From 3c84aa8416cac7aba1430cc18ec76a393c47f3cd Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Mon, 18 Jul 2022 13:57:59 -0600
Subject: [PATCH] [cff] Add a max work counter

Set to 10,000 per interpretation right now.

Fixes https://github.com/harfbuzz/harfbuzz/issues/3700
Fixes https://oss-fuzz.com/testcase-detail/5667125715927040
---
 src/hb-cff-interp-cs-common.hh                    |   7 +++++++
 ...case-minimized-hb-draw-fuzzer-5667125715927040 | Bin 0 -> 472 bytes
 test/fuzzing/hb-draw-fuzzer.cc                    |   1 +
 3 files changed, 8 insertions(+)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-draw-fuzzer-5667125715927040

diff --git a/src/hb-cff-interp-cs-common.hh b/src/hb-cff-interp-cs-common.hh
index 2983ae54a..14abf3e80 100644
--- a/src/hb-cff-interp-cs-common.hh
+++ b/src/hb-cff-interp-cs-common.hh
@@ -57,6 +57,7 @@ struct call_context_t
 
 /* call stack */
 const unsigned int kMaxCallLimit = 10;
+const unsigned int kMaxOps = 10000;
 struct call_stack_t : cff_stack_t<call_context_t, kMaxCallLimit> {};
 
 template <typename SUBRS>
@@ -882,6 +883,11 @@ struct cs_interpreter_t : interpreter_t<ENV>
     SUPER::env.set_endchar (false);
 
     for (;;) {
+      if (unlikely (!--max_ops))
+      {
+	SUPER::env.set_error ();
+	break;
+      }
       OPSET::process_op (SUPER::env.fetch_op (), SUPER::env, param);
       if (unlikely (SUPER::env.in_error ()))
 	return false;
@@ -894,6 +900,7 @@ struct cs_interpreter_t : interpreter_t<ENV>
 
   private:
   typedef interpreter_t<ENV> SUPER;
+  unsigned max_ops = kMaxOps;
 };
 
 } /* namespace CFF */
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-draw-fuzzer-5667125715927040 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-draw-fuzzer-5667125715927040
new file mode 100644
index 0000000000000000000000000000000000000000..179122557804f69c9d42251f4bde5c06aa5c08bb
GIT binary patch
literal 472
zcmeYd3Grv(XR!Ir{J+52&CMvuF=h<|1H&Iq9)?o))hVU^L3-;Hud`fu@rz-fhvxiu
zavZ^q46pv>-(~n4?HkD8aBor9<b^;D3<3=IO{e=i`22?gK^_K%7xVu!FfuS4nb6<#
zUg+0<m1ee|Y`=f}|M|1F_UHfqJV6=d4HgV6Ud#+!=7tuQvfuwRy#VTd@Xh}m!`~l!
z&*dgo6fp1xNCQnj<Hx}8_y6NkbB5>K0)`CC+CLpCXV>TVmi%W2S<b*XIhSDp1496i
zRmW)c5NJ0;UgC;WA-2@Fm-86(J~1(9vT6d|(xf+$LD!)kq=i9&sgadISQf~#=TQMs
z4uY}_OibLSK&B)kgB%NxmT^=pc5W~*^flDW%P(~{GFfWS`TzTS28RZIAD}b?BQpbo
z0RzK?fT&ylKJ)MbArLH$0s;Z`C<Y)I6{Q{#RR`o7M&*Kpf#4&Aiu#zK@eu^%e||iI
v0zQ6x`0*P^=JE*xeOVAN0ux|T3&=DzG?uWju(p5*BgrxRX8?My4(Kod@xP@v

literal 0
HcmV?d00001

diff --git a/test/fuzzing/hb-draw-fuzzer.cc b/test/fuzzing/hb-draw-fuzzer.cc
index 3c1e68c4e..5c53eb271 100644
--- a/test/fuzzing/hb-draw-fuzzer.cc
+++ b/test/fuzzing/hb-draw-fuzzer.cc
@@ -14,6 +14,7 @@ struct _draw_data_t
   float path_last_y;
 };
 
+#include <cstdio>
 static void
 _move_to (hb_draw_funcs_t *dfuncs, void *draw_data_,
 	  hb_draw_state_t *st,