heap-buffer-overflow in hb_ot_face_metrics_accelerator_t::get_advance #156

@kcc

Description

Found with libFuzzer+AddressSanitizer, see #139

==35576==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600000fbf9 at pc 0x000000511fb5 bp 0x7ffd57acae30 sp 0x7ffd57acae28
READ of size 1 at 0x61600000fbf9 thread T0
    #0 0x511fb4 in OT::BEInt<unsigned short, 2>::operator unsigned short() const src/./hb-open-type-private.hh:584:13
    #1 0x511fb4 in OT::IntType<unsigned short, 2u>::operator unsigned short() const src/./hb-open-type-private.hh:632
    #2 0x511fb4 in hb_ot_face_metrics_accelerator_t::get_advance(unsigned int) const src/hb-ot-font.cc:98
    #3 0x511fb4 in hb_ot_get_glyph_h_advance(hb_font_t*, void*, unsigned int, void*) src/hb-ot-font.cc:294
    #4 0x52541a in hb_font_t::get_glyph_h_advance(unsigned int) src/./hb-font-private.hh:164:12
    #5 0x52541a in hb_font_t::get_glyph_advance_for_direction(unsigned int, hb_direction_t, int*, int*) src/./hb-font-private.hh:257
    #6 0x52541a in hb_ot_position_default(hb_ot_shape_context_t*) src/hb-ot-shape.cc:652
    #7 0x52541a in hb_ot_position(hb_ot_shape_context_t*) src/hb-ot-shape.cc:752
    #8 0x52541a in hb_ot_shape_internal(hb_ot_shape_context_t*) src/hb-ot-shape.cc:796
    #9 0x52541a in _hb_ot_shape src/hb-ot-shape.cc:816
    #10 0x50bb8c in hb_shape_plan_execute src/./hb-shaper-list.hh:43:1
    #11 0x509570 in hb_shape_full src/hb-shape.cc:375:19
    #12 0x509570 in hb_shape src/hb-shape.cc:405
    #13 0x4d6936 in LLVMFuzzerTestOneInput

0x61600000fbf9 is located 0 bytes to the right of 633-byte region [0x61600000f980,0x61600000fbf9)

<the buffer passed to LLVMFuzzerTestOneInput>

crash-8240789f6d12d4cfc4b5e8e6f246c3701bcf861f.pdf
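The report above shows a one-byte read at exactly 0 bytes past a 633-byte region while decoding a `BEInt<unsigned short, 2>`, which is the second byte of a big-endian u16 whose first byte is the last valid byte of the buffer (633 = 158 * 4 + 1, so a fixed 4-byte record table is truncated in its 159th record). The C helper below is an added illustration of the bounds check that rejects such a read, written for this note; it is not HarfBuzz code and not the fix applied to this issue. The record layout, the `get_advance_checked` and `read_be_u16` names and the constructed demo table are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (hypothetical, not HarfBuzz's types): fixed 4-byte records,
 * each a big-endian u16 advance followed by a 2-byte left side bearing. */
#define RECORD_SIZE 4

/* Read a big-endian u16 starting at `off` only if BOTH bytes lie inside the
 * buffer. The check is "off + 2 <= len", written without the addition so a
 * huge `off` cannot wrap around; "off < len" alone would admit the read the
 * sanitizer flagged (first byte in bounds, second byte one past the end). */
static bool read_be_u16(const uint8_t *buf, size_t len, size_t off, uint16_t *out)
{
    if (off > len || len - off < 2)
        return false;
    *out = (uint16_t)((buf[off] << 8) | buf[off + 1]);
    return true;
}

/* Look up the advance of `glyph`; returns -1 when the record does not fit. */
int get_advance_checked(const uint8_t *table, size_t len, unsigned glyph)
{
    uint16_t adv;
    /* keep glyph * RECORD_SIZE from overflowing size_t on narrow targets */
    if (glyph > SIZE_MAX / RECORD_SIZE)
        return -1;
    size_t off = (size_t)glyph * RECORD_SIZE;
    if (!read_be_u16(table, len, off, &adv))
        return -1;
    return adv;
}

/* Constructed demo table mirroring the numbers in the report: a 633-byte
 * region whose final record is cut off after one byte. Record 158 starts at
 * offset 632, so its advance's second byte would be at offset 633. */
#define DEMO_LEN 633

const uint8_t *demo_table(void)
{
    static uint8_t table[DEMO_LEN];
    memset(table, 0, sizeof table);
    table[0] = 0x02; table[1] = 0x58; /* glyph 0: advance 0x0258 = 600 */
    table[632] = 0xFF;                /* lone first byte of record 158 */
    return table;
}

int main(void)
{
    const uint8_t *t = demo_table();
    printf("glyph 0   -> %d\n", get_advance_checked(t, DEMO_LEN, 0));
    printf("glyph 157 -> %d\n", get_advance_checked(t, DEMO_LEN, 157));
    printf("glyph 158 -> %d (truncated record rejected)\n",
           get_advance_checked(t, DEMO_LEN, 158));
    return 0;
}
```

Compiled with `-fsanitize=address`, the same lookup for glyph 158 without the length check reproduces the one-byte overread at the end of the region; with the check it returns -1 and never touches byte 633.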
