Commit Graph

386 Commits

Author SHA1 Message Date
Garret Rieger f51b48c8e7 [subset] Fix fuzzer found memory leak.
Happens because an insert into a map with an invalid key reports successful, but this causes the set being inserted to be lost.
2021-11-02 17:00:07 -07:00
Qunxin Liu 0a7563a53f [subset] fuzzer fix: https://oss-fuzz.com/testcase?key=6254792024915968
Make sure input is valid, each gid has a corresponding offset value in
the map
2021-11-02 15:25:18 -07:00
Qunxin Liu 85deddb16e [subset] fuzzer fix: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40406 2021-10-27 16:16:15 -07:00
Qunxin Liu 794b00db4b [subset] fuzzer fix: https://oss-fuzz.com/testcase-detail/6616166961905664 2021-09-29 10:29:06 -06:00
Garret Rieger 74f96d9d4b [repacker] fix heap use after free in repacker.
Don't store a reference to the link in overflow records as the link object may be freed if the sorted graph vector is resized.
2021-09-19 09:06:17 -06:00
Garret Rieger fb07f8f876 During subset input creation check for set alloc failures and fail if encountered. 2021-08-24 10:59:14 -06:00
Garret Rieger dc31920bbe Don't serialize null offsets in CPAL.
Fixes https://oss-fuzz.com/testcase-detail/5443213648330752
2021-08-18 16:52:45 -06:00
Garret Rieger c0f3af91b8 [subset] speed up add_gid_and_children and adjust op limit.
Fix for fuzzer timeout: https://oss-fuzz.com/testcase-detail/5001604901240832.

- Operation limit is per glyph, so 100,000 should still be far more than needed.
- Switches from for(...) to while(...) loop for iteration. for(...) calls it.end() which in this case triggers a complete iteration.
- Cache CompositeGlyph size in the iterator to avoid needing to recalculate it.
2021-08-12 14:50:42 -06:00
Garret Rieger c08f1b8903 [map] fix incorrect population count in hash map.
If the same key was set twice the population was being incorrectly incremented.
2021-08-10 14:00:55 -06:00
Garret Rieger 8c0c217b5a [subset] fail reference blob in face builder if allocation for table sorting fails.
Fixes https://oss-fuzz.com/testcase-detail/5041767803125760
2021-08-06 15:54:41 -06:00
Behdad Esfahbod 5086e10538 [test] Add failing fuzzer test case
From https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36236
https://oss-fuzz.com/testcase-detail/5061207689134080
2021-08-04 11:55:53 -06:00
Garret Rieger f9d8e4a976 [subset] switch ..._set_flags to not take a mask. 2021-07-29 18:30:27 -07:00
Garret Rieger 3d534b146c [subset] convert subset input flags into bit flags.
Store the flags in a bit set. Updates the public api to work with the bit set directly.
2021-07-29 18:02:34 -07:00
Behdad Esfahbod 0ded6a70c8 [subset] Fix another fuzzer issue
Addition could overflow on 32bit arch.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36636
Fixes https://oss-fuzz.com/testcase-detail/5072358514753536
2021-07-28 11:35:27 -06:00
Garret Rieger 09474d8d7b [subset] Fix fuzzer timeout in add_gid_and_children.
The composite glyph graph isn't check for max operations by sanitize so track an operations count during the graph traversal.
2021-07-27 13:30:06 -06:00
Behdad Esfahbod c68a00b92e [subset] Fix possible overflows in VarRegionList serialize
Fixes https://oss-fuzz.com/testcase-detail/5362189182566400
2021-07-27 13:28:09 -06:00
Garret Rieger 9ab751ac9f [subset] Remove hb_subset(). Leaving just hb_subset_or_fail(). 2021-07-22 12:14:47 -07:00
Garret Rieger 942636ae13 [subset] Remove hb_subset_input_get/set_retain_gids. 2021-07-22 12:12:36 -07:00
Garret Rieger 8bf5d4d4f7 [subset] Remove hb_subset_input_get/set_drop_hints. 2021-07-22 12:12:36 -07:00
Qunxin Liu 7416faceeb [subset] fuzzer fix: https://oss-fuzz.com/testcase-detail/5715464591376384 2021-07-08 09:09:30 -07:00
Garret Rieger bc06af977f [subset] speed up feature collection when tags are specified.
Precompute a feature index filter to avoid needing to iterate the feature tag list for each encountered feature index. For this particular fuzzer case speeds up feature collection from 50s to 2s.
2021-06-20 17:45:19 -07:00
Garret Rieger 675ebbeb3a [subset] don't alloc zero bytes.
It will be leaked later since hb_blob_create() won't set up the blob to cleanup since it has length zero.
2021-06-16 17:35:39 -06:00
Behdad Esfahbod bdfed8f113 [blob] Add failing versions of create API
Fixes https://github.com/harfbuzz/harfbuzz/issues/2567

