5ca353a2d0
[subset] fix heap buffer overflow found by fuzzer.
2021-02-16 12:43:02 -07:00
33a0f0b686
[test] Remove fuzzed test font that triggers virus alert
...
Fixes https://github.com/harfbuzz/harfbuzz/issues/2750
2021-02-09 12:55:45 -07:00
a4c3732f59
[ENOMEM] fix set clear() causing corruption if the set is in_error().
2021-01-21 12:12:05 -07:00
bbbcad0dbb
Revert "[ENOMEM] don't perform set process operations if the other set is in an error state."
...
This reverts commit f3929abafe
2020-09-16 12:23:38 -06:00
f3929abafe
[ENOMEM] don't perform set process operations if the other set is in an error state.
...
Running a process while the other set is in an error state can potentially corrupt this sets map map (for example by overwritting all of the major values with 0).
2020-09-16 10:36:30 -07:00
8c3d4de796
[subset] Fix integer underflow in ContextFormat2.
2020-09-11 15:52:46 -07:00
9825e3dd2e
[ENOMEM] fix access to unitialized memory.
...
If the serialize() call fails to write the object then we can't safely read varstore_prime fields. Fixes https://oss-fuzz.com/testcase-detail/5137462782066688 .
2020-09-02 11:01:07 -07:00
1e48225ca3
[ENOMEM] Check whether serialize context isn't in error
2020-08-13 23:22:14 +04:30
9562239f05
[ENOMEM] check for error in lookup visited set.
2020-08-13 01:43:11 +04:30
6f754852c1
[ENOMEM] skip asserts in to_bias if serializer is in an error state.
2020-08-12 11:25:30 +04:30
ffe06c8f04
[glyf] Guard all the public APIs against null pool runs
...
Fixes https://crbug.com/oss-fuzz/24575 and https://crbug.com/oss-fuzz/24737
2020-08-08 13:43:49 +04:30
18ab8029d5
[ENOMEM] check vector status in cmap subsetting.
2020-08-02 00:30:17 +04:30
06dbb6acbb
[ENOMEM] in GSUB ChainContext subsetting check maps for allocation errors.
2020-08-01 09:21:22 +04:30
fb1477795c
[ENOMEM] Check result of vector resize in CBDT subsetting.
2020-08-01 09:20:52 +04:30
efd716de3f
[cff] Check for scalars array resize result
...
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24504
2020-07-31 09:27:27 +04:30
040ed094ef
[ENOMEM] popragate packed/packed_map errors to the serializer.
...
Will disable further modifications based on a bad state.
2020-07-31 08:39:26 +04:30
7f358a55f4
[ENOMEM] unchecked resize in CFF2.
2020-07-31 02:04:06 +04:30
32f052b033
[ENOMEM] Fix several instances of not checking resize in CFF.
2020-07-31 02:04:06 +04:30
15644ee60e
[ENOMEM] fix memory leak if allocation fails during pop_pack().
2020-07-30 04:15:35 +04:30
42237adffc
[ENOMEM] make serializer modification operations no-ops if it's in an error state.
2020-07-30 03:59:49 +04:30
4ba8e3c6fd
[ENOMEM] Fix failure to check calloc return.
...
Fixes https://oss-fuzz.com/testcase-detail/6246465148813312 .
2020-07-30 00:08:08 +04:30
d307c24abf
[ENOMEM] check resize() return.
...
Fixes https://oss-fuzz.com/testcase-detail/5641892164009984 .
2020-07-30 00:08:08 +04:30
11d583a9ea
[aat] Consume glyph insertion from buffer's max_ops ( #2223 )
...
Glyph insertion is an expensive operation and we like to have it limited
based on buffer's input size which is handled by buffer's max_ops.
clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5754958982021120:
Before the change: 0.67s user 0.00s system 99% cpu 0.674 total
After the change: 0.02s user 0.00s system 98% cpu 0.024 total
Which takes much longer on valgrind and tsan bots.
2020-07-13 18:53:06 -07:00
b22f61d86a
Fix bug
2020-04-21 16:51:55 -07:00
22f7c61acf
implement SID to glyph ID mapping with predefined Charset
...
Also fixes oss-fuzz 21769
2020-04-18 15:42:30 +04:30
0d5695983e
[subset] fixes dangling object_t issue in FeatureVariationRecord
...
Fixes https://crbug.com/oss-fuzz/21560
revert () does not clean up useless object_t. Adjust the order of
subsetting substitutions and conditions to avoid dangling object_t.
2020-04-06 13:41:33 +04:30
57b7de032f
[subset] Fail ClassDefFormat1 serialization if no space available
...
Fixes https://crbug.com/oss-fuzz/21580
2020-04-05 17:38:04 +04:30
014e038b2c
[subset] Bail out of context lookup expansion once the lookup limit is encountered.
