Garret Rieger
647b024784
[subset] Fix fuzzer issue https://oss-fuzz.com/testcase-detail/6521393809588224
2023-04-18 13:21:46 -06:00
Garret Rieger
2cd81fdfb6
[subset] fix memory leak.
...
Fixes fuzzer issue https://oss-fuzz.com/testcase-detail/6169920089227264
2023-03-30 16:19:41 -06:00
Garret Rieger
be87200106
[subset] fix buffer overflow fuzzer reported issue.
2023-03-25 10:11:46 -04:00
Garret Rieger
79ae6b657f
[subset] Fix fuzzer found memory leaks.
2023-03-25 10:11:46 -04:00
Garret Rieger
f0f7f22525
[subset] fix fuzzer found null deref.
...
https://oss-fuzz.com/testcase-detail/5844352760152064
2023-03-21 11:41:09 -06:00
Garret Rieger
3d05b96181
[subset] track which glyphs have allocated memory so we can clean up correctly.
...
Fixes https://oss-fuzz.com/testcase-detail/5388270411579392
2023-03-13 16:03:58 -06:00
Garret Rieger
7a87b17742
Check for failed subset input creation in the fuzzer.
2023-03-13 15:21:25 -06:00
Garret Rieger
28b05e1cb6
[subset] Fix memory leak in glyf subset.
...
Fixes fuzzer issue: https://oss-fuzz.com/testcase-detail/6525813890875392 .
2023-03-08 17:02:04 -07:00
Garret Rieger
9286e12525
Don't subset a glyf table with an unknown format.
...
Fixes fuzzer issue: https://oss-fuzz.com/testcase-detail/4875306193518592
2023-03-08 14:51:54 -07:00
Garret Rieger
c0fac016dc
[subset] update the subset fuzzer to be able to reach instancing code.
2023-02-27 15:07:04 -07:00
Garret Rieger
918193ebf9
[subset] fix a class of fuzzer timeouts caused by large shared coverage tables.
...
More acurately estimates the op count for CoverageFormat2 tables as the population size instead of the size in bytes.
2023-02-22 16:57:39 -07:00
Behdad Esfahbod
64fa5cd482
[GPOS] Fix assert fail introduced recently
...
Was introduced in 8708b9e081
.
If these lookups are recursed to from (Chain)Context out-of-order,
it was possible that last_base > buffer->idx, in which case we
were attaching marks to a base after them... and an assertion
was failing fortunately.
Fixes https://oss-fuzz.com/testcase-detail/6377756666757120
2023-02-07 15:52:53 -07:00
Behdad Esfahbod
b63159e8bf
[PairPosFormat1] Fix stride
...
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55287
and generally the lookup with MediumTypes.
2023-01-21 15:51:40 -07:00
Garret Rieger
40342c9437
[subset] check for addition overflow in hdmx size calculation.
...
Fixes https://oss-fuzz.com/testcase-detail/4877336988483584 .
2022-12-21 16:44:06 -07:00
Garret Rieger
b5acde43ed
[subset] check pending/subsetted tag sets for alloc failure.
2022-12-13 15:31:40 -07:00
Garret Rieger
dd1ba328a8
[repacker] fix fuzzer timeout.
...
For https://oss-fuzz.com/testcase-detail/5845846876356608 . Only process the set of unique overflows.
2022-11-21 16:24:48 -07:00
Behdad Esfahbod
e854739b2d
[fuzzing] Add test font for previous commit
2022-10-26 13:12:56 -06:00
Qunxin Liu
7fde6ab025
fuzzer fix: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49790
2022-08-05 15:10:31 -06:00
Behdad Esfahbod
bdbb8c297e
Add test for previous commit
2022-07-29 12:04:28 -06:00
Behdad Esfahbod
e2cc34e190
[subset/GPOS] Fix a fuzzer timeout test
...
Fixes https://oss-fuzz.com/testcase-detail/5234369031176192
2022-07-26 12:31:40 -06:00
Behdad Esfahbod
4cb83967aa
[subset/ClassDefFormat2] Fix timeout
...
Fixes https://oss-fuzz.com/testcase-detail/5417800474165248
2022-07-23 11:00:20 -06:00
Behdad Esfahbod
32c85b8c8c
[avar2] Fix mapping when coords length don't match
...
Ouch.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49407
2022-07-23 10:50:26 -06:00
Behdad Esfahbod
9eab3ac72d
[CoverageFormat2] Remove hand-written loop
...
While on a fuzzer-found test case (added) that loop was faster,
on real fonts, including NotoNastaliq in our benchmark, it was
actually slower, which intuitively I would have expected.
Still no idea why on that fuzzer case it's faster though. :(
2022-07-21 12:36:53 -06:00
Behdad Esfahbod
3c84aa8416
[cff] Add a max work counter
...
Set to 10,000 per interpretation right now.
Fixes https://github.com/harfbuzz/harfbuzz/issues/3700
Fixes https://oss-fuzz.com/testcase-detail/5667125715927040
2022-07-18 13:57:59 -06:00
Garret Rieger
311413f16b
[subset] Fix fuzzer issue.
...
Fixes https://oss-fuzz.com/testcase-detail/5693568490012672 . new_index should be set from new_index2 when the entry is present in the map.
2022-06-14 17:49:13 +01:00
Behdad Esfahbod
62e803b361
[sbix] Limit glyph extents
...
Fixes https://github.com/harfbuzz/harfbuzz/issues/3557
2022-06-01 07:39:20 -06:00
Garret Rieger
8f9f0c494b
[subset] Enforce cmap12 group ordering constraints in collect_mapping.
...