New API:
+hb_blob_create_or_fail()
+hb_blob_create_from_file_or_fail()

Use these in util/ to distinguish empty file from not-found file.
Only err on the latter.
2021-06-15 13:56:30 -06:00
Qunxin Liu 35d6af6943 [subset] fix fuzzer testcase: https://oss-fuzz.com/testcase-detail/5965777994907648 2021-06-04 18:16:23 -06:00
Qunxin Liu 1b6008ca62 fix fuzzer testcase: https://oss-fuzz.com/testcase-detail/5417934246772736 2021-06-02 17:32:16 -06:00
Qunxin Liu 7ab0f4eda9 fuzzer fix 2021-05-31 12:44:33 -06:00
Garret Rieger 425ba1f4ab [subset] fixes infinite loop in hb_set_get_max().
Fixes https://oss-fuzz.com/testcase-detail/5363902507515904
2021-04-20 13:18:07 -06:00
Garret Rieger ec4321068b [subset] fix infinite loop caused by alloc failure in repacker.
Fixes: https://oss-fuzz.com/testcase-detail/5609112151916544.
2021-04-20 13:18:07 -06:00
Garret Rieger 0e845d973e [subset] fix memory leak in repacker caused by failed alloc.
Fixes: https://oss-fuzz.com/testcase-detail/5616763250278400.
2021-04-20 13:18:07 -06:00
Garret Rieger 3fb62cdc14 [subset] fail on offset overflow in tables that we don't repack.
Fixes: https://oss-fuzz.com/testcase-detail/5229304507138048
2021-04-19 17:01:05 -06:00
Qunxin Liu 9dc9f0385d [subset] fix for fuzzer testcase: https://oss-fuzz.com/testcase-detail/5858518134554624 2021-04-09 11:07:28 -06:00
Qunxin Liu 4af5dacedc [subset] add fuzzer testcase 2021-04-07 13:02:04 -06:00
Garret Rieger 64122b5a44 [subset] don't visit lookup if covered glyph set has failed.
If covered glyph set is in error then the same lookup can be recursed into repeatedly potentially causing a fuzzer timeout. Fixes: https://oss-fuzz.com/testcase-detail/5416421032067072.
2021-04-06 12:34:44 -06:00
Garret Rieger 71d6d15600 [subset] clamp distance to prevent shifting outside of the limits of int64.
Fixes https://oss-fuzz.com/testcase-detail/4961171477233664.
2021-04-06 11:48:39 -06:00
Garret Rieger c5c13006a1 [subset] fix memory leaks found in https://oss-fuzz.com/testcase-detail/5179935334465536 2021-03-31 12:37:45 -06:00
Garret Rieger adca4ce071 [subset] fixes https://oss-fuzz.com/testcase-detail/6173520787800064.
Caused by incorrect bounds check in glyph closure for context lookups.
2021-03-30 15:44:41 -06:00
Garret Rieger 752e393ad2 [subset] avoid calling clear on null pool set. 2021-03-30 15:12:52 -06:00
Garret Rieger 8741914a80 [subset] fix memory leak when map insert fails. 2021-03-29 18:02:32 -06:00
Garret Rieger 5b6da6d2f0 [subset] add fuzzer test case. 2021-03-29 17:41:07 -06:00
Garret Rieger a804a0c903 [subset] add fuzzer test case. 2021-03-29 17:15:22 -06:00
Khaled Hosny f2d08578e7 [tests] Increase shape-fuzzer timeout 2021-03-16 01:15:40 +02:00
Garret Rieger 5ca353a2d0 [subset] fix heap buffer overflow found by fuzzer. 2021-02-16 12:43:02 -07:00
Behdad Esfahbod 33a0f0b686 [test] Remove fuzzed test font that triggers virus alert
Fixes https://github.com/harfbuzz/harfbuzz/issues/2750
2021-02-09 12:55:45 -07:00
Garret Rieger f94bf9f06f [set fuzzer] limit the total number of set members in a fuzzing input.
Currently the fuzzer can create arbitarily long inputs which once big enough will trigger a timeout.
2021-01-26 10:22:07 -08:00
Garret Rieger a4c3732f59 [ENOMEM] fix set clear() causing corruption if the set is in_error(). 2021-01-21 12:12:05 -07:00
Khaled Hosny 84dd65a874 [test] Remove timeout from test runners
See https://github.com/harfbuzz/harfbuzz/issues/2707#issuecomment-707744079

