From db23be642ff13706333069ef895f7b6559a9036b Mon Sep 17 00:00:00 2001
From: Garret Rieger
Date: Tue, 2 May 2023 00:06:08 +0000
Subject: [PATCH] [subset] clamp head *Min/*Max values to fit within 16 bit signed int. Fixes fuzzer https://oss-fuzz.com/testcase-detail/4549472192692224.
---
src/OT/glyf/Glyph.hh | 11 +++++++----
...e-minimized-hb-subset-fuzzer-4549472192692224 | Bin 0 -> 1634 bytes
2 files changed, 7 insertions(+), 4 deletions(-)
create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-4549472192692224
diff --git a/src/OT/glyf/Glyph.hh b/src/OT/glyf/Glyph.hh
index 9c7c2fdbd..aa2a41c7a 100644
--- a/src/OT/glyf/Glyph.hh
+++ b/src/OT/glyf/Glyph.hh
@@ -168,10 +168,13 @@ struct Glyph
 }
 }
- int rounded_xMin = roundf (xMin);
- int rounded_xMax = roundf (xMax);
- int rounded_yMin = roundf (yMin);
- int rounded_yMax = roundf (yMax);
+
+ // These are destined for storage in a 16 bit field to clamp the values to
+ // fit into a 16 bit signed integer.
+ int rounded_xMin = hb_clamp (roundf (xMin), -32768.0f, 32767.0f);
+ int rounded_xMax = hb_clamp (roundf (xMax), -32768.0f, 32767.0f);
+ int rounded_yMin = hb_clamp (roundf (yMin), -32768.0f, 32767.0f);
+ int rounded_yMax = hb_clamp (roundf (yMax), -32768.0f, 32767.0f);
 update_mtx (plan, rounded_xMin, rounded_xMax, rounded_yMin, rounded_yMax, all_points);
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-4549472192692224 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-4549472192692224
new file mode 100644
index 0000000000000000000000000000000000000000..14ce218d77db61c58662e27561f80cb86199c797
GIT binary patch
literal 1634
zcmb_cOA5k341H5wxN_wIdKAH}D0qWXs4fbE3&Bfx4i71g$xJ`fbUrN_!Q>@xUeakO z6oA~??zlg31T41fwdVh@CCcH0O{El!>R#M9Mg3pw&-J6SSUuTGyU0WW*VnRO3ZUNX zr_4Wv!&;6dkAw+uWH<~n1+j
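Review bot: The four `hb_clamp (roundf (...), -32768.0f, 32767.0f)` initialisers in the Glyph.hh hunk bound the range but do not visibly handle NaN. If `xMin`/`xMax`/`yMin`/`yMax` can become NaN for a malformed font (not determinable from this hunk), the outcome depends on how `hb_clamp` orders its comparisons, and converting a NaN float to `int` is undefined behaviour. Consider an explicit NaN guard before the conversion, or a comment stating why NaN cannot reach this point. The added comment would also read better as `// These are destined for storage in a 16 bit field, so clamp the values to fit into a 16 bit signed integer.`. The enclosing function starts and ends outside the hunk, so where these extents come from was not reviewed.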