2020-04-01 11:14:41 +04:30
5d345d0cd1
[subset] Limit the number of lookup indices processed subsetting Feature.
...
> Also, remove two unnessecary full iterations of the lookup index iterator during serialization of the index array. Fixes fuzzer found timeout.
2020-04-01 11:13:05 +04:30
96d792ae80
[avar] Prevent mul overflow
...
Fixes https://crbug.com/oss-fuzz/21350
2020-03-26 15:01:14 +00:00
4ad686b9c0
[subset] fix fuzzer timeout in layout closure
...
Bail out of chain context lookup expansion once the lookup limit is encountered.
2020-03-26 06:32:28 +00:00
430bf69653
Add potentially crashing font as a fuzzer seed.
2020-03-14 00:55:47 +03:30
834a224a50
[subset] Put a limit on the number of lookup indices that can be visited during closures
...
Fixes https://crbug.com/oss-fuzz/21025
2020-03-12 13:32:36 +03:30
0d729b4b72
[avar] Fix out-of-bound read when input is bigger than all the coords
...
'i' shouldn't become equal to array's length which as the increament
is happened at end of the loop, if the input is bigger than all the
table coords, it will be equal to array's length.
Fixes https://crbug.com/oss-fuzz/21092
2020-03-07 13:20:41 +03:30
446d1e3bbc
[fuzz] Add more of fixed cases
2020-03-05 00:49:03 +03:30
99b5b3f1b1
[gvar] Make sure TupleVarHeader has the needed size
...
Fixes https://crbug.com/oss-fuzz/21026
2020-03-04 12:43:26 +03:30
6543d166fd
[fuzz] Remove the not yet fixed timeout, going to investigate
2020-03-03 21:39:22 +03:30
2bbf1c8673
[fuzz] Add more of supposed to already be fixed cases from Chromium bug tracker
2020-03-03 21:39:22 +03:30
f253f06cf3
[fuzz] Add another fixed case
...
https://crbug.com/oss-fuzz/14626
another numerous subtables count which is fixed by d38360397
2020-03-03 19:12:04 +03:30
d383603976
Limit OT::Lookup subtables ( #2219 )
...
Fixes https://crbug.com/oss-fuzz/13943
2020-03-02 22:41:08 +03:30
29efd964f2
[fuzz] Add cases that marked as wontfix
...
Let's see if they were really false alarms, if so, let's just have them.
2020-03-02 14:22:29 +03:30
5ab50eebd7
collect_unicodes() with clamp, calling add_range()
...
Use add_range instead an inner loop, clamp its input number by
number of glyphs a face has.
Even the face cmap12 and 13 have 32-bit hb_codepoint_t, which is here
used to make timeout, face's maxp has 16-bit gid limitation at least for now,
using that makes sure we both fix and the timeout and don't need to change
much things here also in order to support 32-bit gids also someday.
Fixes #2204
2020-02-29 13:02:29 +03:30
410b4881d0
[subset] Add fuzzer timeout testcase.
2020-02-28 16:10:14 -08:00
e57ced5fc0
[gvar] Add other possibly fixed fuzzer case
...
Speculatively should've been fixed by 61208401https://crbug.com/oss-fuzz/20924 related
2020-02-28 23:29:05 +03:30
758fda728b
[glyf] Don't accept gids higher than maxp's glyphs number
...
This specially becomes concerning on sub-components where a gvar table
that is sanitized using maxp's glyphs number overflows when a high gid
accepted here goes to it, maybe an additional check can be put there
also, this however feels to be enough.
Fixes https://crbug.com/oss-fuzz/20944
2020-02-28 23:19:06 +03:30
e90213868b
Revert "collect_unicodes() to check gid < num_glyphs with cmap 12"
...
Didn't fix the case actually, making bots to fail.
This reverts commit 15b43a4104
2020-02-28 21:24:51 +03:30
61208401f4
[gvar] Use hb_bytes_t.check_range instead having in house one
...
And use TupleVarHeader calculated size for validity check.
Fixes https://crbug.com/oss-fuzz/20919 and possibly other gvar related issues
2020-02-28 21:09:07 +03:30
15b43a4104
collect_unicodes() to check gid < num_glyphs with cmap 12
...
fixes #2204
2020-02-28 20:15:39 +03:30
8eba66c1c6
[gvar] Fix invalid memory access by refactoring GlyphVarData fetch logic
...
Fixes https://crbug.com/oss-fuzz/20906
2020-02-27 20:26:54 +03:30
a99134c5be
add oss-fuzz 20886 test file
2020-02-26 09:58:03 -08:00
Garret Rieger
Behdad Esfahbod
ebraminio
ckitagawa
ariza
Qunxin Liu