Fix sanitize fail of extension sublookups
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=960331
diff --git a/src/hb-ot-layout-common.hh b/src/hb-ot-layout-common.hh
index ac91451..478e66c 100644
--- a/src/hb-ot-layout-common.hh
+++ b/src/hb-ot-layout-common.hh
@@ -751,12 +751,18 @@
if (unlikely (!get_subtables<TSubTable> ().sanitize (c, this, get_type ())))
return_trace (false);
- if (unlikely (get_type () == TSubTable::Extension))
+ if (unlikely (get_type () == TSubTable::Extension && !c->get_edit_count ()))
{
/* The spec says all subtables of an Extension lookup should
* have the same type, which shall not be the Extension type
* itself (but we already checked for that).
- * This is specially important if one has a reverse type! */
+ * This is specially important if one has a reverse type!
+ *
+ * We only do this if sanitizer edit_count is zero. Otherwise,
+ * some of the subtables might have become insane after they
+ * were sanity-checked by the edits of subsequent subtables.
+ * https://bugs.chromium.org/p/chromium/issues/detail?id=960331
+ */
unsigned int type = get_subtable<TSubTable> (0).u.extension.get_type ();
unsigned int count = get_subtable_count ();
for (unsigned int i = 1; i < count; i++)
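Review bot: The guard on the new `if` at the top of the hunk reads the sanitizer's cumulative edit count, so one edit anywhere earlier in the same sanitize pass — in another lookup or another table — disables the Extension subtable-type consistency check for every lookup sanitized afterwards, which is broader than the added comment ("edits of subsequent subtables") describes. Capturing the count before the subtables are sanitized and comparing afterwards narrows the skip to this lookup: `unsigned int edit_count_before = c->get_edit_count ();` before the `get_subtables<TSubTable> ().sanitize (...)` call, and `if (unlikely (get_type () == TSubTable::Extension && c->get_edit_count () == edit_count_before))` in place of the new condition. Whether skipping the check is otherwise safe depends on how the lookup's consumers treat mixed subtable types (the reverse case the comment calls out), which is outside this hunk; one sentence in the comment stating what a consumer may still assume when the check was skipped would make that explicit. The enclosing sanitize function starts before and continues after this hunk.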
diff --git a/src/hb-sanitize.hh b/src/hb-sanitize.hh
index 5ecd2d2..5f5b4bd 100644
--- a/src/hb-sanitize.hh
+++ b/src/hb-sanitize.hh
@@ -211,6 +211,8 @@
this->start = this->end = nullptr;
}
+ unsigned get_edit_count () { return edit_count; }
+
bool check_range (const void *base,
unsigned int len) const
{
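Review bot: The new accessor `get_edit_count ()` on line 34 is not `const` although it only reads `edit_count`, while the adjacent `check_range` in the same hunk is a `const` member; a caller holding a `const` sanitize context could not use it. Suggest `unsigned get_edit_count () const { return edit_count; }`. The declaration of `edit_count` is not visible in this hunk, so whether `unsigned` matches its type rather than narrowing it should be confirmed. The enclosing context struct begins outside the hunk.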
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5702671124791296 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5702671124791296
new file mode 100644
index 0000000..9ecc7f1
--- /dev/null
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5702671124791296
Binary files differ