Ebrahim Byagowi
11d583a9ea
[aat] Consume glyph insertion from buffer's max_ops ( #2223 )
...
Glyph insertion is an expensive operation and we like to have it limited
based on buffer's input size which is handled by buffer's max_ops.
clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5754958982021120:
Before the change: 0.67s user 0.00s system 99% cpu 0.674 total
After the change: 0.02s user 0.00s system 98% cpu 0.024 total
Which takes much longer on valgrind and tsan bots.
2020-07-13 18:53:06 -07:00
ckitagawa
b22f61d86a
Fix bug
2020-04-21 16:51:55 -07:00
ariza
22f7c61acf
implement SID to glyph ID mapping with predefined Charset
...
Also fixes oss-fuzz 21769
2020-04-18 15:42:30 +04:30
Qunxin Liu
0d5695983e
[subset] fixes dangling object_t issue in FeatureVariationRecord
...
Fixes https://crbug.com/oss-fuzz/21560
revert () does not clean up useless object_t. Adjust the order of
subsetting substitutions and conditions to avoid dangling object_t.
2020-04-06 13:41:33 +04:30
Ebrahim Byagowi
57b7de032f
[subset] Fail ClassDefFormat1 serialization if no space available
...
Fixes https://crbug.com/oss-fuzz/21580
2020-04-05 17:38:04 +04:30
Garret Rieger
014e038b2c
[subset] Bail out of context lookup expansion once the lookup limit is encountered.
2020-04-01 11:14:41 +04:30
Garret Rieger
5d345d0cd1
[subset] Limit the number of lookup indices processed subsetting Feature.
...
> Also, remove two unnessecary full iterations of the lookup index iterator during serialization of the index array. Fixes fuzzer found timeout.
2020-04-01 11:13:05 +04:30
Ebrahim Byagowi
96d792ae80
[avar] Prevent mul overflow
...
Fixes https://crbug.com/oss-fuzz/21350
2020-03-26 15:01:14 +00:00
Garret Rieger
4ad686b9c0
[subset] fix fuzzer timeout in layout closure
...
Bail out of chain context lookup expansion once the lookup limit is encountered.
2020-03-26 06:32:28 +00:00
Garret Rieger
430bf69653
Add potentially crashing font as a fuzzer seed.
2020-03-14 00:55:47 +03:30
Garret Rieger
834a224a50
[subset] Put a limit on the number of lookup indices that can be visited during closures
...
Fixes https://crbug.com/oss-fuzz/21025
2020-03-12 13:32:36 +03:30
Ebrahim Byagowi
0d729b4b72
[avar] Fix out-of-bound read when input is bigger than all the coords
...
'i' shouldn't become equal to array's length which as the increament
is happened at end of the loop, if the input is bigger than all the
table coords, it will be equal to array's length.
Fixes https://crbug.com/oss-fuzz/21092
2020-03-07 13:20:41 +03:30
Ebrahim Byagowi
446d1e3bbc
[fuzz] Add more of fixed cases
2020-03-05 00:49:03 +03:30
Ebrahim Byagowi
99b5b3f1b1
[gvar] Make sure TupleVarHeader has the needed size
...
Fixes https://crbug.com/oss-fuzz/21026
2020-03-04 12:43:26 +03:30
Ebrahim Byagowi
6543d166fd
[fuzz] Remove the not yet fixed timeout, going to investigate
2020-03-03 21:39:22 +03:30
Ebrahim Byagowi
2bbf1c8673
[fuzz] Add more of supposed to already be fixed cases from Chromium bug tracker
2020-03-03 21:39:22 +03:30
Ebrahim Byagowi
f253f06cf3
[fuzz] Add another fixed case
...
https://crbug.com/oss-fuzz/14626
another numerous subtables count which is fixed by d38360397
2020-03-03 19:12:04 +03:30
Ebrahim Byagowi
d383603976
Limit OT::Lookup subtables ( #2219 )
...
