L>$b2FN^W~vDT1H&5z2G%H#FvlS4-1kWg3~UVy49qsZK>q5# zD>4`uIQIb6H2DYX8%3|Hn8U!p9t9wOMMi33ioh%m9-w_5K)zW9P=Gy*X&q4h z1dy+iky}#1mc+0U$OpQQfhRYyqJV)p0L1(OB-rv2b5nmkZ+OALzzgK^#uVfim;ArT zV8p;66$2DdU}9ip5S9h9>UmT^RKFmIRFnV`jEs!T-Ta^I85n^a9x&;{08$SH4h#+q n2Y`@)B_Ava5!Pm40NT#1>jYB
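Review bot: The added `c->check_range (&varStore, size)` bounds `size` bytes starting at `varStore`, but `varStore.sanitize (c)` on the same line still validates the VariationStore's internal offsets against the whole blob rather than against `size`, so a store whose sub-tables extend past `size` while staying inside the blob still passes even though `size` is what this table declares the store to occupy. If the sanitize context cannot be narrowed to that sub-range, the disagreement is worth recording at the check, e.g. `/* size is the font's declared byte length of varStore; check_range keeps that span inside the blob, but varStore.sanitize () still checks sub-offsets against the full blob, so the two bounds can disagree. */`. Whether any consumer copies exactly `size` bytes (serialize, whose body lies outside the hunk, looks like the candidate) should be confirmed before treating this check as sufficient on its own. The enclosing struct CFF2VariationStore begins and ends outside the hunk.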