[subset] fix infinite loop bug in looping through tables for subsetting.

2018-03-27 10:42:19 -07:00 · 2018-03-27 10:42:19 -07:00 · 1c3372786c
commit 1c3372786c
parent 8fd55422c3
3 changed files with 24 additions and 1 deletions
--- a/src/hb-subset.cc
+++ b/src/hb-subset.cc
@ -363,8 +363,8 @@ hb_subset (hb_face_t *source,
        continue;
      }
      success = success && _subset_table (plan, tag);
-      offset += count;
    }
+    offset += count;
  } while (count == ARRAY_LENGTH (table_tags));

  hb_face_t *result = success ? hb_face_reference(plan->dest) : hb_face_get_empty();
--- a/test/api/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5521982557782016
+++ b/test/api/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5521982557782016
--- a/test/api/test-subset.c
+++ b/test/api/test-subset.c
@ -51,6 +51,28 @@ test_subset_32_tables (void)
  hb_face_destroy (face);
 }

+static void
+test_subset_no_inf_loop (void)
+{
+  hb_face_t *face = hb_subset_test_open_font("fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5521982557782016");
+
+  hb_subset_input_t *input = hb_subset_input_create_or_fail ();
+  hb_set_t *codepoints = hb_subset_input_unicode_set (input);
+  hb_set_add (codepoints, 'a');
+  hb_set_add (codepoints, 'b');
+  hb_set_add (codepoints, 'c');
+
+  hb_subset_profile_t *profile = hb_subset_profile_create();
+  hb_face_t *subset = hb_subset (face, profile, input);
+  g_assert (subset);
+  g_assert (subset == hb_face_get_empty ());
+
+  hb_subset_input_destroy (input);
+  hb_subset_profile_destroy (profile);
+  hb_face_destroy (subset);
+  hb_face_destroy (face);
+}
+
 static void
 test_subset_crash (void)
 {
@ -79,6 +101,7 @@ main (int argc, char **argv)
  hb_test_init (&argc, &argv);

  hb_test_add (test_subset_32_tables);
+  hb_test_add (test_subset_no_inf_loop);
  hb_test_add (test_subset_crash);

  return hb_test_run();