Ebrahim Byagowi
6543d166fd
[fuzz] Remove the not yet fixed timeout, going to investigate
2020-03-03 21:39:22 +03:30
Ebrahim Byagowi
2bbf1c8673
[fuzz] Add more of supposed to already be fixed cases from Chromium bug tracker
2020-03-03 21:39:22 +03:30
Ebrahim Byagowi
f253f06cf3
[fuzz] Add another fixed case
...
https://crbug.com/oss-fuzz/14626
another numerous subtables count which is fixed by d38360397
2020-03-03 19:12:04 +03:30
Ebrahim Byagowi
d383603976
Limit OT::Lookup subtables ( #2219 )
...
Fixes https://crbug.com/oss-fuzz/13943
2020-03-02 22:41:08 +03:30
Ebrahim Byagowi
29efd964f2
[fuzz] Add cases that marked as wontfix
...
Let's see if they were really false alarms, if so, let's just have them.
2020-03-02 14:22:29 +03:30
Michiharu Ariza
5ab50eebd7
collect_unicodes() with clamp, calling add_range()
...
Use add_range instead an inner loop, clamp its input number by
number of glyphs a face has.
Even the face cmap12 and 13 have 32-bit hb_codepoint_t, which is here
used to make timeout, face's maxp has 16-bit gid limitation at least for now,
using that makes sure we both fix and the timeout and don't need to change
much things here also in order to support 32-bit gids also someday.
Fixes #2204
2020-02-29 13:02:29 +03:30
Garret Rieger
410b4881d0
[subset] Add fuzzer timeout testcase.
2020-02-28 16:10:14 -08:00
Ebrahim Byagowi
e57ced5fc0
[gvar] Add other possibly fixed fuzzer case
...
Speculatively should've been fixed by 61208401
https://crbug.com/oss-fuzz/20924 related
2020-02-28 23:29:05 +03:30
Ebrahim Byagowi
758fda728b
[glyf] Don't accept gids higher than maxp's glyphs number
...
This specially becomes concerning on sub-components where a gvar table
that is sanitized using maxp's glyphs number overflows when a high gid
accepted here goes to it, maybe an additional check can be put there
also, this however feels to be enough.
Fixes https://crbug.com/oss-fuzz/20944
2020-02-28 23:19:06 +03:30
Ebrahim Byagowi
e90213868b
Revert "collect_unicodes() to check gid < num_glyphs with cmap 12"
...
Didn't fix the case actually, making bots to fail.
This reverts commit 15b43a4104
.
2020-02-28 21:24:51 +03:30
Ebrahim Byagowi
61208401f4
[gvar] Use hb_bytes_t.check_range instead having in house one
...
And use TupleVarHeader calculated size for validity check.
Fixes https://crbug.com/oss-fuzz/20919 and possibly other gvar related issues
2020-02-28 21:09:07 +03:30
Michiharu Ariza
15b43a4104
collect_unicodes() to check gid < num_glyphs with cmap 12
...
fixes #2204
2020-02-28 20:15:39 +03:30
Ebrahim Byagowi
8eba66c1c6
[gvar] Fix invalid memory access by refactoring GlyphVarData fetch logic
...
Fixes https://crbug.com/oss-fuzz/20906
2020-02-27 20:26:54 +03:30
ariza
a99134c5be
add oss-fuzz 20886 test file
2020-02-26 09:58:03 -08:00
Ebrahim Byagowi
1c015d3e9f
[fuzz] minor fuzzer case move, oops
2020-02-12 19:19:37 +03:30
Ebrahim Byagowi
ff984ed3cd
Use multiplication to avoid undefined behaviour per clang
...
Newer versions of MSVC with /we4146 don't like putting negative sign behind a
unsigned number as https://github.com/harfbuzz/harfbuzz/pull/2069
That however have made https://crbug.com/1050424 this complain:
src/hb-ot-color-sbix-table.hh:304:28: runtime error: negation of -2147483648 cannot be represented in type 'int';
cast to an unsigned type to negate this value to itself
which apparently can be fixed using this change.
Let's see if this won't make another ubsan complain!
