From a7bd6d7a4c53ff61d7d8286a594aaa0a0e15b1a1 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Sat, 16 Dec 2017 11:11:18 -0500
Subject: [PATCH] [collect_glyphs] Bail if input data looks like garbage

Specificaly, when a range or sorted array has unexpected order, we take that as font data being garbage and bail out.

This fixes significant slowdown on a bad version of Chandas font which has a 600KB GPOS with garbage inside.

Later on, I like to add a maximum-work counter for collect_glyphs to protect against malicious fonts as well.

Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=794896
---
 src/hb-ot-layout-common-private.hh | 14 +++++++-------
 src/hb-set-private.hh | 4 ++--
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/hb-ot-layout-common-private.hh b/src/hb-ot-layout-common-private.hh
index f75f8b4ff..5e699e196 100644
--- a/src/hb-ot-layout-common-private.hh
+++ b/src/hb-ot-layout-common-private.hh
@@ -819,7 +819,7 @@ struct CoverageFormat2
 unsigned int count = rangeRecord.len;
 for (unsigned int i = 0; i < count; i++)
 if (unlikely (!rangeRecord[i].add_coverage (glyphs)))
- return true;//XXXXXXXXXXXXfalse;
+ return false;
 return true;
 }
@@ -934,7 +934,7 @@ struct Coverage
 switch (u.format) {
 case 1: return u.format1.add_coverage (glyphs);
 case 2: return u.format2.add_coverage (glyphs);
- default:return true;//XXXXXXXXXXXfalse;
+ default:return false;
 }
 }
@@ -1030,13 +1030,13 @@ struct ClassDefFormat1
 if (start != i)
 if (unlikely (!glyphs->add_range (startGlyph + start, startGlyph + i)))
- return true;//XXXXXXXXfalse
+ return false;
 start = i + 1;
 }
 if (start != count)
 if (unlikely (!glyphs->add_range (startGlyph + start, startGlyph + count)))
- return true;//XXXXXXXXfalse
+ return false;
 return true;
 }
@@ -1107,7 +1107,7 @@ struct ClassDefFormat2
 for (unsigned int i = 0; i < count; i++)
 if (rangeRecord[i].value)
 if (unlikely (!rangeRecord[i].add_coverage (glyphs)))
- return true;//XXXXXXXXXXXXfalse;
+ return false;
 return true;
 }
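Review bot: The new `return false;` in CoverageFormat2::add_coverage changes the method's contract — false now means "this table data looks malformed, stop collecting" rather than only a set failure — but nothing at the function records that, and the same flipped returns appear in the Coverage (@@ -934), ClassDefFormat1 (@@ -1030), ClassDefFormat2 (@@ -1107, @@ -1118) and ClassDef (@@ -1185) hunks. Note also that ranges already added to `glyphs` before the bad record are not rolled back, so a caller that ignores the return value is left with a partially filled set; that seems acceptable for glyph collection but deserves a sentence. I would put above each add_coverage `/* Returns false if the table data is malformed (or the target set is in error); the set may be partially filled. Callers should stop collecting. */`. The enclosing functions all begin outside their hunks.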
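Review bot: The bounds ClassDefFormat1 hands to add_range in the @@ -1030 hunk use exclusive-end arithmetic — `startGlyph + i` for a run that `start = i + 1` then skips, and `startGlyph + count` for the tail — while hb_set_t::add_range in the second file validates `a > b` as a closed interval, and the public hb_set_add_range is documented as inclusive. If add_range is inclusive here, each run over-includes one glyph and the tail adds `startGlyph + count`, one past the classValue array. A superset is harmless for glyph collection, but since this commit makes add_range's verdict fatal the bounds are worth pinning: either pass `startGlyph + i - 1` and `startGlyph + count - 1`, or comment that the extra glyph is intentional. The enclosing loop and function begin outside the hunk, so I cannot confirm which is meant from here.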
@@ -1118,7 +1118,7 @@ struct ClassDefFormat2
 {
 if (rangeRecord[i].value == klass)
 if (unlikely (!rangeRecord[i].add_coverage (glyphs)))
- return true;//XXXXXXXXXXXXfalse;
+ return false;
 }
 return true;
 }
@@ -1185,7 +1185,7 @@ struct ClassDef
 switch (u.format) {
 case 1: return u.format1.add_coverage (glyphs);
 case 2: return u.format2.add_coverage (glyphs);
- default:return true;//XXXXXXXXXXXfalse;
+ default:return false;
 }
 }
diff --git a/src/hb-set-private.hh b/src/hb-set-private.hh
index 74a22a033..9d9a7712c 100644
--- a/src/hb-set-private.hh
+++ b/src/hb-set-private.hh
@@ -230,7 +230,7 @@ struct hb_set_t
 }
 inline bool add_range (hb_codepoint_t a, hb_codepoint_t b)
 {
- if (unlikely (in_error || a > b || a == INVALID || b == INVALID)) return true;//XXXXXXXfalse;
+ if (unlikely (in_error || a > b || a == INVALID || b == INVALID)) return false;
 unsigned int ma = get_major (a);
 unsigned int mb = get_major (b);
 if (ma == mb)
@@ -283,7 +283,7 @@ struct hb_set_t
 template
 inline bool add_sorted_array (const T *array, unsigned int count, unsigned int stride=sizeof(T))
 {
- if (unlikely (in_error)) return true;//XXXfalse
+ if (unlikely (in_error)) return false;
 if (!count) return true;
 hb_codepoint_t g = *array;
 while (count)
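Review bot: In hb_set_t::add_range (@@ -230) the single `return false` on `in_error || a > b || a == INVALID || b == INVALID` makes an earlier allocation failure (in_error) indistinguishable from an invalid range supplied by the caller, and the commit message says callers now read false as "font data is garbage". That is a defensible policy — a set that has already dropped data should not be trusted either — but it is a behaviour change from the `return true` it replaces, under which an in-error set let collection continue, and nothing at the function says so. I would add above add_range `/* Returns false if the set is already in error or if [a, b] is not a valid range; callers treat either as a reason to stop collecting. */`. The same conflation is in add_sorted_array at @@ -283.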
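Review bot: The commit message says an unexpectedly ordered sorted array is now treated as garbage, yet the only change in add_sorted_array's hunk (@@ -283) is the in_error early return; the ordering check, if there is one, must live in the `while (count)` loop that continues outside the hunk, so a reader of the signature cannot tell what false means for unsorted input. Since `array` is read straight from font data, the contract belongs on the function: a comment stating that the elements must be ascending, that false is returned when they are not (or when the set is in error), and that `stride` is a byte stride as the `sizeof(T)` default suggests. The function body continues outside the hunk.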