Merge pull request #1448 from harfbuzz/cff-leak

[CFF] fix leak: oss-fuzz 11662

Merge pull request #1448 from harfbuzz/cff-leak
[CFF] fix leak: oss-fuzz 11662
cf4b7db6 · Ebrahim Byagowi · GitHub · 32cc46c7 · 803d2f92 · cf4b7db6
3 changed file
--- a/src/hb-ot-cff1-table.hh
+++ b/src/hb-ot-cff1-table.hh
@@ -1092,6 +1092,7 @@ struct cff1
 	  CFF1FontDict_Interpreter font_interp;
 	  font_interp.env.init (fontDictStr);
 	  font = fontDicts.push ();
+	  if (unlikely (font == &Crap(CFF1FontDictValues))) { fini (); return; }
 	  font->init ();
 	  if (unlikely (!font_interp.interpret (*font))) { fini (); return; }
 	  PRIVDICTVAL  *priv = &privateDicts[i];
@@ -1131,7 +1132,7 @@ struct cff1
    {
      sc.end_processing ();
      topDict.fini ();
-      fontDicts.fini ();
+      fontDicts.fini_deep ();
      privateDicts.fini_deep ();
      hb_blob_destroy (blob);
      blob = nullptr;

--- a/src/hb-ot-cff2-table.hh
+++ b/src/hb-ot-cff2-table.hh
@@ -486,6 +486,7 @@ struct cff2
 	CFF2FontDict_Interpreter font_interp;
 	font_interp.env.init (fontDictStr);
 	font = fontDicts.push ();
+	if (unlikely (font == &Crap(CFF2FontDictValues))) { fini (); return; }
 	font->init ();
 	if (unlikely (!font_interp.interpret (*font))) { fini (); return; }

@@ -506,7 +507,7 @@ struct cff2
    inline void fini (void)
    {
      sc.end_processing ();
-      fontDicts.fini ();
+      fontDicts.fini_deep ();
      privateDicts.fini_deep ();
      hb_blob_destroy (blob);
      blob = nullptr;

--- a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5175735354916864
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5175735354916864