From 11d583a9eaf5089418d0091a01e8e10be37485e1 Mon Sep 17 00:00:00 2001
From: Ebrahim Byagowi
Date: Tue, 14 Jul 2020 06:23:06 +0430
Subject: [PATCH] [aat] Consume glyph insertion from buffer's max_ops (#2223)

Glyph insertion is an expensive operation and we like to have it limited based on buffer's input size which is handled by buffer's max_ops.

clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5754958982021120:
Before the change: 0.67s user 0.00s system 99% cpu 0.674 total
After the change: 0.02s user 0.00s system 98% cpu 0.024 total

Which takes much longer on valgrind and tsan bots.
---
 src/hb-aat-layout-morx-table.hh | 2 ++
 ...ase-minimized-harfbuzz_fuzzer-5754958982021120 | Bin 0 -> 319 bytes
 2 files changed, 2 insertions(+)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5754958982021120

diff --git a/src/hb-aat-layout-morx-table.hh b/src/hb-aat-layout-morx-table.hh
index 2342f61d8..3c15e54e8 100644
--- a/src/hb-aat-layout-morx-table.hh
+++ b/src/hb-aat-layout-morx-table.hh
@@ -725,6 +725,7 @@ struct InsertionSubtable
 if (entry.data.markedInsertIndex != 0xFFFF)
 {
 unsigned int count = (flags & MarkedInsertCount);
+ if ((buffer->max_ops -= count) <= 0) return;
 unsigned int start = entry.data.markedInsertIndex;
 const HBGlyphID *glyphs = &insertionAction[start];
 if (unlikely (!c->sanitizer.check_array (glyphs, count))) count = 0;
@@ -753,6 +754,7 @@ struct InsertionSubtable
 if (entry.data.currentInsertIndex != 0xFFFF)
 {
 unsigned int count = (flags & CurrentInsertCount) >> 5;
+ if ((buffer->max_ops -= count) <= 0) return;
 unsigned int start = entry.data.currentInsertIndex;
 const HBGlyphID *glyphs = &insertionAction[start];
 if (unlikely (!c->sanitizer.check_array (glyphs, count))) count = 0;
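Review bot: The budget check added in both hunks mixes the signed `buffer->max_ops` with the `unsigned int count` in a compound assignment, so the subtraction is performed in unsigned arithmetic and only the implicit conversion back to `int` makes the `<= 0` test behave; writing it `if ((buffer->max_ops -= (int) count) <= 0) return;` keeps that intent visible and avoids sign-conversion warnings (the same applies to the second hunk at line 754). The budget is charged before `check_array` can zero `count` for an out-of-range action table, which is conservative and likely intended, but deserves a one-line comment such as `/* Insertion is expensive; charge it to the op budget before validating so a crafted font cannot exceed the limit. */`. Bailing out with a bare `return` skips the rest of the transition without recording a failure on the buffer, so unless the driver inspects `max_ops` after the call the truncated output is indistinguishable from a successful one; the enclosing transition function starts and ends outside both hunks, so that cannot be confirmed here.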
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5754958982021120 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5754958982021120 new file mode 100644 index 0000000000000000000000000000000000000000..bc9a1c4655c542db5b0bb64b5fc4d382eb9436a8 GIT binary patch literal 319 zcmZQzWME+6V`yMtX2@`Nadl(hXHaEiaAagiPRx-8N&x|5paMt1S6+sC|KQVW7M-iU zVwUV-Xw1aG#_;t&Gfir2qf` literal 0 HcmV?d00001