From b7023b243b0d74b0538fc5364dd741c9c73d7ff7 Mon Sep 17 00:00:00 2001
From: Chad Brokaw
Date: Tue, 10 Dec 2024 14:57:50 -0500
Subject: [PATCH] [read-fonts] var: fix overflow in packed point numbers first commit contains failing test ref https://issues.oss-fuzz.com/issues/378159154
---
 read-fonts/src/tables/variations.rs | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/read-fonts/src/tables/variations.rs b/read-fonts/src/tables/variations.rs
index f3d64698d..5dc307692 100644
--- a/read-fonts/src/tables/variations.rs
+++ b/read-fonts/src/tables/variations.rs
@@ -1491,4 +1491,15 @@ mod tests {
 let expected_len = 2 * row_len;
 assert_eq!(ivs.delta_sets().len(), expected_len);
 }
+
+ // Add with overflow when accumulating packed point numbers
+ // https://issues.oss-fuzz.com/issues/378159154
+ #[test]
+ fn packed_point_numbers_avoid_overflow() {
+ // Lots of 1 bits triggers the behavior quite nicely
+ let buf = vec![0xFF; 0xFFFF];
+ let iter = PackedPointNumbersIter::new(0xFFFF, FontData::new(&buf).cursor());
+ // Don't panic!
+ let _ = iter.count();
+ }
 }
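Review bot: `packed_point_numbers_avoid_overflow` can only fail by panicking, and an integer add panics only when overflow checks are compiled in, so a run with them disabled (the default for `cargo test --release`) would pass even if the accumulation regressed to a plain add. Because this iterator parses untrusted font data, the test should pin the post-fix behaviour rather than only the absence of a panic. State the dependency in the comment, e.g. `// Relies on overflow checks (on in the dev/test profile); without them the add wraps silently`, and, if the intended result for this input is known, assert on it instead of discarding `iter.count()`. The enclosing `mod tests` begins outside the hunk, and the iterator change the subject line refers to is not visible in this patch.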