2020-02-11 19:51:52 +03:30
ckitagawa
e128f80278
parent 777ba47b50
...
author ckitagawa <ckitagawa@chromium.org> 1579631743 -0500
committer ckitagawa <ckitagawa@chromium.org> 1580506176 -0500
[subset] Add CBLC support
2020-01-31 16:37:30 -05:00
ckitagawa
ed857c4680
[subset] Add COLR support
2020-01-28 15:35:53 -05:00
ckitagawa-work
0e4b2676bd
[subset] sbix fix missed offset is_null() check
2020-01-24 20:46:07 +03:30
ckitagawa
7dc341fe74
[subset] Fix UBSAN issue in sbix
2020-01-23 23:46:22 +03:30
ariza
1ab3924b31
refix PR #2087 subset PairPos1
...
also added oss-fuzz 20211 data fixed by this
2020-01-23 10:50:52 -08:00
ckitagawa
b18cb5b5ee
Add second fixed test
2020-01-22 10:11:15 -08:00
ckitagawa
8614a30bc9
[subset] Fix sbix fuzz problem
2020-01-22 10:11:15 -08:00
ckitagawa
6bcf57eaa3
Simplify copy and add fuzzing coverage
2020-01-15 13:36:01 -08:00
Ebrahim Byagowi
dc03a993d0
Fix collect lookups logic of FeatureTableSubstitution ( #2097 )
...
https://crbug.com/oss-fuzz/20036
2020-01-12 14:21:29 +03:30
Ebrahim Byagowi
a32ecc15ae
Fix collect lookups logic of FeatureVariationRecord
...
As "Offset to a feature table substitution table, from beginning of the FeatureVariations table."
from https://docs.microsoft.com/en-us/typography/opentype/spec/chapter2 the record should
match its sanitize logic not the reverse way.
Fixes https://crbug.com/oss-fuzz/20021 and https://crbug.com/oss-fuzz/20022
2020-01-11 15:37:24 +03:30
Michiharu Ariza
d2ab1ec65b
fixes oss-fuzz 19978: Null-dereference READ ( #2091 )
2020-01-10 07:54:16 +03:30
Ebrahim Byagowi
257a197ae7
Fail serialize when map has incorrect value
...
fixes https://crbug.com/oss-fuzz/19956
am not super happy with the fix, guess we should do some check
before the memcpy anyway as @blueshade7 thinks also,
so let's have it or revert it when we have a better approach for the case.
2020-01-09 22:55:45 +03:30
Ebrahim Byagowi
8ed46c3678
[fuzz] minor, add another already fixed case
...
https://crbug.com/oss-fuzz/19907
2020-01-07 23:43:53 +03:30
Ebrahim Byagowi
341407f7a5
[fuzz] minor, upload another fixed case
...
https://crbug.com/oss-fuzz/19878
2020-01-07 09:10:24 +03:30
Ebrahim Byagowi
7950beecfc
[subset] Fix null pointer dereference in hvar/vvar subset ( #2085 )
...
Rest of the code assumes there is at least one subtable, lets return here if not.
* https://crbug.com/oss-fuzz/19827
* https://crbug.com/oss-fuzz/19847
2020-01-06 21:25:00 +03:30
Ebrahim Byagowi
64a45be519
[ubsan] Don't decrease pointer if match_glyph_data is null ( #2048 )
...
Similar to fix on https://github.com/harfbuzz/harfbuzz/pull/2022
Fixes https://crbug.com/1023070
2019-11-09 12:25:33 +03:30
Ebrahim Byagowi
84b86a12d9
[fuzz] Remove just added case
...
It didn't fail locally but on bots causing timeout, let remove for now.
2019-11-06 09:22:34 +03:30
Ebrahim Byagowi
a8f049c9a1
[fuzz] Upload testcase of https://crbug.com/oss-fuzz/18529
...
Apparently false alarm per last comment and was ok locally also but lets have it here also
2019-11-05 22:26:36 +03:30
Qunxin Liu
defe9b6da0
crash fix : Heap-buffer-overflow READ 2
...
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18513
2019-10-25 13:09:47 -07:00
Qunxin Liu
b2fcca6e14
fuzzer crash fix
...
https://oss-fuzz.com/testcase-detail/5643107869917184
2019-10-24 16:11:30 -07:00
Garret Rieger
95ab110cd9
Optimize intersects_array to fix fuzzer timeout.
