From 28aba780c4035cc85a31b778db0f5553c896dd6a Mon Sep 17 00:00:00 2001
From: Ebrahim Byagowi
Date: Fri, 23 Aug 2019 16:47:15 +0430
Subject: [PATCH] [subset] Fix blob leak of _subset2 when returns early

Fixes https://crbug.com/oss-fuzz/16639
---
 src/hb-subset.cc | 2 ++
 ...se-minimized-hb-subset-fuzzer-5754526379802624 | Bin 0 -> 288 bytes
 2 files changed, 2 insertions(+)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5754526379802624

diff --git a/src/hb-subset.cc b/src/hb-subset.cc
index 6235a5bf5..c0752acc1 100644
--- a/src/hb-subset.cc
+++ b/src/hb-subset.cc
@@ -82,6 +82,7 @@ _subset2 (hb_subset_plan_t *plan)
 if (unlikely (!buf.alloc (buf_size)))
 {
 DEBUG_MSG(SUBSET, nullptr, "OT::%c%c%c%c failed to allocate %u bytes.", HB_UNTAG (tag), buf_size);
+ hb_blob_destroy (source_blob);
 return false;
 }
 retry:
@@ -96,6 +97,7 @@ _subset2 (hb_subset_plan_t *plan)
 if (unlikely (!buf.alloc (buf_size)))
 {
 DEBUG_MSG(SUBSET, nullptr, "OT::%c%c%c%c failed to reallocate %u bytes.", HB_UNTAG (tag), buf_size);
+ hb_blob_destroy (source_blob);
 return false;
 }
 goto retry;
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5754526379802624 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5754526379802624
new file mode 100644
index 0000000000000000000000000000000000000000..3a7cc9d99a2897a00801b395da8fec771fe049c2
GIT binary patch
literal 288
zcmZQzWME)mSHKF=b1Kt75
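Review bot: The release of `source_blob` is now copied by hand in front of both early `return false;` sites in `_subset2` (the allocate hunk at line 82 and the reallocate hunk at line 96), which leaves the blob's lifetime coupled to every exit path — the same structure that produced the leak this commit fixes. Routing both failure branches through one exit, e.g. a `bool ok = false;` plus a `fail:` label that runs `hb_blob_destroy (source_blob); return ok;`, or holding the blob in a small scoped owner whose destructor calls `hb_blob_destroy`, would make the release structural so that a future early return cannot reintroduce the leak. `_subset2` starts and ends outside these hunks, so the patch alone does not show whether other returns between acquiring `source_blob` and its normal release are still unguarded; that is worth checking once. At minimum, a comment at the first added line, `// every early return after acquiring source_blob must destroy it (oss-fuzz 16639)`, would record the invariant for the next edit.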