Commit Graph

182 Commits

Author SHA1 Message Date
Behdad Esfahbod 03085132ba [buffer] Fix out-buffer under memory-alloc failure
This was broken in July refactoring of the buffer, and exposed to
ReverseChainSingleSubstFormat1 in 3807061d63

Fixes:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38800
https://bugs.chromium.org/p/chromium/issues/detail?id=1303552
2022-03-21 18:09:06 -06:00
Behdad Esfahbod af407dd24d Add a fuzzer font 2022-02-12 14:22:35 -06:00
Garret Rieger 4e2f409bce [subset] Don't hold references to members of the active_glyph_stack.
These references may get invalidated after the vector for the stack is resized. Fixes: https://oss-fuzz.com/testcase-detail/5422577634377728
2022-01-31 22:58:53 +02:00
Garret Rieger 87496bf63e [subset] fix fuzzer timeout if visisted_paint goes into error. 2022-01-13 11:08:24 -08:00
Garret Rieger 067f90a820 [subset] Fix for fuzzer timeout.
Fixes https://oss-fuzz.com/testcase-detail/5549945449480192

In prune_langsys: move LangSys visited check up before any work is done for a LangSys. In this particular case the compare() method is responsible for the majority of the time spent and wasn't being guarded with a visisted check.
2021-12-14 17:34:21 -07:00
Garret Rieger c4573c2ec7 [repacker] don't infinite loop if visited or roots is in error.
Fixes https://oss-fuzz.com/testcase-detail/5205038086094848
2021-12-14 15:57:48 -07:00
Garret Rieger ace98cc65f [subset] Only sanitize recursion depth in COLR. 2021-11-10 10:34:46 -07:00
Garret Rieger f51b48c8e7 [subset] Fix fuzzer found memory leak.
Happens because an insert into a map with an invalid key reports successful, but this causes the set being inserted to be lost.
2021-11-02 17:00:07 -07:00
Qunxin Liu 0a7563a53f [subset] fuzzer fix: https://oss-fuzz.com/testcase?key=6254792024915968
Make sure input is valid, each gid has a corresponding offset value in
the map
2021-11-02 15:25:18 -07:00
Qunxin Liu 85deddb16e [subset] fuzzer fix: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40406 2021-10-27 16:16:15 -07:00
Qunxin Liu 794b00db4b [subset] fuzzer fix: https://oss-fuzz.com/testcase-detail/6616166961905664 2021-09-29 10:29:06 -06:00
Garret Rieger 74f96d9d4b [repacker] fix heap use after free in repacker.
Don't store a reference to the link in overflow records as the link object may be freed if the sorted graph vector is resized.
2021-09-19 09:06:17 -06:00
Garret Rieger fb07f8f876 During subset input creation check for set alloc failures and fail if encountered. 2021-08-24 10:59:14 -06:00
Garret Rieger dc31920bbe Don't serialize null offsets in CPAL.
Fixes https://oss-fuzz.com/testcase-detail/5443213648330752
2021-08-18 16:52:45 -06:00
Garret Rieger c0f3af91b8 [subset] speed up add_gid_and_children and adjust op limit.
Fix for fuzzer timeout: https://oss-fuzz.com/testcase-detail/5001604901240832.

