Commit Graph

133 Commits

Author SHA1 Message Date
Garret Rieger 9562239f05 [ENOMEM] check for error in lookup visited set. 2020-08-13 01:43:11 +04:30
Garret Rieger 6f754852c1 [ENOMEM] skip asserts in to_bias if serializer is in an error state. 2020-08-12 11:25:30 +04:30
Ebrahim Byagowi ffe06c8f04 [glyf] Guard all the public APIs against null pool runs
Fixes https://crbug.com/oss-fuzz/24575 and https://crbug.com/oss-fuzz/24737
2020-08-08 13:43:49 +04:30
Garret Rieger 18ab8029d5 [ENOMEM] check vector status in cmap subsetting. 2020-08-02 00:30:17 +04:30
Garret Rieger 06dbb6acbb [ENOMEM] in GSUB ChainContext subsetting check maps for allocation errors. 2020-08-01 09:21:22 +04:30
Garret Rieger fb1477795c [ENOMEM] Check result of vector resize in CBDT subsetting. 2020-08-01 09:20:52 +04:30
Ebrahim Byagowi efd716de3f [cff] Check for scalars array resize result
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24504
2020-07-31 09:27:27 +04:30
Garret Rieger 040ed094ef [ENOMEM] popragate packed/packed_map errors to the serializer.
Will disable further modifications based on a bad state.
2020-07-31 08:39:26 +04:30
Garret Rieger 7f358a55f4 [ENOMEM] unchecked resize in CFF2. 2020-07-31 02:04:06 +04:30
Garret Rieger 32f052b033 [ENOMEM] Fix several instances of not checking resize in CFF. 2020-07-31 02:04:06 +04:30
Garret Rieger 15644ee60e [ENOMEM] fix memory leak if allocation fails during pop_pack(). 2020-07-30 04:15:35 +04:30
Garret Rieger 42237adffc [ENOMEM] make serializer modification operations no-ops if it's in an error state. 2020-07-30 03:59:49 +04:30
Garret Rieger 4ba8e3c6fd [ENOMEM] Fix failure to check calloc return.
Fixes https://oss-fuzz.com/testcase-detail/6246465148813312.
2020-07-30 00:08:08 +04:30
Garret Rieger d307c24abf [ENOMEM] check resize() return.
Fixes https://oss-fuzz.com/testcase-detail/5641892164009984.
2020-07-30 00:08:08 +04:30
Ebrahim Byagowi 11d583a9ea
[aat] Consume glyph insertion from buffer's max_ops (#2223)
Glyph insertion is an expensive operation and we like to have it limited
based on buffer's input size which is handled by buffer's max_ops.

clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5754958982021120:

Before the change: 0.67s user 0.00s system 99% cpu 0.674 total
 After the change: 0.02s user 0.00s system 98% cpu 0.024 total

Which takes much longer on valgrind and tsan bots.
2020-07-13 18:53:06 -07:00
ckitagawa b22f61d86a Fix bug 2020-04-21 16:51:55 -07:00
ariza 22f7c61acf implement SID to glyph ID mapping with predefined Charset
Also fixes oss-fuzz 21769
2020-04-18 15:42:30 +04:30
Qunxin Liu 0d5695983e [subset] fixes dangling object_t issue in FeatureVariationRecord
Fixes https://crbug.com/oss-fuzz/21560
revert () does not clean up useless object_t. Adjust the order of
subsetting substitutions and conditions to avoid dangling object_t.
2020-04-06 13:41:33 +04:30
Ebrahim Byagowi 57b7de032f [subset] Fail ClassDefFormat1 serialization if no space available
Fixes https://crbug.com/oss-fuzz/21580
2020-04-05 17:38:04 +04:30
Garret Rieger 014e038b2c [subset] Bail out of context lookup expansion once the lookup limit is encountered. 2020-04-01 11:14:41 +04:30
Garret Rieger 5d345d0cd1 [subset] Limit the number of lookup indices processed subsetting Feature.
> Also, remove two unnessecary full iterations of the lookup index iterator during serialization of the index array. Fixes fuzzer found timeout.
2020-04-01 11:13:05 +04:30
Ebrahim Byagowi 96d792ae80 [avar] Prevent mul overflow
Fixes https://crbug.com/oss-fuzz/21350
2020-03-26 15:01:14 +00:00
Garret Rieger 4ad686b9c0
[subset] fix fuzzer timeout in layout closure
Bail out of chain context lookup expansion once the lookup limit is encountered.
2020-03-26 06:32:28 +00:00
Garret Rieger 430bf69653 Add potentially crashing font as a fuzzer seed. 2020-03-14 00:55:47 +03:30
Garret Rieger 834a224a50
[subset] Put a limit on the number of lookup indices that can be visited during closures
Fixes https://crbug.com/oss-fuzz/21025
2020-03-12 13:32:36 +03:30
Ebrahim Byagowi 0d729b4b72 [avar] Fix out-of-bound read when input is bigger than all the coords
'i' shouldn't become equal to array's length which as the increament
is happened at end of the loop, if the input is bigger than all the
table coords, it will be equal to array's length.

