| commit | a549aa14a0b60436a16f7f8924a5b5f82b4d5b7e | [log] [tgz] |
|---|---|---|
| author | Behdad Esfahbod <behdad@behdad.org> | Mon Nov 12 13:01:22 2018 -0500 |
| committer | Behdad Esfahbod <behdad@behdad.org> | Mon Nov 12 13:02:39 2018 -0500 |
| tree | ab5d115ffd1c92ec49c52f7800271348358a8699 | |
| parent | 3e284e02c2a5da758526360a45364a330b8ab8e9 [diff] |
[kerx] Protect against stack underflow Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11367
diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh index 6b61186..4e6c6e4 100644 --- a/src/hb-aat-layout-kerx-table.hh +++ b/src/hb-aat-layout-kerx-table.hh
@@ -260,7 +260,7 @@ depth = 0; /* Probably not what CoreText does, but better? */ } - if (Format1EntryT::performAction (entry)) + if (depth && Format1EntryT::performAction (entry)) { unsigned int tuple_count = MAX (1u, table->header.tuple_count ());
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5691469793329152 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5691469793329152 new file mode 100644 index 0000000..6c73900 --- /dev/null +++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5691469793329152 Binary files differ