[avar] Fix out-of-bound read when input is bigger than all the coords

'i' shouldn't become equal to array's length which as the increament is happened at end of the loop, if the input is bigger than all the table coords, it will be equal to array's length. Fixes https://crbug.com/oss-fuzz/21092
harfbuzz · Mar 7, 2020 · 0d729b4 · 0d729b4
1 parent 6924e29
commit 0d729b4
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 1 deletion.
diff --git a/src/hb-ot-var-avar-table.hh b/src/hb-ot-var-avar-table.hh
@@ -79,7 +79,7 @@ struct SegmentMaps : ArrayOf<AxisValueMap>
       return value - arrayZ[0].fromCoord + arrayZ[0].toCoord;
 
     unsigned int i;
-    unsigned int count = len;
+    unsigned int count = len - 1;
     for (i = 1; i < count && value > arrayZ[i].fromCoord; i++)
       ;
 

diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-draw-fuzzer-5681465586352128 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-draw-fuzzer-5681465586352128