Fixes https://crbug.com/oss-fuzz/21092
2020-03-07 13:20:41 +03:30
Ebrahim Byagowi 446d1e3bbc [fuzz] Add more of fixed cases 2020-03-05 00:49:03 +03:30
Ebrahim Byagowi 99b5b3f1b1 [gvar] Make sure TupleVarHeader has the needed size
Fixes https://crbug.com/oss-fuzz/21026
2020-03-04 12:43:26 +03:30
Ebrahim Byagowi 6543d166fd [fuzz] Remove the not yet fixed timeout, going to investigate 2020-03-03 21:39:22 +03:30
Ebrahim Byagowi 2bbf1c8673 [fuzz] Add more of supposed to already be fixed cases from Chromium bug tracker 2020-03-03 21:39:22 +03:30
Ebrahim Byagowi f253f06cf3 [fuzz] Add another fixed case
https://crbug.com/oss-fuzz/14626

another numerous subtables count which is fixed by d38360397
2020-03-03 19:12:04 +03:30
Ebrahim Byagowi d383603976
Limit OT::Lookup subtables (#2219)
Fixes https://crbug.com/oss-fuzz/13943
2020-03-02 22:41:08 +03:30
Ebrahim Byagowi 29efd964f2
[fuzz] Add cases that marked as wontfix
Let's see if they were really false alarms, if so, let's just have them.
2020-03-02 14:22:29 +03:30
Michiharu Ariza 5ab50eebd7
collect_unicodes() with clamp, calling add_range()
Use add_range instead an inner loop, clamp its input number by
number of glyphs a face has.

Even the face cmap12 and 13 have 32-bit hb_codepoint_t, which is here
used to make timeout, face's maxp has 16-bit gid limitation at least for now,
using that makes sure we both fix and the timeout and don't need to change
much things here also in order to support 32-bit gids also someday.

Fixes #2204
2020-02-29 13:02:29 +03:30
Garret Rieger 410b4881d0 [subset] Add fuzzer timeout testcase. 2020-02-28 16:10:14 -08:00
Ebrahim Byagowi e57ced5fc0
[gvar] Add other possibly fixed fuzzer case
Speculatively should've been fixed by 61208401

https://crbug.com/oss-fuzz/20924 related
2020-02-28 23:29:05 +03:30
Ebrahim Byagowi 758fda728b
[glyf] Don't accept gids higher than maxp's glyphs number
This specially becomes concerning on sub-components where a gvar table
that is sanitized using maxp's glyphs number overflows when a high gid
accepted here goes to it, maybe an additional check can be put there
also, this however feels to be enough.

Fixes https://crbug.com/oss-fuzz/20944
2020-02-28 23:19:06 +03:30
Ebrahim Byagowi e90213868b Revert "collect_unicodes() to check gid < num_glyphs with cmap 12"
Didn't fix the case actually, making bots to fail.

This reverts commit 15b43a4104.
2020-02-28 21:24:51 +03:30
Ebrahim Byagowi 61208401f4
[gvar] Use hb_bytes_t.check_range instead having in house one
And use TupleVarHeader calculated size for validity check.

Fixes https://crbug.com/oss-fuzz/20919 and possibly other gvar related issues
2020-02-28 21:09:07 +03:30
Michiharu Ariza 15b43a4104
collect_unicodes() to check gid < num_glyphs with cmap 12
fixes #2204
2020-02-28 20:15:39 +03:30
Ebrahim Byagowi 8eba66c1c6 [gvar] Fix invalid memory access by refactoring GlyphVarData fetch logic
Fixes https://crbug.com/oss-fuzz/20906
2020-02-27 20:26:54 +03:30
ariza a99134c5be add oss-fuzz 20886 test file 2020-02-26 09:58:03 -08:00
Ebrahim Byagowi 1c015d3e9f [fuzz] minor fuzzer case move, oops 2020-02-12 19:19:37 +03:30
Ebrahim Byagowi ff984ed3cd Use multiplication to avoid undefined behaviour per clang
Newer versions of MSVC with /we4146 don't like putting negative sign behind a
unsigned number as https://github.com/harfbuzz/harfbuzz/pull/2069
That however have made https://crbug.com/1050424 this complain:
  src/hb-ot-color-sbix-table.hh:304:28: runtime error: negation of -2147483648 cannot be represented in type 'int';
                                        cast to an unsigned type to negate this value to itself
which apparently can be fixed using this change.

Let's see if this won't make another ubsan complain!
2020-02-11 19:51:52 +03:30
ckitagawa e128f80278 parent 777ba47b50
author ckitagawa <ckitagawa@chromium.org> 1579631743 -0500
committer ckitagawa <ckitagawa@chromium.org> 1580506176 -0500

[subset] Add CBLC support
2020-01-31 16:37:30 -05:00
ckitagawa ed857c4680 [subset] Add COLR support 2020-01-28 15:35:53 -05:00
ckitagawa-work 0e4b2676bd [subset] sbix fix missed offset is_null() check 2020-01-24 20:46:07 +03:30
ckitagawa 7dc341fe74 [subset] Fix UBSAN issue in sbix 2020-01-23 23:46:22 +03:30
ariza 1ab3924b31 refix PR #2087 subset PairPos1
also added oss-fuzz 20211 data fixed by this
2020-01-23 10:50:52 -08:00
ckitagawa b18cb5b5ee Add second fixed test 2020-01-22 10:11:15 -08:00