[subset] fix a class of fuzzer timeouts caused by large shared coverage tables.

More acurately estimates the op count for CoverageFormat2 tables as the population size instead of the size in bytes.
2023-02-22 23:11:29 +00:00 · 2023-02-22 23:11:29 +00:00 · 918193ebf9
parent ddd0f7f40b
commit 918193ebf9
4 changed files with 22 additions and 2 deletions
--- a/src/OT/Layout/GPOS/SinglePosFormat1.hh
+++ b/src/OT/Layout/GPOS/SinglePosFormat1.hh
@ -28,7 +28,13 @@ struct SinglePosFormat1
    TRACE_SANITIZE (this);
    return_trace (c->check_struct (this) &&
                  coverage.sanitize (c, this) &&
-                  valueFormat.sanitize_value (c, this, values));
+                  valueFormat.sanitize_value (c, this, values) &&
+                  // The coverage  table may use a range to represent a set
+                  // of glyphs, which means a small number of bytes can
+                  // generate a large glyph set. Manually modify the
+                  // sanitizer max ops to take this into account.
+                  c->check_ops ((this + coverage).get_population () >> 1));
+
  }

  bool intersects (const hb_set_t *glyphs) const
--- a/src/OT/Layout/GSUB/SingleSubstFormat1.hh
+++ b/src/OT/Layout/GSUB/SingleSubstFormat1.hh
@ -25,7 +25,13 @@ struct SingleSubstFormat1_3
  bool sanitize (hb_sanitize_context_t *c) const
  {
    TRACE_SANITIZE (this);
-    return_trace (coverage.sanitize (c, this) && deltaGlyphID.sanitize (c));
+    return_trace (coverage.sanitize (c, this) &&
+                  deltaGlyphID.sanitize (c) &&
+                  // The coverage  table may use a range to represent a set
+                  // of glyphs, which means a small number of bytes can
+                  // generate a large glyph set. Manually modify the
+                  // sanitizer max ops to take this into account.
+                  c->check_ops ((this + coverage).get_population () >> 1));
  }

  hb_codepoint_t get_mask () const
--- a/src/hb-sanitize.hh
+++ b/src/hb-sanitize.hh
@ -228,6 +228,14 @@ struct hb_sanitize_context_t :

  unsigned get_edit_count () { return edit_count; }

+
+  bool check_ops(int count)
+  {
+    // Manually decrements the ops counter. Used when the automatic op
+    // counting needs adjustment.
+    return (this->max_ops -= count) > 0;
+  }
+
  bool check_range (const void *base,
 		    unsigned int len) const
  {
--- a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5192684970311680
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5192684970311680