Fixes https://crbug.com/oss-fuzz/13943
2020-03-02 22:41:08 +03:30
Ebrahim Byagowi
29efd964f2
[fuzz] Add cases that marked as wontfix
...
Let's see if they were really false alarms, if so, let's just have them.
2020-03-02 14:22:29 +03:30
Michiharu Ariza
5ab50eebd7
collect_unicodes() with clamp, calling add_range()
...
Use add_range instead an inner loop, clamp its input number by
number of glyphs a face has.
Even the face cmap12 and 13 have 32-bit hb_codepoint_t, which is here
used to make timeout, face's maxp has 16-bit gid limitation at least for now,
using that makes sure we both fix and the timeout and don't need to change
much things here also in order to support 32-bit gids also someday.
Fixes #2204
2020-02-29 13:02:29 +03:30
Garret Rieger
410b4881d0
[subset] Add fuzzer timeout testcase.
2020-02-28 16:10:14 -08:00
Ebrahim Byagowi
e57ced5fc0
[gvar] Add other possibly fixed fuzzer case
...
Speculatively should've been fixed by 61208401
https://crbug.com/oss-fuzz/20924 related
2020-02-28 23:29:05 +03:30
Ebrahim Byagowi
758fda728b
[glyf] Don't accept gids higher than maxp's glyphs number
...
This specially becomes concerning on sub-components where a gvar table
that is sanitized using maxp's glyphs number overflows when a high gid
accepted here goes to it, maybe an additional check can be put there
also, this however feels to be enough.
Fixes https://crbug.com/oss-fuzz/20944
2020-02-28 23:19:06 +03:30
Ebrahim Byagowi
e90213868b
Revert "collect_unicodes() to check gid < num_glyphs with cmap 12"
...
Didn't fix the case actually, making bots to fail.
This reverts commit 15b43a4104
.
2020-02-28 21:24:51 +03:30
Ebrahim Byagowi
61208401f4
[gvar] Use hb_bytes_t.check_range instead having in house one
...
And use TupleVarHeader calculated size for validity check.
Fixes https://crbug.com/oss-fuzz/20919 and possibly other gvar related issues
2020-02-28 21:09:07 +03:30
Michiharu Ariza
15b43a4104
collect_unicodes() to check gid < num_glyphs with cmap 12
...
fixes #2204
2020-02-28 20:15:39 +03:30
Ebrahim Byagowi
8eba66c1c6
[gvar] Fix invalid memory access by refactoring GlyphVarData fetch logic
...
Fixes https://crbug.com/oss-fuzz/20906
2020-02-27 20:26:54 +03:30
ariza
a99134c5be
add oss-fuzz 20886 test file
2020-02-26 09:58:03 -08:00
Ebrahim Byagowi
1c015d3e9f
[fuzz] minor fuzzer case move, oops
2020-02-12 19:19:37 +03:30
Ebrahim Byagowi
ff984ed3cd
Use multiplication to avoid undefined behaviour per clang
...
Newer versions of MSVC with /we4146 don't like putting negative sign behind a
unsigned number as https://github.com/harfbuzz/harfbuzz/pull/2069
That however have made https://crbug.com/1050424 this complain:
src/hb-ot-color-sbix-table.hh:304:28: runtime error: negation of -2147483648 cannot be represented in type 'int';
cast to an unsigned type to negate this value to itself
which apparently can be fixed using this change.
Let's see if this won't make another ubsan complain!