This wasn’t inconsistent as well, HB_TEST_SUBSET_FUZZER_TIMEOUT defaulted
to 12 in the test runner, but it was overridden to 50 in meson.build,
and then meson has its own test timeout.
2020-10-15 00:49:02 -07:00
Garret Rieger bbbcad0dbb Revert "[ENOMEM] don't perform set process operations if the other set is in an error state."
This reverts commit f3929abafe.
2020-09-16 12:23:38 -06:00
Garret Rieger f3929abafe [ENOMEM] don't perform set process operations if the other set is in an error state.
Running a process while the other set is in an error state can potentially corrupt this sets map map (for example by overwritting all of the major values with 0).
2020-09-16 10:36:30 -07:00
Garret Rieger 8c3d4de796 [subset] Fix integer underflow in ContextFormat2. 2020-09-11 15:52:46 -07:00
Garret Rieger 9825e3dd2e [ENOMEM] fix access to unitialized memory.
If the serialize() call fails to write the object then we can't safely read varstore_prime fields. Fixes https://oss-fuzz.com/testcase-detail/5137462782066688.
2020-09-02 11:01:07 -07:00
ebraminio 1e48225ca3
[ENOMEM] Check whether serialize context isn't in error 2020-08-13 23:22:14 +04:30
Ebrahim Byagowi 6e32145dc9 [meson] Make compatbile with 0.47.0 2020-08-13 18:28:42 +04:30
Garret Rieger 9562239f05 [ENOMEM] check for error in lookup visited set. 2020-08-13 01:43:11 +04:30
Garret Rieger 6f754852c1 [ENOMEM] skip asserts in to_bias if serializer is in an error state. 2020-08-12 11:25:30 +04:30
Ebrahim Byagowi 057769b1a3 [fuzzer] minor 2020-08-12 02:40:55 +04:30
Ebrahim Byagowi 0417938011 [fuzzer] Mark alloc_state as unused
It is really unused when failing-alloc isn't on.
2020-08-12 02:40:55 +04:30
Ebrahim Byagowi 5193357832 Revert "Remove autotools build support"
This reverts commit 01ac32aab2.
2020-08-11 23:51:59 +04:30
Ebrahim Byagowi ffe06c8f04 [glyf] Guard all the public APIs against null pool runs
Fixes https://crbug.com/oss-fuzz/24575 and https://crbug.com/oss-fuzz/24737
2020-08-08 13:43:49 +04:30
Ebrahim Byagowi 01ac32aab2 Remove autotools build support 2020-08-07 23:28:12 +04:30
Ebrahim Byagowi 679fac87df Skip hb_shape if buffer object is immutable 2020-08-06 23:47:35 +04:30
Garret Rieger 18ab8029d5 [ENOMEM] check vector status in cmap subsetting. 2020-08-02 00:30:17 +04:30
Garret Rieger 06dbb6acbb [ENOMEM] in GSUB ChainContext subsetting check maps for allocation errors. 2020-08-01 09:21:22 +04:30
Garret Rieger fb1477795c [ENOMEM] Check result of vector resize in CBDT subsetting. 2020-08-01 09:20:52 +04:30
Ebrahim Byagowi efd716de3f [cff] Check for scalars array resize result
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24504
2020-07-31 09:27:27 +04:30
Garret Rieger 040ed094ef [ENOMEM] popragate packed/packed_map errors to the serializer.
Will disable further modifications based on a bad state.
2020-07-31 08:39:26 +04:30
Garret Rieger 7f358a55f4 [ENOMEM] unchecked resize in CFF2. 2020-07-31 02:04:06 +04:30
Garret Rieger 32f052b033 [ENOMEM] Fix several instances of not checking resize in CFF. 2020-07-31 02:04:06 +04:30
Garret Rieger 15644ee60e [ENOMEM] fix memory leak if allocation fails during pop_pack(). 2020-07-30 04:15:35 +04:30
Garret Rieger 42237adffc [ENOMEM] make serializer modification operations no-ops if it's in an error state. 2020-07-30 03:59:49 +04:30
Garret Rieger 4ba8e3c6fd [ENOMEM] Fix failure to check calloc return.
Fixes https://oss-fuzz.com/testcase-detail/6246465148813312.
2020-07-30 00:08:08 +04:30
Garret Rieger d307c24abf [ENOMEM] check resize() return.
Fixes https://oss-fuzz.com/testcase-detail/5641892164009984.
2020-07-30 00:08:08 +04:30
Ebrahim Byagowi 48ad745996 [ENOMEM] Fix buffer's content check logic
So now rest of shape fuzzer also can be enabled.

