Limit buffer max size growth

https://github.com/behdad/harfbuzz/issues/161
This commit is contained in:
Behdad Esfahbod 2015-11-05 23:44:59 -08:00
parent 19300183a6
commit 4301703bdd
4 changed files with 27 additions and 0 deletions

View File

@ -35,6 +35,16 @@
#include "hb-unicode-private.hh" #include "hb-unicode-private.hh"
#ifndef HB_BUFFER_MAX_EXPANSION_FACTOR
#define HB_BUFFER_MAX_EXPANSION_FACTOR 32
#endif
#ifndef HB_BUFFER_MAX_LEN_MIN
#define HB_BUFFER_MAX_LEN_MIN 8192
#endif
#ifndef HB_BUFFER_MAX_LEN_DEFAULT_
#define HB_BUFFER_MAX_LEN_DEFAULT 0x3FFFFFFF /* Shaping more than a billion chars? Let us know! */
#endif
ASSERT_STATIC (sizeof (hb_glyph_info_t) == 20); ASSERT_STATIC (sizeof (hb_glyph_info_t) == 20);
ASSERT_STATIC (sizeof (hb_glyph_info_t) == sizeof (hb_glyph_position_t)); ASSERT_STATIC (sizeof (hb_glyph_info_t) == sizeof (hb_glyph_position_t));
@ -71,6 +81,7 @@ struct hb_buffer_t {
hb_buffer_cluster_level_t cluster_level; hb_buffer_cluster_level_t cluster_level;
hb_codepoint_t replacement; /* U+FFFD or something else. */ hb_codepoint_t replacement; /* U+FFFD or something else. */
hb_buffer_scratch_flags_t scratch_flags; /* Have space-flallback, etc. */ hb_buffer_scratch_flags_t scratch_flags; /* Have space-flallback, etc. */
unsigned int max_len; /* Maximum allowed len. */
/* Buffer contents */ /* Buffer contents */
hb_buffer_content_type_t content_type; hb_buffer_content_type_t content_type;

View File

@ -91,6 +91,11 @@ hb_buffer_t::enlarge (unsigned int size)
{ {
if (unlikely (in_error)) if (unlikely (in_error))
return false; return false;
if (unlikely (size > max_len))
{
in_error = true;
return false;
}
unsigned int new_allocated = allocated; unsigned int new_allocated = allocated;
hb_glyph_position_t *new_pos = NULL; hb_glyph_position_t *new_pos = NULL;
@ -715,6 +720,8 @@ hb_buffer_create (void)
if (!(buffer = hb_object_create<hb_buffer_t> ())) if (!(buffer = hb_object_create<hb_buffer_t> ()))
return hb_buffer_get_empty (); return hb_buffer_get_empty ();
buffer->max_len = HB_BUFFER_MAX_LEN_DEFAULT;
buffer->reset (); buffer->reset ();
return buffer; return buffer;
@ -740,6 +747,7 @@ hb_buffer_get_empty (void)
HB_BUFFER_CLUSTER_LEVEL_DEFAULT, HB_BUFFER_CLUSTER_LEVEL_DEFAULT,
HB_BUFFER_REPLACEMENT_CODEPOINT_DEFAULT, HB_BUFFER_REPLACEMENT_CODEPOINT_DEFAULT,
HB_BUFFER_SCRATCH_FLAG_DEFAULT, HB_BUFFER_SCRATCH_FLAG_DEFAULT,
HB_BUFFER_MAX_LEN_DEFAULT,
HB_BUFFER_CONTENT_TYPE_INVALID, HB_BUFFER_CONTENT_TYPE_INVALID,
HB_SEGMENT_PROPERTIES_DEFAULT, HB_SEGMENT_PROPERTIES_DEFAULT,

View File

@ -798,6 +798,11 @@ hb_ot_shape_internal (hb_ot_shape_context_t *c)
{ {
c->buffer->deallocate_var_all (); c->buffer->deallocate_var_all ();
c->buffer->scratch_flags = HB_BUFFER_SCRATCH_FLAG_DEFAULT; c->buffer->scratch_flags = HB_BUFFER_SCRATCH_FLAG_DEFAULT;
if (likely (!_hb_unsigned_int_mul_overflows (c->buffer->len, HB_BUFFER_MAX_EXPANSION_FACTOR)))
{
c->buffer->max_len = MAX (c->buffer->len * HB_BUFFER_MAX_EXPANSION_FACTOR,
(unsigned) HB_BUFFER_MAX_LEN_MIN);
}
/* Save the original direction, we use it later. */ /* Save the original direction, we use it later. */
c->target_direction = c->buffer->props.direction; c->target_direction = c->buffer->props.direction;
@ -827,6 +832,7 @@ hb_ot_shape_internal (hb_ot_shape_context_t *c)
c->buffer->props.direction = c->target_direction; c->buffer->props.direction = c->target_direction;
c->buffer->max_len = HB_BUFFER_MAX_LEN_DEFAULT;
c->buffer->deallocate_var_all (); c->buffer->deallocate_var_all ();
} }

View File

@ -39,6 +39,8 @@ hb_fuzzer_CPPFLAGS = \
-DMAIN \ -DMAIN \
-DHB_MAX_NESTING_LEVEL=3 \ -DHB_MAX_NESTING_LEVEL=3 \
-DHB_SANITIZE_MAX_EDITS=3 \ -DHB_SANITIZE_MAX_EDITS=3 \
-DHB_BUFFER_MAX_EXPANSION_FACTOR=3 \
-DHB_BUFFER_MAX_LEN_MIN=8 \
$(NULL) $(NULL)
-include $(top_srcdir)/git.mk -include $(top_srcdir)/git.mk