Merge pull request #1449 from harfbuzz/cff-fixcharset
[CFF] fix for oss-fuzz 11657: Charset overrun
diff --git a/src/hb-ot-cff1-table.hh b/src/hb-ot-cff1-table.hh
index 0539403..39da8fa 100644
--- a/src/hb-ot-cff1-table.hh
+++ b/src/hb-ot-cff1-table.hh
@@ -392,13 +392,15 @@
return 0;
}
- inline hb_codepoint_t get_glyph (hb_codepoint_t sid) const
+ inline hb_codepoint_t get_glyph (hb_codepoint_t sid, unsigned int num_glyphs) const
{
if (sid == 0) return 0;
hb_codepoint_t glyph = 1;
for (unsigned int i = 0;; i++)
{
- if ((ranges[i].first <= sid) && sid <= ranges[i].first + ranges[i].nLeft)
+ if (glyph >= num_glyphs)
+ return 0;
+ if ((ranges[i].first <= sid) && (sid <= ranges[i].first + ranges[i].nLeft))
return glyph + (sid - ranges[i].first);
glyph += (ranges[i].nLeft + 1);
}
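Review bot: The new `glyph >= num_glyphs` guard bounds only the start of each range, not the value returned on a match at the line after it: when the matching range's `nLeft` extends past the glyph count, `glyph + (sid - ranges[i].first)` can still be a glyph id at or beyond `num_glyphs`, which callers may then use as an index. I would bound the result before returning it, `hb_codepoint_t g = glyph + (sid - ranges[i].first);` followed by `return (g < num_glyphs) ? g : 0;`. The guard also reads `ranges[i]` without a bound on `i` itself; that presumably relies on the table's sanitize having checked that the ranges cover `num_glyphs`, which is worth stating in a comment on the guard, e.g. `/* ranges are only walked while glyph < num_glyphs; sanitize() must guarantee they span the glyph count */`. The same bound applies to the format2 `get_glyph` that the second hunk now also calls with `num_glyphs`, if its body mirrors this one. The closing brace of `get_glyph` lies outside the hunk.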
@@ -550,9 +552,9 @@
if (format == 0)
return u.format0.get_glyph (sid, num_glyphs);
else if (format == 1)
- return u.format1.get_glyph (sid);
+ return u.format1.get_glyph (sid, num_glyphs);
else
- return u.format2.get_glyph (sid);
+ return u.format2.get_glyph (sid, num_glyphs);
}
HBUINT8 format;
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5700264032468992 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5700264032468992
new file mode 100644
index 0000000..82a462b
--- /dev/null
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5700264032468992
Binary files differ