Merge pull request #3432 from harfbuzz/fuzz-verify

[fuzz-shape] Verify shape output https://github.com/harfbuzz/harfbuzz/pull/3432
2022-06-01 12:26:08 +01:00 · 2022-06-01 12:26:08 +01:00 · a31fd97c35
parent 9c0c31dfaa e246723f0c
commit a31fd97c35
4 changed files with 13 additions and 5 deletions
--- a/src/hb-buffer.cc
+++ b/src/hb-buffer.cc
@ -311,6 +311,7 @@ hb_buffer_t::enter ()
 {
  deallocate_var_all ();
  serial = 0;
+  shaping_failed = false;
  scratch_flags = HB_BUFFER_SCRATCH_FLAG_DEFAULT;
  if (likely (!hb_unsigned_mul_overflows (len, HB_BUFFER_MAX_LEN_FACTOR)))
  {
@ -330,6 +331,7 @@ hb_buffer_t::leave ()
  max_ops = HB_BUFFER_MAX_OPS_DEFAULT;
  deallocate_var_all ();
  serial = 0;
+  // Intentionally not reseting shaping_failed, such that it can be inspected.
 }


--- a/src/hb-ot-shape.cc
+++ b/src/hb-ot-shape.cc
@ -1159,8 +1159,6 @@ hb_propagate_flags (hb_buffer_t *buffer)
 static void
 hb_ot_shape_internal (hb_ot_shape_context_t *c)
 {
-  c->buffer->enter ();
-
  /* Save the original direction, we use it later. */
  c->target_direction = c->buffer->props.direction;

--- a/src/hb-shape.cc
+++ b/src/hb-shape.cc
@ -129,6 +129,8 @@ hb_shape_full (hb_font_t          *font,
  if (unlikely (!buffer->len))
    return true;

+  buffer->enter ();
+
  hb_buffer_t *text_buffer = nullptr;
  if (buffer->flags & HB_BUFFER_FLAG_VERIFY)
  {
@ -140,8 +142,12 @@ hb_shape_full (hb_font_t          *font,
 							      features, num_features,
 							      font->coords, font->num_coords,
 							      shaper_list);
-  buffer->shaping_failed = false;
+
  hb_bool_t res = hb_shape_plan_execute (shape_plan, font, buffer, features, num_features);
+
+  if (buffer->max_ops <= 0)
+    buffer->shaping_failed = true;
+
  hb_shape_plan_destroy (shape_plan);

  if (text_buffer)
@ -157,6 +163,8 @@ hb_shape_full (hb_font_t          *font,
    hb_buffer_destroy (text_buffer);
  }

+  buffer->leave ();
+
  return res;
 }

--- a/test/fuzzing/hb-shape-fuzzer.cc
+++ b/test/fuzzing/hb-shape-fuzzer.cc
@ -33,7 +33,7 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
  {
    const char text[] = "ABCDEXYZ123@_%&)*$!";
    hb_buffer_t *buffer = hb_buffer_create ();
- //   hb_buffer_set_flags (buffer, HB_BUFFER_FLAG_VERIFY);
+    hb_buffer_set_flags (buffer, (hb_buffer_flags_t) (HB_BUFFER_FLAG_VERIFY /* | HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT */));
    hb_buffer_add_utf8 (buffer, text, -1, 0, -1);
    hb_buffer_guess_segment_properties (buffer);
    hb_shape (font, buffer, nullptr, 0);
@ -51,7 +51,7 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
  text32[10] = test_font (font, text32[15]) % 256;

  hb_buffer_t *buffer = hb_buffer_create ();
-//  hb_buffer_set_flags (buffer, HB_BUFFER_FLAG_VERIFY);
+ // hb_buffer_set_flags (buffer, (hb_buffer_flags_t) (HB_BUFFER_FLAG_VERIFY | HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT));
  hb_buffer_add_utf32 (buffer, text32, sizeof (text32) / sizeof (text32[0]), 0, -1);
  hb_buffer_guess_segment_properties (buffer);
  hb_shape (font, buffer, nullptr, 0);