From 62f5ed461ea5fa4fd63631ddeb505ea16e2becb4 Mon Sep 17 00:00:00 2001 From: Behdad Esfahbod Date: Wed, 28 Jun 2023 12:02:52 -0600 Subject: [PATCH] [subset/cff] Fix an infinite loop Fixes https://oss-fuzz.com/testcase-detail/5419002026131456 --- src/hb-ot-cff-common.hh | 6 +++--- src/hb-subset-cff-common.cc | 3 ++- ...e-minimized-hb-subset-fuzzer-5419002026131456 | Bin 0 -> 1718 bytes 3 files changed, 5 insertions(+), 4 deletions(-) create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5419002026131456 diff --git a/src/hb-ot-cff-common.hh b/src/hb-ot-cff-common.hh index 299caf683..a04479d79 100644 --- a/src/hb-ot-cff-common.hh +++ b/src/hb-ot-cff-common.hh @@ -488,7 +488,7 @@ struct FDSelect3_4 { auto *range = hb_bsearch (glyph, &ranges[0], nRanges () - 1, sizeof (ranges[0]), _cmp_range); unsigned fd = range ? range->fd : ranges[nRanges () - 1].fd; - hb_codepoint_t end = range ? range[1].first : 0; + hb_codepoint_t end = range ? range[1].first : ranges[nRanges () - 1].first; return {fd, end}; } @@ -542,13 +542,13 @@ struct FDSelect /* Returns pair of fd and one after last glyph in range. */ hb_pair_t get_fd_range (hb_codepoint_t glyph) const { - if (this == &Null (FDSelect)) return {0, 0}; + if (this == &Null (FDSelect)) return {0, 1}; switch (format) { case 0: return u.format0.get_fd_range (glyph); case 3: return u.format3.get_fd_range (glyph); - default:return {0, 0}; + default:return {0, 1}; } } diff --git a/src/hb-subset-cff-common.cc b/src/hb-subset-cff-common.cc index ad5fb2ded..5e4ea5fe7 100644 --- a/src/hb-subset-cff-common.cc +++ b/src/hb-subset-cff-common.cc @@ -95,7 +95,8 @@ hb_plan_subset_cff_fdselect (const hb_subset_plan_t *plan, prev_fd = fd; fdselect_ranges.push (code_pair_t { fd, gid }); - gid = hb_min (_.first - 1, last_range.second - 1); + if (gid == old_glyph) + gid = hb_min (_.first - 1, last_range.second - 1); } } 
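Review bot: In FDSelect3_4::get_fd_range the new fallback `ranges[nRanges () - 1].first` is taken only when hb_bsearch finds no range, and in that case the returned `end` is not necessarily "one after last glyph in range" as the FDSelect-level comment promises: presumably the miss happens when glyph is at or beyond the sentinel's `first`, so `end` can be less than or equal to glyph, and the fd returned on this path is the sentinel's fd. That asymmetry is what the caller's new `gid == old_glyph` guard in hb-subset-cff-common.cc compensates for, so it deserves a comment on the changed line, e.g. `/* No range matched: fall back to the sentinel. end may be <= glyph here, so callers must not rely on end for forward progress. */`. I also assume sanitize already rejects `nRanges () == 0`; if it does not, `nRanges () - 1` wraps before the bsearch. get_fd_range's signature lies outside the hunk.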
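Review bot: The two `{0, 1}` returns in FDSelect::get_fd_range (the Null check and the `default:` branch) introduce an undocumented magic value right under a comment that says the second element is "one after last glyph in range", and 1 is only true of that for glyph 0. The apparent reason is that hb_codepoint_t is unsigned, so a caller computing `last_range.second - 1` from the old `{0, 0}` wrapped to 0xFFFFFFFF; a one-line comment at the first return would keep the next maintainer from "fixing" it back, e.g. `/* No FDSelect: every glyph is fd 0. end is 1, not 0, so that end - 1 in callers cannot wrap. */`. It would also be worth stating in that comment that `end` is not meaningful for glyph > 0 on these paths, since the caller treats it as a range boundary.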
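Review bot: The new `if (gid == old_glyph)` guard in hb_plan_subset_cff_fdselect is the actual infinite-loop fix, but nothing in the hunk says why the skip-ahead `gid = hb_min (_.first - 1, last_range.second - 1);` is now conditional, and a reader who sees the commit title only from history will not connect the two. A comment tying it to the fuzz case would help, e.g. `/* Only jump to the end of the current range when gid is the glyph we just looked up; otherwise last_range.second can be at or below gid and the loop would not advance (oss-fuzz 5419002026131456). */` — the "at or below" part is my inference from the FDSelect3_4 fallback in the same patch and should be confirmed against the loop header. Both `_.first - 1` and `last_range.second - 1` still wrap when the operand is 0 (hb_codepoint_t is unsigned); presumably hb_min then picks the other operand, but that is worth a second look since the guard no longer runs on every iteration. The enclosing loop and function start and end outside the hunk.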
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5419002026131456 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5419002026131456 new file mode 100644 index 0000000000000000000000000000000000000000..5f7fd639e5320f35a91002b3e3c5f20f6a259883 GIT binary patch literal 1718 zcmeHHU2GIp6h3!mcDL)^QDd};Enu;+c44O^JP>rcd+n@Y=T2vC zTN;I~f$-BGsF4KuNh45vLU}MICPu^u-*`dv#Y7v!OMNgg{$yLXbUb%k+Zv6$_~=RI zo_p>&_uPBF@7zgtb|yiGJgCsTy|tBAtvSj8;1+;(CTS+1OwlR}X5j{{_$7itVqB~w8zlabJjr@)Ll3Y zUzCGm`i3VRXzF;|@wk;mVGBoQ@VKchN$pQ=prmzIV?M^1aJ<8GJ(KPRMgqLN0d?7!g zI(cpUEuYcul!VpfL!%eZQ(UH|#oxx-x>#F=IU*|tmUy`ICl66Cwv(kD6I1>ZNip2Y zyFJUb{iV(GB--+{*e;JFRwBzC3w!EK5(!^vy!>nwpsqfzViThf1r&l)m5^BN;|3X# zM23(g?WG3{q*X^+rIkYKlpZmlLRx!%1XU8K{I%sjsxH3qd13db#oeD2Ui+*rd~W>w z$hk`$@2}1W!B-eAal=-Y=gLL|3A%!x^t8ELcU?p4X3bc2CRw_1(S|WxS z16g=U2RA?bPk_OE%jG`6{42)G^WgkGsg@IRXw~#Dt7fXIu}L13Kahs%>jmxVcUQi- z{Qa8KwD!HHKPWCFC&kej2|{u7UQg(UnJ)_>RCqUBDRJ9MNcirdp07_=HT?!^WJ>P1 qJ+b1{f<7`^Q=E#rkrimGpaem14_Ta5?~pP4%fbIF&$s__TK)i^>xSz9 literal 0 HcmV?d00001