organicmaps/harfbuzz
13
Fork 0
mirror of https://github.com/harfbuzz/harfbuzz.git synced 2025-04-14 17:13:40 +00:00
Code Issues 1 Projects Releases Wiki Activity Actions

[graph] Fix invalid read when map gets resized

Browse source 
I don't fully understand how the old code was wrong, since
*v should be evaluated before the set() method call.
Yet this seems to fix a bug that could be reproduced
with HB_DEBUG_SUBSET_REPACK enabled and the following:

$ hb-repacker-fuzzer test/fuzzing/graphs/clusterfuzz-testcase-minimized-hb-repacker-fuzzer-6419865171525632
This commit is contained in:
Behdad Esfahbod 2023-08-01 15:16:16 -06:00
parent 94d4283b12
commit 70b3fbed28
1 changed files with 8 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
src/graph/graph.hh
View file

@ -188,8 +188,10 @@ struct graph_t
unsigned incoming_edges () const
{
if (HB_DEBUG_SUBSET_REPACK)
{
assert (incoming_edges_ == (single_parent != (unsigned) -1) +
(parents.values_ref () | hb_reduce (hb_add, 0)));
}
return incoming_edges_;
}
@ -304,10 +306,13 @@ struct graph_t
return;
}
const unsigned *v;
if (parents.has (old_index, &v) &&
parents.set (new_index, *v))
const unsigned *pv;
if (parents.has (old_index, &pv))
{
unsigned v = *pv;
parents.set (new_index, v);
parents.del (old_index);
}
}
bool is_leaf () const