From 0d5695983e8bf3184ecd4cb92f737b9dfe5d6d25 Mon Sep 17 00:00:00 2001
From: Qunxin Liu
Date: Sun, 5 Apr 2020 18:44:26 -0700
Subject: [PATCH] [subset] fixes dangling object_t issue in FeatureVariationRecord

Fixes https://crbug.com/oss-fuzz/21560
revert () does not clean up useless object_t.
Adjust the order of subsetting substitutions and conditions to avoid dangling object_t.
---
 src/hb-ot-layout-common.hh | 9 +++++----
 ...se-minimized-hb-subset-fuzzer-5759725666041856 | Bin 0 -> 114 bytes
 2 files changed, 5 insertions(+), 4 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5759725666041856

diff --git a/src/hb-ot-layout-common.hh b/src/hb-ot-layout-common.hh
index 019370908..883ccab6a 100644
--- a/src/hb-ot-layout-common.hh
+++ b/src/hb-ot-layout-common.hh
@@ -2708,11 +2708,12 @@ struct FeatureVariationRecord
 TRACE_SUBSET (this);
 auto *out = c->subset_context->serializer->embed (this);
 if (unlikely (!out)) return_trace (false);
-
- out->conditions.serialize_subset (c->subset_context, conditions, base);
-
+
 bool ret = out->substitutions.serialize_subset (c->subset_context, substitutions, base, c);
- return_trace (ret);
+ if (unlikely (!ret)) return_trace (false);
+
+ out->conditions.serialize_subset (c->subset_context, conditions, base);
+ return_trace (true);
 }
 
 bool sanitize (hb_sanitize_context_t *c, const void *base) const
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5759725666041856 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5759725666041856
new file mode 100644
index 0000000000000000000000000000000000000000..b23c11afb01dc2861fb41c60ca7bc6fde5b59668
GIT binary patch
literal 114
zcmZQzWME)mQost_gF~G_5
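Review bot: The new ordering in FeatureVariationRecord::subset is load-bearing but nothing in the code says so: the commit description explains that revert () does not discard an object_t already pushed by a nested serialize_subset, so the call whose failure aborts the record (substitutions) has to run before conditions is pushed, and a later tidy-up could silently swap the two lines back and reintroduce the dangling object. I would add above the `bool ret = out->substitutions.serialize_subset (...)` line: `/* Subset substitutions before conditions: a failed subset reverts the serializer, and revert () does not clean up an object_t already pushed for conditions, which would leave it dangling. */`. Separately, the result of `out->conditions.serialize_subset (c->subset_context, conditions, base);` is still discarded and the function then hits `return_trace (true);`, so a failure there is not reported by this record; presumably the serializer's error state is checked by the caller, but that is not visible in the hunk — confirm. The signature of subset lies above the hunk and is not visible here.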