Fixes #2571
2020-07-29 08:09:10 +04:30
Ebrahim Byagowi c33e8006fd [fuzz] Implement failing allocator 2020-07-29 07:35:34 +04:30
Ebrahim Byagowi 5c46683ab8
[fuzz] increase shape fuzzer timeout
as https://circleci.com/gh/harfbuzz/harfbuzz/149203
2020-07-22 17:23:22 +04:30
Ebrahim Byagowi 945bcd7230
minor 2020-07-15 09:54:32 +04:30
Ebrahim Byagowi fa0436ddd1
[ENOMEM][fuzzer/subset] early return if the result is null
I don't see _or_fail APIs idiomatic for the project but since it is there, let's have this
2020-07-15 09:52:40 +04:30
Ebrahim Byagowi 11d583a9ea
[aat] Consume glyph insertion from buffer's max_ops (#2223)
Glyph insertion is an expensive operation and we like to have it limited
based on buffer's input size which is handled by buffer's max_ops.

clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5754958982021120:

Before the change: 0.67s user 0.00s system 99% cpu 0.674 total
 After the change: 0.02s user 0.00s system 98% cpu 0.024 total

Which takes much longer on valgrind and tsan bots.
2020-07-13 18:53:06 -07:00
Ebrahim Byagowi cd6f62d960
[meson] Raise timeout value of subset fuzzer testcases
happens when tsan is enabled
2020-07-12 23:05:11 +04:30
Ebrahim Byagowi e4f9969108 [ci] migrate to meson
two bots, one bot here (distcheck) and one in travis still run autotools and
won't be removed till we decide about autotools
2020-07-08 19:18:31 +04:30
Ebrahim Byagowi e04050e3b8
[meson] split fuzzer_ldflags before use 2020-07-08 01:06:30 +04:30
Ebrahim Byagowi c5def34730 [meson] don't underscorify fuzzers names 2020-07-06 23:51:52 +04:30
Ebrahim Byagowi d608f2ac85 [meson] Add fuzzer_ldflags
As ots, https://github.com/khaledhosny/ots/commit/4d37b9b
2020-07-06 23:51:52 +04:30
Ebrahim Byagowi a470b0b205 Minor, disable strict-aliasing warning in set fuzzer
../test/fuzzing/hb-set-fuzzer.cc: In function ‘int LLVMFuzzerTestOneInput(const uint8_t*, size_t)’:
../test/fuzzing/hb-set-fuzzer.cc:38:82: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
   38 |   const instructions_t &instructions = reinterpret_cast<const instructions_t &> (data);
      |