2019-10-22 13:33:50 -07:00
Qunxin Liu
b33a0d628e
fuzzer crash fix: Null-dereference WRITE
...
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18363
2019-10-22 01:01:08 +03:30
Ebrahim Byagowi
e766783152
[fuzz] Add https://crbug.com/oss-fuzz/17898 testcase
2019-10-21 22:17:06 +03:30
Garret Rieger
831daf4c76
Enforce HB_MAX_LANGSYS limit during layout subsetting.
2019-10-18 15:10:30 -07:00
Ebrahim Byagowi
d3b984d379
Revert in-house pow10 ( d80a3ea
) and fix oss-fuzz/16922
...
Probably can be fixed but merging it was wrong so let's revert.
2019-09-02 18:28:03 +04:30
Ebrahim Byagowi
875985cd48
[subset] Don't allow malicious fonts to insert unlimited table headers
...
Fixes https://crbug.com/oss-fuzz/16810
2019-08-29 14:51:22 +04:30
Ebrahim Byagowi
269a120f13
[subset] Raise the bar in new vs old table size
...
https://crbug.com/oss-fuzz/16740
This is actually an interesting thing that {h,v}mtx allocates as
much as a font pretends to have glyphs but the solution is not
that obvious as regular fonts can have less than actually containing
metrics in their {h,v}mtx. This change raises the bar to consider this
hmtx 4 byte for every glyph case.
Initially we wanted to just find things allocating crazy amount of
memory but having the assert has led to interesting findings also
so let's don't remove the assert and see what we can find elsewhere.
2019-08-25 20:37:00 +04:30
Ebrahim Byagowi
28aba780c4
[subset] Fix blob leak of _subset2 when returns early
...
Fixes https://crbug.com/oss-fuzz/16639
2019-08-24 16:11:21 +04:30
Ebrahim Byagowi
b65bad18aa
[fuzz] Don't fail when blob is empty
...
And enable more tests able to trig the issue.
2019-07-11 14:31:55 +04:30
Michiharu Ariza
8341c0b304
add test case file
2019-06-27 08:43:31 -07:00
Michiharu Ariza
90872a29ee
change assert(false) to failure
2019-06-11 12:42:28 -07:00
Michiharu Ariza
65e66a2d37
added test data
2019-06-03 16:31:41 -07:00
Qunxin Liu
e1a5ce6aa6
Fix fuzzer crash testcase
...
Add a check for stringOffSet(uint16) overflow,
return early if overflow happens
2019-05-24 15:26:20 -04:00
Behdad Esfahbod
9ef241cd40
[test] Add one more
2019-05-20 11:38:02 -04:00
Behdad Esfahbod
3efb7af7e2
[STAT] Fix sanitize condition
...
Oops!
Fixes https://oss-fuzz.com/testcase-detail/5696825891225600
2019-05-20 11:37:16 -04:00
Behdad Esfahbod
25a5b287f2
Fix sanitize fail of extension sublookups
...
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=960331
2019-05-10 16:03:20 -07:00
Ebrahim Byagowi
df237d2fe7
[test] Add https://crbug.com/oss-fuzz/14641 testcase
...
As 503748d
fix
2019-05-08 14:17:14 -07:00
Ebrahim Byagowi
62c6e17072
[test] Add crbug.com/oss-fuzz/14474 testcase
...
Fixed at 6977a95f
2019-04-28 10:55:07 -07:00
Michiharu Ariza
ba0386060d
fix oss-fuzz issue 14345
2019-04-18 18:18:05 -04:00
Behdad Esfahbod
ec2a5dc859
Use class templates for Null objects
...
This allows partial-instantiating custom Null object for template Lookup<T>.
Before, this had to be handcoded per instantiation. Apparently I missed
adding one for AAT::ankr.lookupTable, so it was getting the wrong (generic)
null for Lookup object, which is wrong and unsafe.
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=944346
2019-03-26 16:23:40 -07:00
Michiharu Ariza
bcb4e505d6
cff2 subset fuzzer issues ( #1619 )
...