Fixes fuzzer issue: https://oss-fuzz.com/testcase-detail/6365271012540416
2022-05-10 12:15:09 -06:00
Garret Rieger
b051f3fa83
[subset] Fix cpal subsetting when there are partial palette overlaps.
...
The existing code doesn't correctly handle the case where palettes partially overlap in the color record array. This changes the subsetting to only share entries in the color record array when palettes have the same first color index. Partially overlapping palettes will be converted to disjoint segments in the color record array.
Updates one of the color tests to use multiple palettes.
Also fixes fuzzer: https://oss-fuzz.com/testcase-detail/5568200165687296 .
2022-05-09 12:25:05 -06:00
Behdad Esfahbod
ca8a0f3ea3
[gvar] Protect against out-of-range access
...
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47281
Fixes https://oss-fuzz.com/testcase-detail/5508865908670464
2022-05-06 11:54:38 -06:00
Behdad Esfahbod
a665e29ed7
[use] Avoid O(n^2) in the machine
...
Fixes https://github.com/harfbuzz/harfbuzz/issues/3502
2022-03-25 15:17:55 -06:00
Behdad Esfahbod
03085132ba
[buffer] Fix out-buffer under memory-alloc failure
...
This was broken in July refactoring of the buffer, and exposed to
ReverseChainSingleSubstFormat1 in 3807061d63
Fixes:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38800
https://bugs.chromium.org/p/chromium/issues/detail?id=1303552
2022-03-21 18:09:06 -06:00
Behdad Esfahbod
af407dd24d
Add a fuzzer font
2022-02-12 14:22:35 -06:00
Garret Rieger
4e2f409bce
[subset] Don't hold references to members of the active_glyph_stack.
...
These references may get invalidated after the vector for the stack is resized. Fixes: https://oss-fuzz.com/testcase-detail/5422577634377728
2022-01-31 22:58:53 +02:00
Garret Rieger
87496bf63e
[subset] fix fuzzer timeout if visisted_paint goes into error.
2022-01-13 11:08:24 -08:00
Garret Rieger
067f90a820
[subset] Fix for fuzzer timeout.
...
Fixes https://oss-fuzz.com/testcase-detail/5549945449480192
In prune_langsys: move LangSys visited check up before any work is done for a LangSys. In this particular case the compare() method is responsible for the majority of the time spent and wasn't being guarded with a visisted check.
2021-12-14 17:34:21 -07:00
Garret Rieger
c4573c2ec7
[repacker] don't infinite loop if visited or roots is in error.
...
Fixes https://oss-fuzz.com/testcase-detail/5205038086094848
2021-12-14 15:57:48 -07:00
Garret Rieger
ace98cc65f
[subset] Only sanitize recursion depth in COLR.
2021-11-10 10:34:46 -07:00
Garret Rieger
f51b48c8e7
[subset] Fix fuzzer found memory leak.
...
Happens because an insert into a map with an invalid key reports successful, but this causes the set being inserted to be lost.
2021-11-02 17:00:07 -07:00
Qunxin Liu
0a7563a53f
[subset] fuzzer fix: https://oss-fuzz.com/testcase?key=6254792024915968
...
Make sure input is valid, each gid has a corresponding offset value in
the map
2021-11-02 15:25:18 -07:00
Qunxin Liu
85deddb16e
[subset] fuzzer fix: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40406
2021-10-27 16:16:15 -07:00
Qunxin Liu
794b00db4b
[subset] fuzzer fix: https://oss-fuzz.com/testcase-detail/6616166961905664
2021-09-29 10:29:06 -06:00
Garret Rieger
74f96d9d4b
[repacker] fix heap use after free in repacker.
...
Don't store a reference to the link in overflow records as the link object may be freed if the sorted graph vector is resized.
2021-09-19 09:06:17 -06:00
Garret Rieger
fb07f8f876
During subset input creation check for set alloc failures and fail if encountered.
2021-08-24 10:59:14 -06:00
Garret Rieger
dc31920bbe
Don't serialize null offsets in CPAL.
...
Fixes https://oss-fuzz.com/testcase-detail/5443213648330752
2021-08-18 16:52:45 -06:00
Garret Rieger
c0f3af91b8
[subset] speed up add_gid_and_children and adjust op limit.
...
Fix for fuzzer timeout: https://oss-fuzz.com/testcase-detail/5001604901240832 .
- Operation limit is per glyph, so 100,000 should still be far more than needed.
- Switches from for(...) to while(...) loop for iteration. for(...) calls it.end() which in this case triggers a complete iteration.
- Cache CompositeGlyph size in the iterator to avoid needing to recalculate it.
2021-08-12 14:50:42 -06:00
Garret Rieger
c08f1b8903
[map] fix incorrect population count in hash map.
...
If the same key was set twice the population was being incorrectly incremented.
2021-08-10 14:00:55 -06:00
Garret Rieger
8c0c217b5a
[subset] fail reference blob in face builder if allocation for table sorting fails.
...
Fixes https://oss-fuzz.com/testcase-detail/5041767803125760
2021-08-06 15:54:41 -06:00
Behdad Esfahbod
5086e10538
[test] Add failing fuzzer test case
...
From https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36236
https://oss-fuzz.com/testcase-detail/5061207689134080
2021-08-04 11:55:53 -06:00
Behdad Esfahbod
0ded6a70c8
[subset] Fix another fuzzer issue
...
Addition could overflow on 32bit arch.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36636
Fixes https://oss-fuzz.com/testcase-detail/5072358514753536
2021-07-28 11:35:27 -06:00
Garret Rieger
09474d8d7b
[subset] Fix fuzzer timeout in add_gid_and_children.
...
The composite glyph graph isn't check for max operations by sanitize so track an operations count during the graph traversal.
2021-07-27 13:30:06 -06:00