From b22f61d86a27e1dcbcab5ecdbbff579175dc5aaf Mon Sep 17 00:00:00 2001
From: ckitagawa <ckitagawa@chromium.org>
Date: Tue, 21 Apr 2020 11:49:05 -0400
Subject: [PATCH] Fix bug

---
 src/hb-ot-color-cbdt-table.hh                    |   7 ++++++-
 ...e-minimized-hb-subset-fuzzer-5684014636859392 | Bin 0 -> 7148 bytes
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5684014636859392

diff --git a/src/hb-ot-color-cbdt-table.hh b/src/hb-ot-color-cbdt-table.hh
index 5bf23457c..cd33651dd 100644
--- a/src/hb-ot-color-cbdt-table.hh
+++ b/src/hb-ot-color-cbdt-table.hh
@@ -572,7 +572,12 @@ struct IndexSubtableArray
     for (unsigned int start = 0; start < lookup.length;)
     {
       if (unlikely (!lookup[start].second->add_new_record (c, bitmap_size_context, &lookup, this, &start, &records)))
-	return_trace (false);
+      {
+        // Discard any leftover pushes to the serializer from successful records.
+        for (unsigned int i = 0; i < records.length; i++)
+          c->serializer->pop_discard ();
+        return_trace (false);
+      }
     }
 
     // Workaround to ensure offset ordering is from least to greatest when
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5684014636859392 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5684014636859392
new file mode 100644
index 0000000000000000000000000000000000000000..f7d3c0d21dcc166f4da5e5304d77b1121936e809
GIT binary patch
literal 7148
zcmeHLc~Fx_6o0uOgaiRaE`w1Jv|2zp1v&x=gHbNIDjpFuAXH+Y+#@OtN<%@6S7|^P
zr9uUYXtmTq)IvasB8Nv6bwCBBqCi!kfDUw*U~8w-zdD_<)9=mf@!r0-yKnc~-@g5T
z1OQA(0}8lu-Fbo8lwxlrX#z0Z#C7-Lt_bjM0Wh+j0U-1Zuv(JnES-b+gGeWIlPE04
zf*Wp!_(8;rBE!RkI*Y5j0E~r*w~s^u9U+~H_``@dixkBtYYd|r82^YehA1pK2A0E8
z#G~<mvo%Z<uD97b8u8BoNVYNJxcJu=unU0A!R?8tKP>_E3gTT6Z<dJrt4B3p<M9~C
z2S}4bxD<d=km={+$zm8WPy>s<oac{9B!@IQQi2|bHWn)E{k#G_yrN=V|4gy5u?mHv
zv$JzxU|?`?aBOU>wY7C*WTdL9s;8$%CX<zvlvKEJ+fWa>@%}ymz?g2bz{WMMu(5Mu
z*UO00-XT4Djx}f!R6frwFqzbsSNmN7hnb=I%K~!Ig^8<)P9MdU9~Jm&D?<*7`?4?c
z$^53hwV~DqOto}WoV+}$ZECfV*|DAHA&svOt!VJrDs2{Avi)XWu6_#tm2lBK@XNh^
zDi9=la_D|>qYJl?rNK^XEPv=$;~BF{Q&*CUcIQ;Mob>KpA!&_O6tPeBH(Tvz#Z>3W
zudZz>Ykpz<_~p!JRKX2Ssk6fq_VCh*?Y+DPy8Ng91gnyp`SnkWz0O~F{-8cpFJ#Wo
zDG>`c8)=_^9VF)+yYg+1@sU?q%j7GmvOMuDTSJ;fm%5>w_d;=v^|*QT?1rNU&PdGY
z_gWt8ZjCVIrM}SeDV%szmub$Y#MjpB5J*!W?9`qs8EUr+4jFBy(v{~N<jQiT$Sg(E
z-Kf6$3%6)(Wo($O?C^RsUk}a(Hx1dij>8kKpz?mYZec}UV_W`QS$k3w|JPeB<<FMp
zy(xS6LJ%H&d}q>N#GxuhQmgFgNYq}f#97qOtaIY-uAQCbtg~|MAt%Y)feEU!nQ?Ht
z!d44y8b>*i<(HA~ayGLhDo@j?c-yg{%VL9L{Wc%US&H+^R_W)RJMKD^nLi8ZBHAVt
zENk*CZwWKVVU4FU%;om8E1&NRb}kZLj&-!Bm@KdTdRl%;&~5R2c1J^v57Q(;Xj33#
z@gF`eAq#xhN1dI>E?~^;lz-AeE1UE1K=VLd_UGRl>%tp$gQ8ON+QrnyJ&|9MySUP}
zD=a1HPH`w{U0+5w=~A&ZIk_xEGmv}Nou2s7spK=awnkb~zq*}n=pHj<yq}q3C(h_|
zH>KSu3>NL^I`dR%e#u}*e%i96+9#%DXH!j`(Y^U*4yoH*+U2bD_{DMiJFTNTJi6Zm
zS4J6Sh#jvFPCpXZdm4Ml_weDJa1WKBPZqO)F~Jd~MJSO`g7C-q?5OD7I?|+wL>v+-
zv7R=v$31XRu7gT+@+l=c_@q%_3}6h&=>9;}7$(Vp20*i+$<bgYs*-XWBFMUUKs60y
zp&~q!-^tV0*Ara9k;7My9%llmN0Tt_OzEg2+(08^4$lSkkFbS;Pyt{DLO4velex;v
z`KXS4#QG<u60+m)RS8+*Pi5Yu#yDOGJ(MsZ2eBQp!McbhM<ln!ZDPl4nC3DBn)FHW
zwYr;IaOLi5`4WI}rpEB(4C$&BRoSWhP+=m<aZm3ON!2nX!mU(zYma@z>keo|ET=To
zVGTrsKZL_(NI<nP_;jk}ZSmerp4jbwbGJ)rCzZQlF?F@%CYV=hMS77MXLNI}nmV-W
zOV-`bg?0~Z82VsmH>0Vej(kVRZ8UJVbTfLXztQ5}K3f{+ECJ5{2%Jj|ROgKV=eHj@
z0nUKId6Kj`Igo*_5fW7c-33~ZJXNOvmPbJx#Dn<naJ;nF(}ZUyIUMwQ*P*fetm;*2
z-H&pq?WKw1#{<}9OSC^`@Jyv;{nr>WowS530tbj74TlLtkcI;#^7|g7{YOGf0>y}@
yCh^qdOvX0EQ}ZuRO(N(Zf(|0+z?bCv6?72SHgRne*Y^M8+WzA|F#ZcXMZW=RV`4l2

literal 0
HcmV?d00001