* add check to FDArray::serialize
* add test files
* fix off by one
2019-03-15 13:46:25 -07:00
Behdad Esfahbod
6879efc2c1
[AAT] Fix anchor bound checking, again
...
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12532
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=922303
2019-01-17 14:08:02 -05:00
Behdad Esfahbod
91d774712f
[test] Add test for previous commit
2019-01-14 15:31:31 -05:00
Behdad Esfahbod
7a6686a589
[AAT] Fix mort ContextualSubtable offset access
...
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12312
2019-01-14 15:09:14 -05:00
Behdad Esfahbod
a3fa7d3336
[AAT] Fix ankr table access
...
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=918340
2019-01-14 14:37:36 -05:00
Michiharu Ariza
798e98c47b
[CFF] bad offset in Index ( #1476 )
...
* Update hb-ot-cff-common.hh
* fix bug
* bummer fix wasn't hit. refix
* additional sanity check
* Added test cases for oss-fuzz issues 11805, 11806
2018-12-12 21:08:15 -05:00
Michiharu Ariza
bcb4ecaf68
[CFF] check out of range FD index ( #1477 )
...
* add fd index checks to subr subsetter
also added oss-fuzz test case
* undid SubrSubsetParam::is_valid
because already validated by SubrClosures.valid
2018-12-12 20:36:01 -05:00
Michiharu Ariza
2941208f1e
[CFF] oss-fuzz issue 11690 ASSERT: substr.offset >= opStart ( #1461 )
...
* fix oss-fuzz 11690: substr.offset >= opStart
detect recursive subroutine call & handle as error
* fix build failure
* add minimized test case for oss-fuzz 11690
* removed asserts
2018-12-11 15:21:24 -05:00
Michiharu Ariza
ae087d10c2
add minimized test case for oss-fuzz issue 11714
2018-12-05 21:47:34 -08:00
Ebrahim Byagowi
f95324a335
Merge pull request #1457 from harfbuzz/cff-varstore-sanitize
...
[CFF] oss-fuzz issue 11713 (CFF2VariationStore::serialize)
2018-12-06 08:33:44 +03:30
Michiharu Ariza
9d8f3b0dfb
add minimized test case for oss-fuzz issue 11713
2018-12-05 17:14:51 -08:00
Michiharu Ariza
34e3ef8ff3
Merge branch 'master' into cff-subr-sanitize
2018-12-05 15:50:05 -08:00
Michiharu Ariza
72d8f76368
add minimized test case for oss-fuzz issue 11691
2018-12-05 15:49:11 -08:00
Behdad Esfahbod
d9dabc00e9
Merge pull request #1454 from harfbuzz/cff-fixbcd
...
[CFF] fix oss-fuzz issue 11674: parse_bcd
2018-12-05 15:39:34 -08:00
Michiharu Ariza
6708c5595f
fix oss-fuzz issue 11675 (ASSERT: count <= str.len)
...
Also added an additional error check to avail ()
2018-12-05 12:51:18 -08:00
Michiharu Ariza
010e2ddb38
minimized test case for oss-fuzz issue 11674
2018-12-05 12:23:58 -08:00
Ebrahim Byagowi
79e7e3445e
Merge pull request #1449 from harfbuzz/cff-fixcharset
...
[CFF] fix for oss-fuzz 11657: Charset overrun
2018-12-05 13:25:18 +03:30
Ebrahim Byagowi
cf4b7db6b1
Merge pull request #1448 from harfbuzz/cff-leak
...
[CFF] fix leak: oss-fuzz 11662
2018-12-05 13:23:23 +03:30
Michiharu Ariza
32cc46c75a
[CFF] fix oss-fuzz issue 11670: NULL dereference ( #1450 )
...
* guard against no subr access
* code tweak
* add minimized testcase for oss-fuzz 11670 (Null deference)
2018-12-05 09:02:34 +03:30
Michiharu Ariza
78f639b8bf
added minimized testcase for oss-fuzz issue 11657
2018-12-04 14:17:03 -08:00
Michiharu Ariza
b61f74f69a
added minimized test case for oss-fuzz issue 11662
2018-12-04 10:30:35 -08:00
Michiharu Ariza
9424e80526
added minimized test cases
2018-12-03 16:18:10 -08:00
Behdad Esfahbod
84efe0438e
[aat] Fix division sign fallout
...
