[coord-setter] Fix memory access in case of malloc failure

Fixes https://oss-fuzz.com/testcase-detail/5383702943432704
2025-04-17 02:35:52 +00:00 · 2025-02-25 14:54:37 -07:00 · 2025-02-25 14:54:37 -07:00 · e450552d07
commit e450552d07
parent b12612f525
2 changed files with 11 additions and 9 deletions
--- a/src/OT/Var/VARC/coord-setter.hh
+++ b/src/OT/Var/VARC/coord-setter.hh
@ -34,23 +34,25 @@ struct coord_setter_t
 	return static_coords[idx];
      }
      else
-      {
        dynamic_coords.extend (hb_array (static_coords, length));
-      }
    }

-    if (dynamic_coords.length <= idx &&
-	unlikely (!dynamic_coords.resize (idx + 1)))
-      return Crap(int);
+    if (dynamic_coords.length <= idx)
+    {
+      if (unlikely (!dynamic_coords.resize (idx + 1)))
+	return Crap(int);
+      length = idx + 1;
+    }
    return dynamic_coords.arrayZ[idx];
  }

  hb_array_t<int> get_coords ()
-  { return dynamic_coords ? dynamic_coords.as_array () : hb_array (static_coords, length); }
+  { return length <= ARRAY_LENGTH (static_coords) ? hb_array (static_coords, length) : dynamic_coords.as_array (); }

+  private:
+  hb_vector_t<int> dynamic_coords;
  unsigned length;
  int static_coords[64];
-  hb_vector_t<int> dynamic_coords;
 };


--- a/src/hb-vector.hh
+++ b/src/hb-vector.hh
@ -66,8 +66,8 @@ struct hb_vector_t
      alloc (hb_len (iter), true);
    while (iter)
    {
-      if (!alloc (length + 1))
-	break;
+      if (unlikely (!alloc (length + 1)))
+        return;
      unsigned room = allocated - length;
      for (unsigned i = 0; i < room && iter; i++)
 	push_has_room (*iter++);