[PairPosFormat1] Fix stride

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55287
and generally the lookup with MediumTypes.
This commit is contained in:
Behdad Esfahbod 2023-01-21 15:50:48 -07:00
parent be8a87c453
commit b63159e8bf
5 changed files with 10 additions and 11 deletions


@ -43,7 +43,7 @@ struct PairPosFormat1_3
{ {
valueFormat, valueFormat,
len1, len1,
1 + len1 + len2 Types::HBGlyphID::static_size + HBUINT16::static_size * (len1 + len2)
}; };
return_trace (coverage.sanitize (c, this) && pairSet.sanitize (c, this, &closure)); return_trace (coverage.sanitize (c, this) && pairSet.sanitize (c, this, &closure));
@ -179,7 +179,7 @@ struct PairPosFormat1_3
{ {
unsigned len1 = valueFormat[0].get_len (); unsigned len1 = valueFormat[0].get_len ();
unsigned len2 = valueFormat[1].get_len (); unsigned len2 = valueFormat[1].get_len ();
unsigned record_size = HBUINT16::static_size + Value::static_size * (len1 + len2); unsigned record_size = Types::HBGlyphID::static_size + Value::static_size * (len1 + len2);
unsigned format1 = 0; unsigned format1 = 0;
unsigned format2 = 0; unsigned format2 = 0;
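Review bot: The closure stride in the first hunk (L17) is written as `Types::HBGlyphID::static_size + HBUINT16::static_size * (len1 + len2)`, while the record size two hunks down (L24) and every PairSet hunk spell the same quantity with `Value::static_size`; the stride the sanitizer bounds-checks with and the record size the other methods step by must stay equal, so write both as `Types::HBGlyphID::static_size + Value::static_size * (len1 + len2)`. If Value is an alias of HBUINT16 the two are equal today, but two spellings of one size can drift independently the next time the value type changes, which appears to be the class of bug this commit is fixing. The `stride` in the PairPosFormat2_4 hunk (L33) has the same mix and should use the same form. The enclosing sanitize () starts outside the first hunk.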


@ -49,7 +49,7 @@ struct PairPosFormat2_4
unsigned int len1 = valueFormat1.get_len (); unsigned int len1 = valueFormat1.get_len ();
unsigned int len2 = valueFormat2.get_len (); unsigned int len2 = valueFormat2.get_len ();
unsigned int stride = len1 + len2; unsigned int stride = HBUINT16::static_size * (len1 + len2);
unsigned int record_size = valueFormat1.get_size () + valueFormat2.get_size (); unsigned int record_size = valueFormat1.get_size () + valueFormat2.get_size ();
unsigned int count = (unsigned int) class1Count * (unsigned int) class2Count; unsigned int count = (unsigned int) class1Count * (unsigned int) class2Count;
return_trace (c->check_range ((const void *) values, return_trace (c->check_range ((const void *) values,
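Review bot: `stride` on L33 now computes the same value as `record_size` on the following line, assuming ValueFormat::get_size () is get_len () times the value size, so the function carries two names for one byte count that can diverge on a later edit. Consider deriving one from the other, e.g. `unsigned int stride = record_size; /* bytes */`, or dropping the separate stride computation where record_size can be passed instead. The multiplier here is also `HBUINT16::static_size` while the PairSet hunks use `Value::static_size` for the same purpose; pick one form across the commit. The enclosing sanitize () starts and ends outside the hunk.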


@ -28,7 +28,7 @@ struct PairSet
{ {
const ValueFormat *valueFormats; const ValueFormat *valueFormats;
unsigned int len1; /* valueFormats[0].get_len() */ unsigned int len1; /* valueFormats[0].get_len() */
unsigned int stride; /* 1 + len1 + len2 */ unsigned int stride; /* bytes */
}; };
bool sanitize (hb_sanitize_context_t *c, const sanitize_closure_t *closure) const bool sanitize (hb_sanitize_context_t *c, const sanitize_closure_t *closure) const
@ -37,7 +37,6 @@ struct PairSet
if (!(c->check_struct (this) if (!(c->check_struct (this)
&& c->check_range (&firstPairValueRecord, && c->check_range (&firstPairValueRecord,
len, len,
HBUINT16::static_size,
closure->stride))) return_trace (false); closure->stride))) return_trace (false);
unsigned int count = len; unsigned int count = len;
@ -51,7 +50,7 @@ struct PairSet
{ {
unsigned int len1 = valueFormats[0].get_len (); unsigned int len1 = valueFormats[0].get_len ();
unsigned int len2 = valueFormats[1].get_len (); unsigned int len2 = valueFormats[1].get_len ();
unsigned int record_size = HBUINT16::static_size * (1 + len1 + len2); unsigned int record_size = Types::HBGlyphID::static_size + Value::static_size * (len1 + len2);
const PairValueRecord *record = &firstPairValueRecord; const PairValueRecord *record = &firstPairValueRecord;
unsigned int count = len; unsigned int count = len;
@ -69,7 +68,7 @@ struct PairSet
{ {
unsigned int len1 = valueFormats[0].get_len (); unsigned int len1 = valueFormats[0].get_len ();
unsigned int len2 = valueFormats[1].get_len (); unsigned int len2 = valueFormats[1].get_len ();
unsigned int record_size = HBUINT16::static_size * (1 + len1 + len2); unsigned int record_size = Types::HBGlyphID::static_size + Value::static_size * (len1 + len2);
const PairValueRecord *record = &firstPairValueRecord; const PairValueRecord *record = &firstPairValueRecord;
c->input->add_array (&record->secondGlyph, len, record_size); c->input->add_array (&record->secondGlyph, len, record_size);
@ -80,7 +79,7 @@ struct PairSet
{ {
unsigned len1 = valueFormats[0].get_len (); unsigned len1 = valueFormats[0].get_len ();
unsigned len2 = valueFormats[1].get_len (); unsigned len2 = valueFormats[1].get_len ();
unsigned record_size = HBUINT16::static_size * (1 + len1 + len2); unsigned int record_size = Types::HBGlyphID::static_size + Value::static_size * (len1 + len2);
const PairValueRecord *record = &firstPairValueRecord; const PairValueRecord *record = &firstPairValueRecord;
unsigned count = len; unsigned count = len;
@ -101,7 +100,7 @@ struct PairSet
hb_buffer_t *buffer = c->buffer; hb_buffer_t *buffer = c->buffer;
unsigned int len1 = valueFormats[0].get_len (); unsigned int len1 = valueFormats[0].get_len ();
unsigned int len2 = valueFormats[1].get_len (); unsigned int len2 = valueFormats[1].get_len ();
unsigned int record_size = HBUINT16::static_size * (1 + len1 + len2); unsigned int record_size = Types::HBGlyphID::static_size + Value::static_size * (len1 + len2);
const PairValueRecord *record = hb_bsearch (buffer->info[pos].codepoint, const PairValueRecord *record = hb_bsearch (buffer->info[pos].codepoint,
&firstPairValueRecord, &firstPairValueRecord,
@ -168,7 +167,7 @@ struct PairSet
unsigned len1 = valueFormats[0].get_len (); unsigned len1 = valueFormats[0].get_len ();
unsigned len2 = valueFormats[1].get_len (); unsigned len2 = valueFormats[1].get_len ();
unsigned record_size = HBUINT16::static_size + Value::static_size * (len1 + len2); unsigned int record_size = Types::HBGlyphID::static_size + Value::static_size * (len1 + len2);
typename PairValueRecord::context_t context = typename PairValueRecord::context_t context =
{ {
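Review bot: The expression `Types::HBGlyphID::static_size + Value::static_size * (len1 + len2)` is now copied into five PairSet methods (L58, L65, L72, L79, L85) and the PairPosFormat1_3 closure; one helper returning the record size in bytes would keep them from drifting, since a mismatch between what sanitize () bounds-checks (`closure->stride`, L52) and what the other methods step by is precisely what turns a malformed table into an out-of-bounds read. The hunks at L72 and L85 also change `unsigned record_size` to `unsigned int record_size` beside `unsigned len1` / `unsigned len2`, so the spelling is now inconsistent within those two functions. The closure comment on L44 could say what the stride covers, `/* bytes per PairValueRecord: secondGlyph + (len1 + len2) values */`. Each of these methods begins outside its hunk.
```cpp
  /* Size in bytes of one PairValueRecord: the second-glyph id followed by
   * (len1 + len2) Value entries.  Must match the stride sanitize () checks with. */
  static unsigned get_record_size (const ValueFormat *valueFormats)
  {
    return Types::HBGlyphID::static_size
	 + Value::static_size * (valueFormats[0].get_len () + valueFormats[1].get_len ());
  }
  // … unchanged: each method's `unsigned int record_size = ...;` line becomes
  //   unsigned int record_size = get_record_size (valueFormats);
```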


@ -371,7 +371,7 @@ struct ValueFormat : HBUINT16
for (unsigned int i = 0; i < count; i++) { for (unsigned int i = 0; i < count; i++) {
if (!sanitize_value_devices (c, base, values)) if (!sanitize_value_devices (c, base, values))
return_trace (false); return_trace (false);
values += stride; values = &StructAtOffset<const Value> (values, stride);
} }
return_trace (true); return_trace (true);