2020-02-11 19:51:52 +03:30
ckitagawa
e128f80278
parent 777ba47b50
...
author ckitagawa <ckitagawa@chromium.org> 1579631743 -0500
committer ckitagawa <ckitagawa@chromium.org> 1580506176 -0500
[subset] Add CBLC support
2020-01-31 16:37:30 -05:00
ckitagawa
ed857c4680
[subset] Add COLR support
2020-01-28 15:35:53 -05:00
ckitagawa-work
0e4b2676bd
[subset] sbix fix missed offset is_null() check
2020-01-24 20:46:07 +03:30
ckitagawa
7dc341fe74
[subset] Fix UBSAN issue in sbix
2020-01-23 23:46:22 +03:30
ariza
1ab3924b31
refix PR #2087 subset PairPos1
...
also added oss-fuzz 20211 data fixed by this
2020-01-23 10:50:52 -08:00
ckitagawa
b18cb5b5ee
Add second fixed test
2020-01-22 10:11:15 -08:00
ckitagawa
8614a30bc9
[subset] Fix sbix fuzz problem
2020-01-22 10:11:15 -08:00
ckitagawa
6bcf57eaa3
Simplify copy and add fuzzing coverage
2020-01-15 13:36:01 -08:00
Ebrahim Byagowi
dc03a993d0
Fix collect lookups logic of FeatureTableSubstitution ( #2097 )
...
https://crbug.com/oss-fuzz/20036
2020-01-12 14:21:29 +03:30
Ebrahim Byagowi
a32ecc15ae
Fix collect lookups logic of FeatureVariationRecord
...
As "Offset to a feature table substitution table, from beginning of the FeatureVariations table."
from https://docs.microsoft.com/en-us/typography/opentype/spec/chapter2 the record should
match its sanitize logic not the reverse way.
Fixes https://crbug.com/oss-fuzz/20021 and https://crbug.com/oss-fuzz/20022
2020-01-11 15:37:24 +03:30
Michiharu Ariza
d2ab1ec65b
fixes oss-fuzz 19978: Null-dereference READ ( #2091 )
2020-01-10 07:54:16 +03:30
Ebrahim Byagowi
257a197ae7
Fail serialize when map has incorrect value
...
fixes https://crbug.com/oss-fuzz/19956
am not super happy with the fix, guess we should do some check
before the memcpy anyway as @blueshade7 thinks also,
so let's have it or revert it when we have a better approach for the case.
2020-01-09 22:55:45 +03:30
Ebrahim Byagowi
8ed46c3678
[fuzz] minor, add another already fixed case
...
https://crbug.com/oss-fuzz/19907
2020-01-07 23:43:53 +03:30
Ebrahim Byagowi
341407f7a5
[fuzz] minor, upload another fixed case
...
https://crbug.com/oss-fuzz/19878
2020-01-07 09:10:24 +03:30
Ebrahim Byagowi
7950beecfc
[subset] Fix null pointer dereference in hvar/vvar subset ( #2085 )
...
Rest of the code assumes there is at least one subtable, lets return here if not.
* https://crbug.com/oss-fuzz/19827
* https://crbug.com/oss-fuzz/19847
2020-01-06 21:25:00 +03:30
Ebrahim Byagowi
64a45be519
[ubsan] Don't decrease pointer if match_glyph_data is null ( #2048 )
...
Similar to fix on https://github.com/harfbuzz/harfbuzz/pull/2022
Fixes https://crbug.com/1023070
2019-11-09 12:25:33 +03:30
Ebrahim Byagowi
84b86a12d9
[fuzz] Remove just added case
...
It didn't fail locally but on bots causing timeout, let remove for now.
2019-11-06 09:22:34 +03:30
Ebrahim Byagowi
a8f049c9a1
[fuzz] Upload testcase of https://crbug.com/oss-fuzz/18529
...
Apparently false alarm per last comment and was ok locally also but lets have it here also
2019-11-05 22:26:36 +03:30
Qunxin Liu
defe9b6da0
crash fix : Heap-buffer-overflow READ 2
...
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18513
2019-10-25 13:09:47 -07:00
Qunxin Liu
b2fcca6e14
fuzzer crash fix
...
https://oss-fuzz.com/testcase-detail/5643107869917184
2019-10-24 16:11:30 -07:00