walkero
/
harfbuzz
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[collect_glyphs] Bail if input data looks like garbage 

Specificaly, when a range or sorted array has unexpected order, we take that as
font data being garbage and bail out.  This fixes significant slowdown on a bad
version of Chandas font which has a 600KB GPOS with garbage inside.

Later on, I like to add a maximum-work counter for collect_glyphs to protect
against malicious fonts as well.

Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=794896
This commit is contained in:
Behdad Esfahbod 2017-12-16 11:11:18 -05:00
parent 1ce7d6e215
commit a7bd6d7a4c
2 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/hb-ot-layout-common-private.hh
View File

@ -819,7 +819,7 @@ struct CoverageFormat2
unsigned int count = rangeRecord.len;
for (unsigned int i = 0; i < count; i++)
if (unlikely (!rangeRecord[i].add_coverage (glyphs)))
return true;//XXXXXXXXXXXXfalse;
return false;
return true;
}
@ -934,7 +934,7 @@ struct Coverage
switch (u.format) {
case 1: return u.format1.add_coverage (glyphs);
case 2: return u.format2.add_coverage (glyphs);
default:return true;//XXXXXXXXXXXfalse;
default:return false;
}
}
@ -1030,13 +1030,13 @@ struct ClassDefFormat1
if (start != i)
if (unlikely (!glyphs->add_range (startGlyph + start, startGlyph + i)))
return true;//XXXXXXXXfalse
return false;
start = i + 1;
}
if (start != count)
if (unlikely (!glyphs->add_range (startGlyph + start, startGlyph + count)))
return true;//XXXXXXXXfalse
return false;
return true;
}
@ -1107,7 +1107,7 @@ struct ClassDefFormat2
for (unsigned int i = 0; i < count; i++)
if (rangeRecord[i].value)
if (unlikely (!rangeRecord[i].add_coverage (glyphs)))
return true;//XXXXXXXXXXXXfalse;
return false;
return true;
}
@ -1118,7 +1118,7 @@ struct ClassDefFormat2
{
if (rangeRecord[i].value == klass)
if (unlikely (!rangeRecord[i].add_coverage (glyphs)))
return true;//XXXXXXXXXXXXfalse;
return false;
}
return true;
}
@ -1185,7 +1185,7 @@ struct ClassDef
switch (u.format) {
case 1: return u.format1.add_coverage (glyphs);
case 2: return u.format2.add_coverage (glyphs);
default:return true;//XXXXXXXXXXXfalse;
default:return false;
}
}

4
src/hb-set-private.hh
View File

@ -230,7 +230,7 @@ struct hb_set_t
}
inline bool add_range (hb_codepoint_t a, hb_codepoint_t b)
{
if (unlikely (in_error || a > b || a == INVALID || b == INVALID)) return true;//XXXXXXXfalse;
if (unlikely (in_error || a > b || a == INVALID || b == INVALID)) return false;
unsigned int ma = get_major (a);
unsigned int mb = get_major (b);
if (ma == mb)
@ -283,7 +283,7 @@ struct hb_set_t
template <typename T>
inline bool add_sorted_array (const T *array, unsigned int count, unsigned int stride=sizeof(T))
{
if (unlikely (in_error)) return true;//XXXfalse
if (unlikely (in_error)) return false;
if (!count) return true;
hb_codepoint_t g = *array;
while (count)