Fix invalid buffer access in OOM times

Hopefully fully fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1856

Fix invalid buffer access in OOM times
Hopefully fully fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1856
e5930722 · Behdad Esfahbod · fcd6c338 · e5930722
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

src/hb-ot-layout-gsubgpos-private.hh src/hb-ot-layout-gsubgpos-private.hh +2 -1

未找到文件。
--- a/src/hb-ot-layout-gsubgpos-private.hh
+++ b/src/hb-ot-layout-gsubgpos-private.hh
@@ -1002,7 +1002,8 @@ static inline bool apply_lookup (hb_apply_context_t *c,
    if (idx == 0 && lookupRecord[i].lookupListIndex == c->lookup_index)
      continue;

-    buffer->move_to (match_positions[idx]);
+    if (unlikely (!buffer->move_to (match_positions[idx])))
+      break;

    unsigned int orig_len = buffer->backtrack_len () + buffer->lookahead_len ();
    if (!c->recurse (lookupRecord[i].lookupListIndex))