- Lookup::closure_lookups also checks if the lookups visited and sets the lookup to visited. If we set visited in 'recurse' then Lookup::closure_lookups will fail to recurse into the children of the lookup.
- Also when copying ChainRule's skip LookupRecord's that point to lookups which aren't retained. This matches FontTool's behaviour.
If the table is kept, when the table is present but only the accelerator
allocation failed, then we run into nullptr dereferences downstream in
hb_ot_map_t::apply when trying to access proxy.accels[i].
To fix this, instead of only setting lookup_count of accelerator_t
itself, drop the whole table to avoid hb-ot-map construction assuming
that the lookups will work correctly despite accelerator allocation
having failed.
Fixes:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24490https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24490
This matches fontTools behaviour. glyphset_gsub does not contain gids added from closing over composite glyphs in glyf, since these cannot particpate in GSUB/GPOS processing.
The backtrack, input, and lookahead sequence must be matched in their entirety so these sequences should not be subset. If any of the coverage tables in a sequence subsets to empty then the whole subtable should be dropped since it's not possible for this lookup to be activated.
First time we do this in a way that if target object doesn't have the matching
function we basically "ignore". Risky but I feel like is the right decision
for this case.
I'm going to put back the template varargs and use those, which would make
the dispatcher be just that: "dispatcher", and wouldn't need to carry the
call context. That would be a refreshing change I think.
In file included from hb-ot-face.cc:34:
In file included from ./hb-ot-kern-table.hh:30:
In file included from ./hb-aat-layout-kerx-table.hh:31:
In file included from ./hb-kern.hh:32:
In file included from ./hb-ot-layout-gpos-table.hh:32:
./hb-ot-layout-gsubgpos.hh:1878:63: error: loop variable '_' binds to a temporary value produced by a range of type 'decltype((hb_forward<hb_filter_iter_factory_t<hb_map_t &, const (anonymous struct at ./hb-algs.hh:331:1) &>>(rhs)(hb_forward<hb_zip_iter_t<hb_iota_iter_t<unsigned int, unsigned int>, hb_array_t<const OT::OffsetTo<OT::RuleSet, OT::IntType<unsigned short, 2>, true>>>>(lhs))))' (aka 'hb_filter_iter_t<hb_zip_iter_t<hb_iota_iter_t<unsigned int, unsigned int>, hb_array_t<const OT::OffsetTo<OT::RuleSet, OT::IntType<unsigned short, 2>, true>>>, hb_map_t &, const (anonymous struct at ./hb-algs.hh:331:1) &>') [-Werror,-Wrange-loop-bind-reference]
for (const hb_pair_t<unsigned, const OffsetTo<RuleSet>&>& _ : + hb_enumerate (ruleSet)
^
./hb-ot-layout-gsubgpos.hh:1878:10: note: use non-reference type 'hb_pair_t<unsigned int, const OffsetTo<OT::RuleSet> &>'
for (const hb_pair_t<unsigned, const OffsetTo<RuleSet>&>& _ : + hb_enumerate (ruleSet)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Behdad Esfahbod
Garret Rieger
Dominik Röttsches
Ebrahim Byagowi
Qunxin Liu