[cff] Add a max work counter

Set to 10,000 per interpretation right now. Fixes https://github.com/harfbuzz/harfbuzz/issues/3700 Fixes https://oss-fuzz.com/testcase-detail/5667125715927040
2022-07-18 13:57:59 -06:00 · 2022-07-18 13:57:59 -06:00 · 3c84aa8416
parent 89de8c700f
commit 3c84aa8416
3 changed files with 8 additions and 0 deletions
--- a/src/hb-cff-interp-cs-common.hh
+++ b/src/hb-cff-interp-cs-common.hh
@ -57,6 +57,7 @@ struct call_context_t

 /* call stack */
 const unsigned int kMaxCallLimit = 10;
+const unsigned int kMaxOps = 10000;
 struct call_stack_t : cff_stack_t<call_context_t, kMaxCallLimit> {};

 template <typename SUBRS>
@ -882,6 +883,11 @@ struct cs_interpreter_t : interpreter_t<ENV>
    SUPER::env.set_endchar (false);

    for (;;) {
+      if (unlikely (!--max_ops))
+      {
+	SUPER::env.set_error ();
+	break;
+      }
      OPSET::process_op (SUPER::env.fetch_op (), SUPER::env, param);
      if (unlikely (SUPER::env.in_error ()))
 	return false;
@ -894,6 +900,7 @@ struct cs_interpreter_t : interpreter_t<ENV>

  private:
  typedef interpreter_t<ENV> SUPER;
+  unsigned max_ops = kMaxOps;
 };

 } /* namespace CFF */
--- a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-draw-fuzzer-5667125715927040
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-draw-fuzzer-5667125715927040
--- a/test/fuzzing/hb-draw-fuzzer.cc
+++ b/test/fuzzing/hb-draw-fuzzer.cc
@ -14,6 +14,7 @@ struct _draw_data_t
  float path_last_y;
 };

+#include <cstdio>
 static void
 _move_to (hb_draw_funcs_t *dfuncs, void *draw_data_,
 	  hb_draw_state_t *st,