Happened after 11d2f49af8
since now nClasses is unsigned int...
2018-12-02 12:39:14 -05:00
Behdad Esfahbod
1204a247a5
[fuzzing] Add tests for previous commit
...
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11526
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11522
2018-11-24 09:49:21 -05:00
Behdad Esfahbod
2c8188bf59
[kerx] Make sure subtables are non-zero-length
...
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11400
2018-11-22 22:02:19 -05:00
Garret Rieger
8982830d3e
[subset] add fuzzer testcase.
2018-11-22 21:30:01 -05:00
Behdad Esfahbod
5212cd8af2
[fuzzing] Add new test
2018-11-12 14:25:18 -05:00
Behdad Esfahbod
a549aa14a0
[kerx] Protect against stack underflow
...
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11367
2018-11-12 13:02:39 -05:00
Behdad Esfahbod
752bd8a192
[kerx] Fix Format1 tupleKern sanitization
...
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11312
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11305
2018-11-10 21:13:32 -05:00
Behdad Esfahbod
3a9fa8c026
[qsort] Fix O(N^2) behavior if all array elements are the same
...
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11327
Reported as https://github.com/noporpoise/sort_r/issues/7
2018-11-10 01:58:26 -05:00
Ebrahim Byagowi
c560ca9251
[fuzz] A new testcase
2018-11-03 13:03:36 +03:30
Khaled Hosny
0af3d176a6
[sbix] Fix memory leak in early return
...
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11210
2018-10-30 17:05:28 +02:00
Behdad Esfahbod
12058e44d1
[fuzzing] Add more test
2018-10-26 21:22:26 -07:00
Ebrahim Byagowi
0229eaea29
[fuzz] Add a found hb-subset testcase
2018-10-22 10:51:37 +03:30
Ebrahim Byagowi
9b3461574f
[fuzz] Add more testcases
...
Fixed already but better to have anyway.
One didn't have minimized but it was only 164 B, so
2018-10-21 11:37:38 +03:30
Behdad Esfahbod
217a3728b4
[fuzzing] Add more font
2018-10-20 20:39:56 -07:00
Ebrahim Byagowi
d39acc5a95
[fuzzing] Add new testcases
2018-10-20 12:20:30 +03:30
Ebrahim Byagowi
fbf665b307
[fuzz] Add more found cases ( #1275 )
2018-10-19 08:09:53 +03:30
Behdad Esfahbod
b9478e28ac
Revert "[test] Remove not-fixed yet testcases ( #1268 )"
...
This reverts commit 191eef823f
.
2018-10-17 22:11:49 -07:00
Ebrahim Byagowi
191eef823f
[test] Remove not-fixed yet testcases ( #1268 )
...
I added them but now that I think, it is a bad idea to have them as
fuzzing bots will find good seeds to tweak in order to find easy new
testcases which causes duplicated issues.
2018-10-18 08:04:18 +03:30
Ebrahim Byagowi
751c10e55e
[fuzz] Add more new testcases
2018-10-18 06:36:48 +03:30
Ebrahim Byagowi
fd282eb328
[fuzz] Add a new testcase
2018-10-18 06:33:39 +03:30
Behdad Esfahbod
3341c7fbfb
[fuzzing] Move fuzzing fonts from api/ here
2018-10-17 15:04:35 -07:00
Behdad Esfahbod
5842756b13
[fuzzing] Delete blink fuzzed data
...
These are text, not font.
2018-10-16 18:28:55 -07:00
Behdad Esfahbod
7b37705fb5
[fuzzing] Rename
2018-10-16 16:33:06 -07:00
Behdad Esfahbod
3676c685d4
[fuzzing] Move rest of fuzzing tests here
2018-10-16 16:32:26 -07:00
Behdad Esfahbod
1147ce2392
[fuzzing] Add more tests
2018-10-16 16:18:32 -07:00
Behdad Esfahbod
e6f267c3df
[fuzzing] Add more clusterfuzz tests I had lying around
2018-10-16 15:16:20 -07:00
Ebrahim Byagowi
e53206271d
Add all the fonts found by fuzzers to the repo ( #1258 )
2018-10-17 01:42:04 +03:30