- Operation limit is per glyph, so 100,000 should still be far more than needed.
- Switches from for(...) to while(...) loop for iteration. for(...) calls it.end() which in this case triggers a complete iteration.
- Cache CompositeGlyph size in the iterator to avoid needing to recalculate it.
2021-08-12 14:50:42 -06:00
Garret Rieger c08f1b8903 [map] fix incorrect population count in hash map.
If the same key was set twice the population was being incorrectly incremented.
2021-08-10 14:00:55 -06:00
Garret Rieger 8c0c217b5a [subset] fail reference blob in face builder if allocation for table sorting fails.
Fixes https://oss-fuzz.com/testcase-detail/5041767803125760
2021-08-06 15:54:41 -06:00
Behdad Esfahbod 5086e10538 [test] Add failing fuzzer test case
From https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36236
https://oss-fuzz.com/testcase-detail/5061207689134080
2021-08-04 11:55:53 -06:00
Behdad Esfahbod 0ded6a70c8 [subset] Fix another fuzzer issue
Addition could overflow on 32bit arch.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36636
Fixes https://oss-fuzz.com/testcase-detail/5072358514753536
2021-07-28 11:35:27 -06:00
Garret Rieger 09474d8d7b [subset] Fix fuzzer timeout in add_gid_and_children.
The composite glyph graph isn't check for max operations by sanitize so track an operations count during the graph traversal.
2021-07-27 13:30:06 -06:00
Behdad Esfahbod c68a00b92e [subset] Fix possible overflows in VarRegionList serialize
Fixes https://oss-fuzz.com/testcase-detail/5362189182566400
2021-07-27 13:28:09 -06:00
Qunxin Liu 7416faceeb [subset] fuzzer fix: https://oss-fuzz.com/testcase-detail/5715464591376384 2021-07-08 09:09:30 -07:00
Garret Rieger bc06af977f [subset] speed up feature collection when tags are specified.
Precompute a feature index filter to avoid needing to iterate the feature tag list for each encountered feature index. For this particular fuzzer case speeds up feature collection from 50s to 2s.
2021-06-20 17:45:19 -07:00
Garret Rieger 675ebbeb3a [subset] don't alloc zero bytes.
It will be leaked later since hb_blob_create() won't set up the blob to cleanup since it has length zero.
2021-06-16 17:35:39 -06:00
Qunxin Liu 35d6af6943 [subset] fix fuzzer testcase: https://oss-fuzz.com/testcase-detail/5965777994907648 2021-06-04 18:16:23 -06:00
Qunxin Liu 1b6008ca62 fix fuzzer testcase: https://oss-fuzz.com/testcase-detail/5417934246772736 2021-06-02 17:32:16 -06:00
Qunxin Liu 7ab0f4eda9 fuzzer fix 2021-05-31 12:44:33 -06:00
Garret Rieger 425ba1f4ab [subset] fixes infinite loop in hb_set_get_max().
Fixes https://oss-fuzz.com/testcase-detail/5363902507515904
2021-04-20 13:18:07 -06:00
Garret Rieger ec4321068b [subset] fix infinite loop caused by alloc failure in repacker.
Fixes: https://oss-fuzz.com/testcase-detail/5609112151916544.
2021-04-20 13:18:07 -06:00
Garret Rieger 0e845d973e [subset] fix memory leak in repacker caused by failed alloc.
Fixes: https://oss-fuzz.com/testcase-detail/5616763250278400.
2021-04-20 13:18:07 -06:00
Garret Rieger 3fb62cdc14 [subset] fail on offset overflow in tables that we don't repack.
Fixes: https://oss-fuzz.com/testcase-detail/5229304507138048
2021-04-19 17:01:05 -06:00
Qunxin Liu 9dc9f0385d [subset] fix for fuzzer testcase: https://oss-fuzz.com/testcase-detail/5858518134554624 2021-04-09 11:07:28 -06:00
Qunxin Liu 4af5dacedc [subset] add fuzzer testcase 2021-04-07 13:02:04 -06:00
Garret Rieger 64122b5a44 [subset] don't visit lookup if covered glyph set has failed.
If covered glyph set is in error then the same lookup can be recursed into repeatedly potentially causing a fuzzer timeout. Fixes: https://oss-fuzz.com/testcase-detail/5416421032067072.
2021-04-06 12:34:44 -06:00
Garret Rieger 71d6d15600 [subset] clamp distance to prevent shifting outside of the limits of int64.
Fixes https://oss-fuzz.com/testcase-detail/4961171477233664.
2021-04-06 11:48:39 -06:00
Garret Rieger c5c13006a1 [subset] fix memory leaks found in https://oss-fuzz.com/testcase-detail/5179935334465536 2021-03-31 12:37:45 -06:00
Garret Rieger adca4ce071 [subset] fixes https://oss-fuzz.com/testcase-detail/6173520787800064.
Caused by incorrect bounds check in glyph closure for context lookups.
2021-03-30 15:44:41 -06:00
Garret Rieger 752e393ad2 [subset] avoid calling clear on null pool set. 2021-03-30 15:12:52 -06:00
Garret Rieger 8741914a80 [subset] fix memory leak when map insert fails. 2021-03-29 18:02:32 -06:00
Garret Rieger 5b6da6d2f0 [subset] add fuzzer test case. 2021-03-29 17:41:07 -06:00
Garret Rieger a804a0c903 [subset] add fuzzer test case. 2021-03-29 17:15:22 -06:00
Garret Rieger 5ca353a2d0 [subset] fix heap buffer overflow found by fuzzer. 2021-02-16 12:43:02 -07:00
Behdad Esfahbod 33a0f0b686 [test] Remove fuzzed test font that triggers virus alert
Fixes https://github.com/harfbuzz/harfbuzz/issues/2750
2021-02-09 12:55:45 -07:00
Garret Rieger a4c3732f59 [ENOMEM] fix set clear() causing corruption if the set is in_error(). 2021-01-21 12:12:05 -07:00
Garret Rieger bbbcad0dbb Revert "[ENOMEM] don't perform set process operations if the other set is in an error state."
This reverts commit f3929abafe.
2020-09-16 12:23:38 -06:00
Garret Rieger f3929abafe [ENOMEM] don't perform set process operations if the other set is in an error state.
Running a process while the other set is in an error state can potentially corrupt this sets map map (for example by overwritting all of the major values with 0).
2020-09-16 10:36:30 -07:00
Garret Rieger 8c3d4de796 [subset] Fix integer underflow in ContextFormat2. 2020-09-11 15:52:46 -07:00
Garret Rieger 9825e3dd2e [ENOMEM] fix access to unitialized memory.
If the serialize() call fails to write the object then we can't safely read varstore_prime fields. Fixes https://oss-fuzz.com/testcase-detail/5137462782066688.
2020-09-02 11:01:07 -07:00
ebraminio 1e48225ca3
[ENOMEM] Check whether serialize context isn't in error 2020-08-13 23:22:14 +04:30
Garret Rieger 9562239f05 [ENOMEM] check for error in lookup visited set. 2020-08-13 01:43:11 +04:30