Limit OT::Lookup subtables (#2219)

Fixes https://crbug.com/oss-fuzz/13943
2020-03-02 22:41:08 +03:30 · 2020-03-02 22:41:08 +03:30 · d383603976
parent 29efd964f2
commit d383603976
3 changed files with 16 additions and 4 deletions
--- a/src/hb-ot-layout-common.hh
+++ b/src/hb-ot-layout-common.hh
@ -1097,6 +1097,10 @@ struct Lookup
  {
    TRACE_SANITIZE (this);
    if (!(c->check_struct (this) && subTable.sanitize (c))) return_trace (false);
+
+    unsigned subtables = get_subtable_count ();
+    if (unlikely (!c->visit_subtables (subtables))) return_trace (false);
+
    if (lookupFlag & LookupFlag::UseMarkFilteringSet)
    {
      const HBUINT16 &markFilteringSet = StructAfter<HBUINT16> (subTable);
@ -1119,8 +1123,7 @@ struct Lookup
       * https://bugs.chromium.org/p/chromium/issues/detail?id=960331
       */
      unsigned int type = get_subtable<TSubTable> (0).u.extension.get_type ();
-      unsigned int count = get_subtable_count ();
-      for (unsigned int i = 1; i < count; i++)
+      for (unsigned int i = 1; i < subtables; i++)
 	if (get_subtable<TSubTable> (i).u.extension.get_type () != type)
 	  return_trace (false);
    }
--- a/src/hb-sanitize.hh
+++ b/src/hb-sanitize.hh
@ -113,6 +113,9 @@
 #ifndef HB_SANITIZE_MAX_OPS_MAX
 #define HB_SANITIZE_MAX_OPS_MAX 0x3FFFFFFF
 #endif
+#ifndef HB_SANITIZE_MAX_SUTABLES
+#define HB_SANITIZE_MAX_SUTABLES 0x4000
+#endif

 struct hb_sanitize_context_t :
       hb_dispatch_context_t<hb_sanitize_context_t, bool, HB_DEBUG_SANITIZE>
@ -120,7 +123,7 @@ struct hb_sanitize_context_t :
  hb_sanitize_context_t () :
 	debug_depth (0),
 	start (nullptr), end (nullptr),
-	max_ops (0),
+	max_ops (0), max_subtables (0),
 	writable (false), edit_count (0),
 	blob (nullptr),
 	num_glyphs (65536),
@ -134,6 +137,12 @@ struct hb_sanitize_context_t :
  static return_t no_dispatch_return_value () { return false; }
  bool stop_sublookup_iteration (const return_t r) const { return !r; }

+  bool visit_subtables (unsigned count)
+  {
+    max_subtables += count;
+    return max_subtables < HB_SANITIZE_MAX_SUTABLES;
+  }
+
  private:
  template <typename T, typename ...Ts> auto
  _dispatch (const T &obj, hb_priority<1>, Ts&&... ds) HB_AUTO_RETURN
@ -380,7 +389,7 @@ struct hb_sanitize_context_t :

  mutable unsigned int debug_depth;
  const char *start, *end;
-  mutable int max_ops;
+  mutable int max_ops, max_subtables;
  private:
  bool writable;
  unsigned int edit_count;
--- a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5666162551029760
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5666162551029760