From 83780308b41b029513ac2568b6688d3eaad77338 Mon Sep 17 00:00:00 2001 From: Behdad Esfahbod Date: Wed, 17 Oct 2018 22:34:16 -0700 Subject: [PATCH] [aat] Fix sanitize slowdown Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11034 --- src/hb-aat-layout-common.hh | 4 ++++ src/hb-machinery.hh | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/src/hb-aat-layout-common.hh b/src/hb-aat-layout-common.hh index 741e5020d..69768e5eb 100644 --- a/src/hb-aat-layout-common.hh +++ b/src/hb-aat-layout-common.hh @@ -422,6 +422,8 @@ struct StateTable num_states, num_classes * states[0].static_size))) return_trace (false); + if ((c->max_ops -= num_states - state) < 0) + return_trace (false); { /* Sweep new states. */ const HBUINT16 *stop = &states[num_states * num_classes]; for (const HBUINT16 *p = &states[state * num_classes]; p < stop; p++) @@ -431,6 +433,8 @@ struct StateTable if (unlikely (!c->check_array (entries, num_entries))) return_trace (false); + if ((c->max_ops -= num_entries - entry) < 0) + return_trace (false); { /* Sweep new entries. */ const Entry *stop = &entries[num_entries]; for (const Entry *p = &entries[entry]; p < stop; p++) diff --git a/src/hb-machinery.hh b/src/hb-machinery.hh index a6ff6e7b9..3bdbb2eb4 100644 --- a/src/hb-machinery.hh +++ b/src/hb-machinery.hh @@ -443,10 +443,10 @@ struct hb_sanitize_context_t : mutable unsigned int debug_depth; const char *start, *end; + mutable int max_ops; private: bool writable; unsigned int edit_count; - mutable int max_ops; hb_blob_t *blob; unsigned int num_glyphs; bool num_glyphs_set;