fuzzer fix https://oss-fuzz.com/testcase-detail/5842152921628672
Access TupleVariationData through blob, because we don't sanitize
var_data
diff --git a/src/hb-ot-var-cvar-table.hh b/src/hb-ot-var-cvar-table.hh
index 0814940..381ae3c 100644
--- a/src/hb-ot-var-cvar-table.hh
+++ b/src/hb-ot-var-cvar-table.hh
@@ -54,14 +54,14 @@
bool decompile_tuple_variations (unsigned axis_count,
unsigned point_count,
+ hb_blob_t *blob,
bool is_gvar,
const hb_map_t *axes_old_index_tag_map,
TupleVariationData::tuple_variations_t& tuple_variations /* OUT */) const
{
hb_vector_t<unsigned> shared_indices;
TupleVariationData::tuple_iterator_t iterator;
- unsigned var_data_length = tupleVariationData.get_size (axis_count);
- hb_bytes_t var_data_bytes = hb_bytes_t (reinterpret_cast<const char*> (get_tuple_var_data ()), var_data_length);
+ hb_bytes_t var_data_bytes = blob->as_bytes ().sub_array (4);
if (!TupleVariationData::get_tuple_iterator (var_data_bytes, axis_count, this,
shared_indices, &iterator))
return false;
@@ -151,7 +151,8 @@
unsigned point_count = hb_blob_get_length (cvt_blob) / FWORD::static_size;
hb_blob_destroy (cvt_blob);
- if (!decompile_tuple_variations (axis_count, point_count, false,
+ if (!decompile_tuple_variations (axis_count, point_count,
+ c->source_blob, false,
&(c->plan->axes_old_index_tag_map),
tuple_variations))
return_trace (false);
diff --git a/src/test-tuple-varstore.cc b/src/test-tuple-varstore.cc
index f1286e7..e3787a2 100644
--- a/src/test-tuple-varstore.cc
+++ b/src/test-tuple-varstore.cc
@@ -39,7 +39,21 @@
axis_idx_tag_map.set (0, axis_tag);
OT::TupleVariationData::tuple_variations_t tuple_variations;
- bool result = cvar_table->decompile_tuple_variations (axis_count, point_count, false, &axis_idx_tag_map, tuple_variations);
+ hb_vector_t<unsigned> shared_indices;
+ OT::TupleVariationData::tuple_iterator_t iterator;
+
+ const OT::TupleVariationData* tuple_var_data = reinterpret_cast<const OT::TupleVariationData*> (cvar_data + 4);
+
+ unsigned len = strlen (cvar_data);
+ hb_bytes_t var_data_bytes{cvar_data+4, len - 4};
+ bool result = OT::TupleVariationData::get_tuple_iterator (var_data_bytes, axis_count, cvar_table,
+ shared_indices, &iterator);
+ assert (result);
+
+ result = tuple_var_data->decompile_tuple_variations (point_count, false, iterator, &axis_idx_tag_map,
+ shared_indices, hb_array<const OT::F2DOT14> (),
+ tuple_variations);
+
assert (result);
assert (tuple_variations.tuple_vars.length == 2);
for (unsigned i = 0; i < 2; i++)
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5842152921628672 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5842152921628672
new file mode 100644
index 0000000..c33e2b9
--- /dev/null
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5842152921628672
Binary files differ
