[subset] Disable glyf accelerator_t methods if it didn't successfully init.

2018-03-20 13:00:49 -07:00 · 2018-03-20 13:00:49 -07:00 · e597436b99
commit e597436b99
parent 7251181b56
3 changed files with 29 additions and 1 deletions
--- a/src/hb-ot-glyf-table.hh
+++ b/src/hb-ot-glyf-table.hh
@ -232,9 +232,11 @@ struct glyf
  {
    inline void init (hb_face_t *face)
    {
+      memset (this, 0, sizeof (accelerator_t));
+
      hb_blob_t *head_blob = Sanitizer<head>().sanitize (face->reference_table (HB_OT_TAG_head));
      const head *head_table = Sanitizer<head>::lock_instance (head_blob);
-      if ((unsigned int) head_table->indexToLocFormat > 1 || head_table->glyphDataFormat != 0)
+      if (!head_table || (unsigned int) head_table->indexToLocFormat > 1 || head_table->glyphDataFormat != 0)
      {
 	/* Unknown format.  Leave num_glyphs=0, that takes care of disabling us. */
 	hb_blob_destroy (head_blob);
@ -266,6 +268,9 @@ struct glyf
    inline bool get_composite (hb_codepoint_t glyph,
 			       CompositeGlyphHeader::Iterator *composite /* OUT */) const
    {
+      if (!this->glyf_table || !num_glyphs)
+	return false;
+
      unsigned int start_offset, end_offset;
      if (!get_offsets (glyph, &start_offset, &end_offset))
        return false; /* glyph not found */
--- a/test/api/fonts/crash-4b60576767ee4d9fe1cc10959d89baf73d4e8249
+++ b/test/api/fonts/crash-4b60576767ee4d9fe1cc10959d89baf73d4e8249
--- a/test/api/test-subset.c
+++ b/test/api/test-subset.c
@ -51,12 +51,35 @@ test_subset_32_tables (void)
  hb_face_destroy (face);
 }

+static void
+test_subset_crash (void)
+{
+  hb_face_t *face = hb_subset_test_open_font("fonts/crash-4b60576767ee4d9fe1cc10959d89baf73d4e8249");
+
+  hb_subset_input_t *input = hb_subset_input_create_or_fail ();
+  hb_set_t *codepoints = hb_subset_input_unicode_set (input);
+  hb_set_add (codepoints, 'a');
+  hb_set_add (codepoints, 'b');
+  hb_set_add (codepoints, 'c');
+
+  hb_subset_profile_t *profile = hb_subset_profile_create();
+  hb_face_t *subset = hb_subset (face, profile, input);
+  g_assert (subset);
+  g_assert (subset == hb_face_get_empty ());
+
+  hb_subset_input_destroy (input);
+  hb_subset_profile_destroy (profile);
+  hb_face_destroy (subset);
+  hb_face_destroy (face);
+}
+
 int
 main (int argc, char **argv)
 {
  hb_test_init (&argc, &argv);

  hb_test_add (test_subset_32_tables);
+  hb_test_add (test_subset_crash);

  return hb_test_run();
 }