From 2e6919d5262e5fc747f6ac18057e8c0e286ade89 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Sat, 10 Jun 2023 10:08:56 -0600
Subject: [PATCH] [subset/cff2] Error handling

Fixes https://oss-fuzz.com/testcase-detail/4916785942757376
---
 src/hb-subset-cff2.cc | 12 ++++++++++--
 ...se-minimized-hb-subset-fuzzer-4916785942757376 | Bin 0 -> 331 bytes
 2 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-4916785942757376

diff --git a/src/hb-subset-cff2.cc b/src/hb-subset-cff2.cc
index 72323f128..07953b320 100644
--- a/src/hb-subset-cff2.cc
+++ b/src/hb-subset-cff2.cc
@@ -597,7 +597,11 @@ static bool _serialize_cff2 (hb_serialize_context_t *c,
 { return plan.fdmap.has (&_ - &acc.fontDicts[0]); }),
 hb_iter (private_dict_infos))
 ;
- if (unlikely (!fda->serialize (c, it, fontSzr))) return false;
+ if (unlikely (!fda->serialize (c, it, fontSzr)))
+ {
+ c->pop_discard ();
+ return false;
+ }
 plan.info.fd_array_link = c->pop_pack (false);
 }
 
@@ -607,7 +611,11 @@ static bool _serialize_cff2 (hb_serialize_context_t *c,
 {
 c->push ();
 auto *dest = c->start_embed ();
- if (unlikely (!dest->serialize (c, acc.varStore))) return false;
+ if (unlikely (!dest->serialize (c, acc.varStore)))
+ {
+ c->pop_discard ();
+ return false;
+ }
 plan.info.var_store_link = c->pop_pack (false);
 }
 
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-4916785942757376 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-4916785942757376
new file mode 100644
index 0000000000000000000000000000000000000000..15b49cef02d9b16c900312299692356cd6419a0e
GIT binary patch
literal 331
zcmZQzWME+6R{#TNH#Z{?11RzbA_67w zpnJ}sX+z<{v@
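Review bot: The new `c->pop_discard ();` on the two failure paths (the fda->serialize branch in the first hunk and the dest->serialize branch in the second) carries no comment, so the invariant it restores is invisible to the next reader, especially in the first hunk where the matching `c->push ()` lies above the hunk; in the second hunk the `c->push ();` is visible three lines earlier. I would annotate the first of them with `// Unwind the push () above: every push () must end in pop_pack () or pop_discard (), including on error` so the balance rule is stated next to the code that depends on it. The same push / serialize / pop_pack sequence presumably occurs for the other CFF2 tables written by `_serialize_cff2` outside these hunks; it is worth confirming that each of those failure returns also discards its pushed object, since an unbalanced serializer object stack on a malformed font is exactly what the attached fuzzer case exercises. `_serialize_cff2` begins before the first hunk and continues after the second.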