From 9af33d7a2ad5ce88fc508bc5c6a56be4650d2621 Mon Sep 17 00:00:00 2001
From: Michiharu Ariza
Date: Mon, 3 Dec 2018 14:48:46 -0800
Subject: [PATCH 1/5] Number to use double for all types
---
 src/hb-cff-interp-common.hh | 84 ++++++-------------------------------
 1 file changed, 13 insertions(+), 71 deletions(-)
diff --git a/src/hb-cff-interp-common.hh b/src/hb-cff-interp-common.hh
index aa2a1b95b..2ec056ffc 100644
--- a/src/hb-cff-interp-common.hh
+++ b/src/hb-cff-interp-common.hh
@@ -218,80 +218,41 @@ inline unsigned int OpCode_Size (OpCode op) { return Is_OpCode_ESC (op) ? 2: 1; struct Number { inline void init (void) - { set_int (0); } + { set_real (0.0); } inline void fini (void) {} - inline void set_int (int v) { format = NumInt; u.int_val = v; } - inline int to_int (void) const { return is_int ()? u.int_val: (int)to_real (); } - inline void set_fixed (int32_t v) { format = NumFixed; u.fixed_val = v; } + inline void set_int (int v) { value = (double)v; } + inline int to_int (void) const { return (int)value; } + inline void set_fixed (int32_t v) { value = v / 65536.0; } inline int32_t to_fixed (void) const { - if (is_fixed ()) - return u.fixed_val; - else if (is_real ()) - return (int32_t)(u.real_val * 65536.0f); - else - return (int32_t)(u.int_val << 16); + return (int32_t)(value * 65536.0); } - inline void set_real (float v) { format = NumReal; u.real_val = v; } + inline void set_real (float v) { value = (double)v; } inline float to_real (void) const { - if (is_real ()) - return u.real_val; - if (is_fixed ()) - return u.fixed_val / 65536.0f; - else - return (float)u.int_val; + return (float)value; } inline int ceil (void) const { - switch (format) - { - default: - case NumInt: - return u.int_val; - case NumFixed: - return (u.fixed_val + 0xFFFF) >> 16; - case NumReal: - return (int)ceilf (u.real_val); - } + return (int)::ceil (value); } inline int floor (void) const { - switch (format) - { - default: - case NumInt: - return u.int_val; - case NumFixed: - return u.fixed_val >> 16; - case NumReal: - return (int)floorf (u.real_val); - } + return (int)::floor (value); } inline bool in_int_range (void) const { - if (is_int ()) - return true; - if (is_fixed () && ((u.fixed_val & 0xFFFF) == 0)) - return true; - else - return ((float)(int16_t)to_int () == u.real_val); + return ((double)(int16_t)to_int () == value); } inline bool operator > (const Number &n) const { - switch (format) - { - default: - case NumInt: return u.int_val > n.to_int (); - 
case NumFixed: return u.fixed_val > n.to_fixed (); - case NumReal: return u.real_val > n.to_real (); - } + return value > n.to_real (); } inline bool operator < (const Number &n) const @@ -305,32 +266,13 @@ struct Number inline const Number &operator += (const Number &n) { - if (format == NumReal || n.format == NumReal) - set_real (to_real () + n.to_real ()); - else if (format == NumFixed || n.format == NumFixed) - set_fixed (to_fixed () + n.to_fixed ()); - else - set_int (to_int () + n.to_int ()); + set_real (to_real () + n.to_real ()); return *this; } protected: - enum NumFormat { - NumInt, - NumFixed, - NumReal - }; - NumFormat format; - union { - int int_val; - int32_t fixed_val; - float real_val; - } u; - - inline bool is_int (void) const { return format == NumInt; } - inline bool is_fixed (void) const { return format == NumFixed; } - inline bool is_real (void) const { return format == NumReal; } + double value; }; /* byte string */ From 9e5180cd444b6900a0fa0c3df4c8138f9a663383 Mon Sep 17 00:00:00 2001 From: Michiharu Ariza Date: Mon, 3 Dec 2018 15:32:42 -0800 Subject: [PATCH 2/5] more double changes --- src/hb-cff-interp-common.hh | 8 ++++---- src/hb-cff-interp-dict-common.hh | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/hb-cff-interp-common.hh b/src/hb-cff-interp-common.hh index 2ec056ffc..396bc8c75 100644 --- a/src/hb-cff-interp-common.hh +++ b/src/hb-cff-interp-common.hh @@ -229,10 +229,10 @@ struct Number { return (int32_t)(value * 65536.0); } - inline void set_real (float v) { value = (double)v; } - inline float to_real (void) const + inline void set_real (double v) { value = (double)v; } + inline double to_real (void) const { - return (float)value; + return value; } inline int ceil (void) const @@ -520,7 +520,7 @@ struct ArgStack : Stack n.set_fixed (v); } - inline void push_real (float v) + inline void push_real (double v) { ARG &n = S::push (); n.set_real (v); 
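Review bot: The new `to_int`, `to_fixed`, `ceil` and `floor` cast the stored double straight to an integer type (`(int)value`, `(int32_t)(value * 65536.0)`), and in C++ that conversion is undefined when the truncated value does not fit the destination, which includes NaN and infinity. The operands are read from font data, so the removed `u.int_val << 16` overflow is in effect traded for a float-to-int overflow rather than eliminated. `in_int_range` goes through `to_int ()` itself, so it cannot act as the guard. I would route the four conversions through one saturating helper, as sketched below; the sketch assumes `INT_MAX`/`INT_MIN` are visible in this header and that `int` is 32 bits wide, and `struct Number` continues past the hunk.

```cpp
struct Number
{
  /* … unchanged: init, fini, set_int, set_fixed, set_real, to_real … */

  /* Saturating double -> int conversion; NaN maps to 0. */
  static inline int to_int_saturated (double v)
  {
    if (v != v) return 0;
    if (v >= (double) INT_MAX) return INT_MAX;
    if (v <= (double) INT_MIN) return INT_MIN;
    return (int) v;
  }

  inline int to_int (void) const { return to_int_saturated (value); }
  inline int32_t to_fixed (void) const { return (int32_t) to_int_saturated (value * 65536.0); }
  inline int ceil (void) const { return to_int_saturated (::ceil (value)); }
  inline int floor (void) const { return to_int_saturated (::floor (value)); }
```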
diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh index aff356259..2822af40c 100644 --- a/src/hb-cff-interp-dict-common.hh +++ b/src/hb-cff-interp-dict-common.hh @@ -103,9 +103,9 @@ struct DictOpSet : OpSet } } - static inline float parse_bcd (SubByteStr& substr) + static inline double parse_bcd (SubByteStr& substr) { - float v = 0.0f; + double v = 0.0; bool neg = false; double int_part = 0; @@ -126,7 +126,7 @@ struct DictOpSet : OpSet if (!substr.avail ()) { substr.set_error (); - return 0.0f; + return 0.0; } byte = substr[0]; substr.inc (); @@ -152,13 +152,13 @@ struct DictOpSet : OpSet else value *= pow (10.0, (double)exp_part); } - return (float)value; + return value; case NEG: if (i != 0) { substr.set_error (); - return 0.0f; + return 0.0; } neg = true; break; From 5fff6ab0024547a8ac47723a0047f4b17416d6ce Mon Sep 17 00:00:00 2001 From: Michiharu Ariza Date: Mon, 3 Dec 2018 16:06:58 -0800 Subject: [PATCH 3/5] additional precision made a difference in extents test --- src/hb-cff-interp-common.hh | 2 +- src/hb-cff2-interp-cs.hh | 2 +- test/api/test-ot-extents-cff.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/hb-cff-interp-common.hh b/src/hb-cff-interp-common.hh index 396bc8c75..f2ccc2bdd 100644 --- a/src/hb-cff-interp-common.hh +++ b/src/hb-cff-interp-common.hh @@ -229,7 +229,7 @@ struct Number { return (int32_t)(value * 65536.0); } - inline void set_real (double v) { value = (double)v; } + inline void set_real (double v) { value = v; } inline double to_real (void) const { return value; diff --git a/src/hb-cff2-interp-cs.hh b/src/hb-cff2-interp-cs.hh index 8d193d621..935a1a1fc 100644 --- a/src/hb-cff2-interp-cs.hh +++ b/src/hb-cff2-interp-cs.hh @@ -169,7 +169,7 @@ struct CFF2CSInterpEnv : CSInterpEnv { if (likely (scalars.len == arg.deltas.len)) { - float v = arg.to_real (); + double v = arg.to_real (); for (unsigned int i = 0; i < scalars.len; i++) { v += scalars[i] * arg.deltas[i].to_real (); 
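Review bot: `parse_bcd` now returns `value` unnarrowed at `return value;`, and nothing in this hunk checks it after `value *= pow (10.0, (double)exp_part);`, so an exponent taken from the font's BCD operand can yield an infinite result (how `exp_part` is bounded is not visible here). That value is then stored in a `Number` and can reach its integer conversions. Consider rejecting it on the same path as the other malformed cases, with `if (!isfinite (value)) { substr.set_error (); return 0.0; }` just before the return, assuming `isfinite` is available to this header. The body of `parse_bcd` starts and ends outside the hunk.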
diff --git a/test/api/test-ot-extents-cff.c b/test/api/test-ot-extents-cff.c index 49b87997e..bb70a6268 100644 --- a/test/api/test-ot-extents-cff.c +++ b/test/api/test-ot-extents-cff.c @@ -171,7 +171,7 @@ test_extents_cff2_vsindex (void) g_assert_cmpint (extents.x_bearing, ==, 11); g_assert_cmpint (extents.y_bearing, ==, 656); g_assert_cmpint (extents.width, ==, 653); - g_assert_cmpint (extents.height, ==, -656); + g_assert_cmpint (extents.height, ==, -657); result = hb_font_get_glyph_extents (font, 2, &extents); g_assert (result); From 9424e8052686a6a93e0d30e38aecbe927db9d787 Mon Sep 17 00:00:00 2001 From: Michiharu Ariza Date: Mon, 3 Dec 2018 16:18:10 -0800 Subject: [PATCH 4/5] added minimized test cases --- ...ase-minimized-hb-shape-fuzzer-5647267827023872 | Bin 0 -> 655 bytes ...ase-minimized-hb-shape-fuzzer-5725855502827520 | Bin 0 -> 655 bytes ...ase-minimized-hb-shape-fuzzer-5736657639178240 | Bin 0 -> 459 bytes 3 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5647267827023872 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5725855502827520 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5736657639178240 
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5647267827023872 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5647267827023872 new file mode 100644 index 0000000000000000000000000000000000000000..068e7e8f7a2dd493f7c6174ade1c28d1f0b3633f GIT binary patch literal 655 zcmeYd3Grv(VQ64r7IAQPb5qzQ>v)NQf#C|nD~5;eF0O72f(*P23@kCC3=CrK0sg@* zWj>`qegaU9f_rd+(~U)^CIk6Xfc#DV!DoyjrYE>CFfcm+`3cFniMb5YO!`3n9fsEo z2^p!0DSRrWF$@e$JAm@W89)IRLuL`6ybO@9l95|dAr#EG87Th&$k)nEtSDgM4FED3 z&Hyo6USe)4vn)3UQ2hc%MvyQA!~Zr0BN&^30jL(}T1EyICI&`EMvl6S{a?--BXLtS2|K9eKMO=Z4?fbzeqKaI6 zdw+U}Dsl0B`=0ajjHoi#GJy{`fdK#ipV$oqhX^QO>`N3hlEsv{0)9(?O#Sgrv)NQf#C`R1LH$?7gsk1K?Yt129_A0n3#Kjf3QoL zPbrXJ0^}>W2ZuV{SafPKkUvF$fnk$>u)a~m^aK|M24)AKd_r<=VgZ9RlRl7t2gJ`v zO-$iaDFvFvv;)XD%K!?n7&40ht1S+W`3r3=BZEK-V%durM(&GBR?6=4FaeK_`m@)Rs|@-!yv+-4N}3% zz{Us+GX@R@P9T?yfg32r2xI{T!9bboyU5>SkS#wLf1VLl=K3un1|`0SKqS65{`(J- z@c%6#sswTrk~)5f7>3>esQ5dPACaPyg&9~F8Tstk;hq4w|Mx`}xcl)qALwFcp!r literal 0 HcmV?d00001 diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5736657639178240 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5736657639178240 new file mode 100644 index 0000000000000000000000000000000000000000..343429cfa9898c397059c55ee123c3c01267c6c5 GIT binary patch literal 459 zcmeYd3Grv(VQ64rW^izJb5qzQ>v)NQf#C`R1LH$?7gsk1K?Yt129_A0n3#LO#*Hpz zKBYi@36QVg9vtd)W6`O}K>idUf0KW(zG1}l1Q!MdW(OcYAvrg(fI*r`pMep`1A>gy z#1uZ2QlME(?jer8W*I;M7DHwcpn4ggv`R*9Nrg}_<7S}z2OwW7H?g9Cfj0o8^$ZZR zlAiucee;b1l(0&^rUx9%Es21p2Mg|rp21Z6kj?m(g%)HbR z5L@X7Kf@0d#viIoKUA52NU;3*QT{Xd7Z2-qIsVB%{xf`66=dLMWMpCI;uR1Ula#S_ z3DGkQ(K8CsGY-`QnhgYukM#`0^o+vvjGglfDvL7HGfEURk~I~K3=A!F6kHO^GE)?s z^FvdUit Date: Mon, 3 Dec 2018 16:59:41 -0800 Subject: [PATCH 5/5] more double changes --- src/hb-cff2-interp-cs.hh | 4 ++-- test/api/test-ot-extents-cff.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/src/hb-cff2-interp-cs.hh b/src/hb-cff2-interp-cs.hh index 935a1a1fc..d258b8148 100644 --- a/src/hb-cff2-interp-cs.hh +++ b/src/hb-cff2-interp-cs.hh @@ -49,7 +49,7 @@ struct BlendArg : Number inline void set_int (int v) { reset_blends (); Number::set_int (v); } inline void set_fixed (int32_t v) { reset_blends (); Number::set_fixed (v); } - inline void set_real (float v) { reset_blends (); Number::set_real (v); } + inline void set_real (double v) { reset_blends (); Number::set_real (v); } inline void set_blends (unsigned int numValues_, unsigned int valueIndex_, unsigned int numBlends, const BlendArg *blends_) @@ -172,7 +172,7 @@ struct CFF2CSInterpEnv : CSInterpEnv double v = arg.to_real (); for (unsigned int i = 0; i < scalars.len; i++) { - v += scalars[i] * arg.deltas[i].to_real (); + v += (double)scalars[i] * arg.deltas[i].to_real (); } arg.set_real (v); arg.deltas.resize (0); diff --git a/test/api/test-ot-extents-cff.c b/test/api/test-ot-extents-cff.c index bb70a6268..49b87997e 100644 --- a/test/api/test-ot-extents-cff.c +++ b/test/api/test-ot-extents-cff.c @@ -171,7 +171,7 @@ test_extents_cff2_vsindex (void) g_assert_cmpint (extents.x_bearing, ==, 11); g_assert_cmpint (extents.y_bearing, ==, 656); g_assert_cmpint (extents.width, ==, 653); - g_assert_cmpint (extents.height, ==, -657); + g_assert_cmpint (extents.height, ==, -656); result = hb_font_get_glyph_extents (font, 2, &extents); g_assert (result);
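Review bot: `BlendArg::set_real` hides `Number::set_real` rather than overriding it, so its parameter type has to be kept in step by hand. The `float` version removed here would have narrowed every double passed through a `BlendArg`, which is presumably why the expected height in test-ot-extents-cff.c moved to -657 and is now back at -656. A short comment on the three setters would keep that from recurring, e.g. `/* These hide Number::set_*; keep parameter types identical or values are silently narrowed. */`. In the second hunk, if `scalars[i]` is a float the `(double)` cast does not change the product, since the other operand is already a double; it is fine as a statement of intent but it is not what changes the result.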