[ENOMEM] Fix buffer's content check logic

So now the rest of the shape fuzzer can also be enabled.

Fixes #2571
Ebrahim Byagowi 2020-07-29 08:09:08 +04:30
parent c33e8006fd
commit 48ad745996
3 changed files with 16 additions and 18 deletions


@ -348,8 +348,8 @@ hb_buffer_serialize_glyphs (hb_buffer_t *buffer,
if (buf_size)
*buf = '\0';
assert ((!buffer->len && buffer->content_type == HB_BUFFER_CONTENT_TYPE_INVALID) ||
buffer->content_type == HB_BUFFER_CONTENT_TYPE_GLYPHS);
assert ((!buffer->len && (buffer->content_type == HB_BUFFER_CONTENT_TYPE_INVALID)) ||
(buffer->content_type == HB_BUFFER_CONTENT_TYPE_GLYPHS));
if (!buffer->have_positions)
flags |= HB_BUFFER_SERIALIZE_FLAG_NO_POSITIONS;
@ -434,8 +434,8 @@ hb_buffer_deserialize_glyphs (hb_buffer_t *buffer,
end_ptr = &end;
*end_ptr = buf;
assert ((!buffer->len && buffer->content_type == HB_BUFFER_CONTENT_TYPE_INVALID) ||
buffer->content_type == HB_BUFFER_CONTENT_TYPE_GLYPHS);
assert ((!buffer->len && (buffer->content_type == HB_BUFFER_CONTENT_TYPE_INVALID)) ||
(buffer->content_type == HB_BUFFER_CONTENT_TYPE_GLYPHS));
if (buf_len == -1)
buf_len = strlen (buf);
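Review bot: As rendered, the two versions of the assert in hb_buffer_serialize_glyphs and hb_buffer_deserialize_glyphs differ only in added parentheses, and because `==` already binds tighter than `&&` and `||` the condition evaluates exactly as before. The asserts in guess_segment_properties, hb_buffer_add_utf and hb_buffer_normalize_glyphs in the next file follow the same pattern. If that reading is right, the behavioural fix of this commit lives in the fuzzer, and the commit message should say so. Since the precondition is enforced only by `assert`, a build with NDEBUG defined (not visible here) would skip it entirely, so I would at least document it above each assert, e.g. `/* An empty buffer may still be CONTENT_TYPE_INVALID (for instance after a failed allocation); otherwise it must hold glyphs. */`. Both function bodies continue outside the hunks.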


@ -617,8 +617,8 @@ hb_buffer_t::unsafe_to_break_from_outbuffer (unsigned int start, unsigned int en
void
hb_buffer_t::guess_segment_properties ()
{
assert (content_type == HB_BUFFER_CONTENT_TYPE_UNICODE ||
(!len && content_type == HB_BUFFER_CONTENT_TYPE_INVALID));
assert ((content_type == HB_BUFFER_CONTENT_TYPE_UNICODE) ||
(!len && (content_type == HB_BUFFER_CONTENT_TYPE_INVALID)));
/* If script is set to INVALID, guess from buffer contents */
if (props.script == HB_SCRIPT_INVALID) {
@ -1513,8 +1513,8 @@ hb_buffer_add_utf (hb_buffer_t *buffer,
typedef typename utf_t::codepoint_t T;
const hb_codepoint_t replacement = buffer->replacement;
assert (buffer->content_type == HB_BUFFER_CONTENT_TYPE_UNICODE ||
(!buffer->len && buffer->content_type == HB_BUFFER_CONTENT_TYPE_INVALID));
assert ((buffer->content_type == HB_BUFFER_CONTENT_TYPE_UNICODE) ||
(!buffer->len && (buffer->content_type == HB_BUFFER_CONTENT_TYPE_INVALID)));
if (unlikely (hb_object_is_immutable (buffer)))
return;
@ -1834,8 +1834,8 @@ void
hb_buffer_normalize_glyphs (hb_buffer_t *buffer)
{
assert (buffer->have_positions);
assert (buffer->content_type == HB_BUFFER_CONTENT_TYPE_GLYPHS ||
(!buffer->len && buffer->content_type == HB_BUFFER_CONTENT_TYPE_INVALID));
assert ((buffer->content_type == HB_BUFFER_CONTENT_TYPE_GLYPHS) ||
(!buffer->len && (buffer->content_type == HB_BUFFER_CONTENT_TYPE_INVALID)));
bool backward = HB_DIRECTION_IS_BACKWARD (buffer->props.direction);


@ -11,6 +11,8 @@
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
alloc_state = size; /* see src/failing-alloc.c */
hb_blob_t *blob = hb_blob_create ((const char *)data, size,
HB_MEMORY_MODE_READONLY, nullptr, nullptr);
hb_face_t *face = hb_face_create (blob, 0);
@ -33,9 +35,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
hb_buffer_t *buffer = hb_buffer_create ();
hb_buffer_add_utf8 (buffer, text, -1, 0, -1);
hb_buffer_guess_segment_properties (buffer);
alloc_state = size; /* see src/failing-alloc.c TODO: move to top */
hb_shape (font, buffer, nullptr, 0);
alloc_state = 0; /* no failing alloc, TODO: remove */
if (hb_buffer_get_content_type (buffer) != HB_BUFFER_CONTENT_TYPE_INVALID)
hb_shape (font, buffer, nullptr, 0);
hb_buffer_destroy (buffer);
}
@ -47,16 +48,13 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
memcpy (text32, data + size - len, len);
/* Misc calls on font. */
alloc_state = size; /* see src/failing-alloc.c TODO: move to top */
text32[10] = test_font (font, text32[15]) % 256;
alloc_state = 0; /* no failing alloc, TODO: remove */
hb_buffer_t *buffer = hb_buffer_create ();
hb_buffer_add_utf32 (buffer, text32, sizeof (text32) / sizeof (text32[0]), 0, -1);
hb_buffer_guess_segment_properties (buffer);
alloc_state = size; /* see src/failing-alloc.c TODO: move to top */
hb_shape (font, buffer, nullptr, 0);
alloc_state = 0; /* no failing alloc, TODO: remove */
if (hb_buffer_get_content_type (buffer) != HB_BUFFER_CONTENT_TYPE_INVALID)
hb_shape (font, buffer, nullptr, 0);
hb_buffer_destroy (buffer);
hb_font_destroy (font);
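Review bot: The new `if (hb_buffer_get_content_type (buffer) != HB_BUFFER_CONTENT_TYPE_INVALID)` guard in front of both hb_shape calls has no comment explaining how a buffer that was just filled can still be INVALID. With `alloc_state = size` now set once at the top and never reset, hb_buffer_create and hb_buffer_add_utf8/utf32 run under the failing allocator, so presumably a failed allocation leaves the buffer empty with its content type unset and hb_shape would assert on it. I would add above each guard something like `/* add_utf* can fail under the failing allocator and leave the buffer INVALID; skip shaping then */`. A library caller that runs out of memory during an add ends up in the same state, so the need to check the content type before calling hb_shape is worth stating in the API documentation as well. LLVMFuzzerTestOneInput continues past the end of this hunk.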