And it is already disabled at project level so let's disable it here also.
2020-07-05 10:49:10 +04:30
Ebrahim Byagowi a07672d353 [py] minor, replace os.environ.get with os.getenv 2020-07-04 16:16:15 +04:30
Ebrahim Byagowi 47a0fbec31 [meson] Mark longer tests with slow
So one can skip them easily by `meson test -Cbuild --no-suite slow`
2020-06-21 08:47:10 +04:30
Ebrahim Byagowi 0881611778 [fuzzer] Make some use for test_font API calls
Making some use for result of some of the test_font calls to make
sure compilers in fuzzers aren't just optimizing the calls.
2020-06-20 22:06:11 +04:30
Christoph Reiter 03bd6ead44 [meson] Only pass required dependencies to everything
Instead of passing dependencies as required we used one giant shared
dependency list containing all dependencies for every library/executable.
While this kinda works, the specified deps are also used for generating
the pkg-config files and this leads to lots of Requires.private and Libs.private
entries which aren't really needed.

This removes the "deps" array and replaces it with a few smaller ones and
makes sure the public libraries only get passed the dependencies actually
needed.

Fixes #2441
2020-06-04 23:28:57 +04:30
Ebrahim Byagowi a9d13463b5 [meson] Categorize tests using `suite: [...]`
So one can run a category of interested tests like

  meson test -Cbuild --suite aots --suite src --print-errorlogs

Intead issuing particular tests which also is possible like

  meson test -Cbuild test-shape --print-errorlogs
2020-05-30 16:58:46 +04:30
Ebrahim Byagowi 7554f618ec minor, use sys.exit print shorthand 2020-05-28 23:34:37 +04:30
Ebrahim Byagowi f7562672f9 [meson] Use / instead join_paths
We need some of the very recent features of meson, let's use the new features also
2020-05-21 18:52:31 +04:30
Ebrahim Byagowi b8d1760bc0 [meson/ci] Increase cmap fuzzer timeout even more 2020-05-21 14:45:41 +04:30
Ebrahim Byagowi 4b12b8466f [meson] Increase timeout in hope to resolve Actions' bot timeout 2020-05-21 14:23:36 +04:30
Ebrahim Byagowi 1c4dd79cfb [ci] Increase timeout as gh bot issue isn't resolved by serial test 2020-05-21 08:52:05 +04:30
Ebrahim Byagowi 8667df552c [meson] Unbreak the build, oops 2020-05-21 07:19:37 +04:30
Ebrahim Byagowi 791debdc4a
[meson][ci] Don't run subset fuzzer test in parallel
resolves https://github.com/harfbuzz/harfbuzz/runs/695051808#step:6:595 failure
2020-05-21 07:15:09 +04:30
Ebrahim Byagowi 8a5368e2d6 [tests] Enable more gid misc calls on draw fuzzer 2020-05-21 07:00:40 +04:30
Ebrahim Byagowi c68ab4b52b Fix _get_ligature_caret's oob read issue
AAT::Lookup has no other way to detect whether it is returned from
a real and sanitized font data or from a null pool, this checks if
the table has been recognized valid by sanitizer by checking
table's major version which is zero if returned from a null pool and
non-zero if is from a sanitized font data, it is expected the other
calls of the table (unlikely to have more calls however) also do a
similar version check before calling the lookups used on the table.
2020-05-21 06:56:09 +04:30
ckitagawa b22f61d86a Fix bug 2020-04-21 16:51:55 -07:00
ariza 22f7c61acf implement SID to glyph ID mapping with predefined Charset
Also fixes oss-fuzz 21769
2020-04-18 15:42:30 +04:30
Qunxin Liu 0d5695983e [subset] fixes dangling object_t issue in FeatureVariationRecord
Fixes https://crbug.com/oss-fuzz/21560
revert () does not clean up useless object_t. Adjust the order of
subsetting substitutions and conditions to avoid dangling object_t.
2020-04-06 13:41:33 +04:30