From f3b4d35f362efb818959814b741e94facda5fd29 Mon Sep 17 00:00:00 2001
From: Garret Rieger
Date: Mon, 29 May 2023 22:38:40 +0000
Subject: [PATCH] [subset] Fix fuzzer crash.

https://oss-fuzz.com/testcase-detail/6608005089853440
---
 src/hb-serialize.hh | 6 +++++-
 ...se-minimized-hb-subset-fuzzer-6608005089853440 | Bin 0 -> 999 bytes
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6608005089853440

diff --git a/src/hb-serialize.hh b/src/hb-serialize.hh
index 61ec0253a..4bbb9eedc 100644
--- a/src/hb-serialize.hh
+++ b/src/hb-serialize.hh
@@ -323,6 +323,8 @@ struct hb_serialize_context_t
   {
     object_t *obj = current;
     if (unlikely (!obj)) return;
+    // Allow cleanup when we've error'd out on int overflows which don't compromise
+    // the serializer state.
     if (unlikely (in_error() && !only_overflow ())) return;
 
     current = current->next;
@@ -340,7 +342,9 @@ struct hb_serialize_context_t
   {
     object_t *obj = current;
     if (unlikely (!obj)) return 0;
-    if (unlikely (in_error())) return 0;
+    // Allow cleanup when we've error'd out on int overflows which don't compromise
+    // the serializer state.
+    if (unlikely (in_error() && !only_overflow ())) return 0;
 
     current = current->next;
     obj->tail = head;
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6608005089853440 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6608005089853440
new file mode 100644
index 0000000000000000000000000000000000000000..67029198a35c7ae369d7b03f7696569ae7d381cd
GIT binary patch
literal 999 zcmbVKO-n*S6g^{UCM6Xj5m6_CHo0gOK}67|9}xY3hqh=Th!jLCmw`kCx~gSC|DYey zZ)g>?YU4r(5^wj;)8|ubQFoX(=bdvuX6_6efGkH%L`Es{@aXu!SipgCUHFsxc!H3L zM~?eMY6RjwLu5I)sFO`540Jv%l){Ym%(B`y8Wv-re6(d>r0bbxlw;kHG}z!r#F3lKuq|!0Lr#}B zUT)aW1f4*ut+3#P0k0M3cqPu~4c)m$7FjJCrN%6CL>_pKuJMJR)ZWf(u$o0ZDNJJ7 zFo-3cM9pw$ZVJAeUQ!Jo~@#Z^!GOJ1q4L{5ufw literal 0 HcmV?d00001
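Review bot: The predicate `in_error() && !only_overflow ()` now appears with the same two-line comment in both the first hunk (pop_discard) and the second hunk (pop_pack); the second hunk exists precisely because the two call sites had drifted apart, so folding the test into one accessor on hb_serialize_context_t, e.g. `bool in_fatal_error () const { return in_error () && !only_overflow (); }`, and calling it from both would stop that happening again. The comment should also state what makes an overflow error recoverable here — presumably that the overflow path only records the error bit and leaves current/head consistent, which is what the following `current = current->next;` relies on — but that guarantee is not visible in the hunk and should be confirmed against only_overflow () before it is written down. Both enclosing functions begin above their hunks, so their signatures and the rest of their bodies are outside this diff.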