Commit Graph

402 Commits

Author SHA1 Message Date
Garret Rieger c5c13006a1 [subset] fix memory leaks found in https://oss-fuzz.com/testcase-detail/5179935334465536 2021-03-31 12:37:45 -06:00
Garret Rieger adca4ce071 [subset] fixes https://oss-fuzz.com/testcase-detail/6173520787800064.
Caused by incorrect bounds check in glyph closure for context lookups.
2021-03-30 15:44:41 -06:00
Garret Rieger 752e393ad2 [subset] avoid calling clear on null pool set. 2021-03-30 15:12:52 -06:00
Garret Rieger 8741914a80 [subset] fix memory leak when map insert fails. 2021-03-29 18:02:32 -06:00
Garret Rieger 5b6da6d2f0 [subset] add fuzzer test case. 2021-03-29 17:41:07 -06:00
Garret Rieger a804a0c903 [subset] add fuzzer test case. 2021-03-29 17:15:22 -06:00
Khaled Hosny f2d08578e7 [tests] Increase shape-fuzzer timeout 2021-03-16 01:15:40 +02:00
Garret Rieger 5ca353a2d0 [subset] fix heap buffer overflow found by fuzzer. 2021-02-16 12:43:02 -07:00
Behdad Esfahbod 33a0f0b686 [test] Remove fuzzed test font that triggers virus alert
Fixes https://github.com/harfbuzz/harfbuzz/issues/2750
2021-02-09 12:55:45 -07:00
Garret Rieger f94bf9f06f [set fuzzer] limit the total number of set members in a fuzzing input.
Currently the fuzzer can create arbitarily long inputs which once big enough will trigger a timeout.
2021-01-26 10:22:07 -08:00
Garret Rieger a4c3732f59 [ENOMEM] fix set clear() causing corruption if the set is in_error(). 2021-01-21 12:12:05 -07:00
Khaled Hosny 84dd65a874 [test] Remove timeout from test runners
See https://github.com/harfbuzz/harfbuzz/issues/2707#issuecomment-707744079

This wasn’t inconsistent as well, HB_TEST_SUBSET_FUZZER_TIMEOUT defaulted
to 12 in the test runner, but it was overridden to 50 in meson.build,
and then meson has its own test timeout.
2020-10-15 00:49:02 -07:00
Garret Rieger bbbcad0dbb Revert "[ENOMEM] don't perform set process operations if the other set is in an error state."
This reverts commit f3929abafe.
2020-09-16 12:23:38 -06:00
Garret Rieger f3929abafe [ENOMEM] don't perform set process operations if the other set is in an error state.
Running a process while the other set is in an error state can potentially corrupt this sets map map (for example by overwritting all of the major values with 0).
2020-09-16 10:36:30 -07:00
Garret Rieger 8c3d4de796 [subset] Fix integer underflow in ContextFormat2. 2020-09-11 15:52:46 -07:00
Garret Rieger 9825e3dd2e [ENOMEM] fix access to unitialized memory.
If the serialize() call fails to write the object then we can't safely read varstore_prime fields. Fixes https://oss-fuzz.com/testcase-detail/5137462782066688.
2020-09-02 11:01:07 -07:00
ebraminio 1e48225ca3
[ENOMEM] Check whether serialize context isn't in error 2020-08-13 23:22:14 +04:30
Ebrahim Byagowi 6e32145dc9 [meson] Make compatbile with 0.47.0 2020-08-13 18:28:42 +04:30
Garret Rieger 9562239f05 [ENOMEM] check for error in lookup visited set. 2020-08-13 01:43:11 +04:30
Garret Rieger 6f754852c1 [ENOMEM] skip asserts in to_bias if serializer is in an error state. 2020-08-12 11:25:30 +04:30
Ebrahim Byagowi 057769b1a3 [fuzzer] minor 2020-08-12 02:40:55 +04:30
Ebrahim Byagowi 0417938011 [fuzzer] Mark alloc_state as unused
It is really unused when failing-alloc isn't on.
2020-08-12 02:40:55 +04:30
Ebrahim Byagowi 5193357832 Revert "Remove autotools build support"
This reverts commit 01ac32aab2.
2020-08-11 23:51:59 +04:30
Ebrahim Byagowi ffe06c8f04 [glyf] Guard all the public APIs against null pool runs
Fixes https://crbug.com/oss-fuzz/24575 and https://crbug.com/oss-fuzz/24737
2020-08-08 13:43:49 +04:30
Ebrahim Byagowi 01ac32aab2 Remove autotools build support 2020-08-07 23:28:12 +04:30
Ebrahim Byagowi 679fac87df Skip hb_shape if buffer object is immutable 2020-08-06 23:47:35 +04:30
Garret Rieger 18ab8029d5 [ENOMEM] check vector status in cmap subsetting. 2020-08-02 00:30:17 +04:30
Garret Rieger 06dbb6acbb [ENOMEM] in GSUB ChainContext subsetting check maps for allocation errors. 2020-08-01 09:21:22 +04:30
Garret Rieger fb1477795c [ENOMEM] Check result of vector resize in CBDT subsetting. 2020-08-01 09:20:52 +04:30
Ebrahim Byagowi efd716de3f [cff] Check for scalars array resize result
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24504
2020-07-31 09:27:27 +04:30
Garret Rieger 040ed094ef [ENOMEM] popragate packed/packed_map errors to the serializer.
Will disable further modifications based on a bad state.
2020-07-31 08:39:26 +04:30
Garret Rieger 7f358a55f4 [ENOMEM] unchecked resize in CFF2. 2020-07-31 02:04:06 +04:30
Garret Rieger 32f052b033 [ENOMEM] Fix several instances of not checking resize in CFF. 2020-07-31 02:04:06 +04:30
Garret Rieger 15644ee60e [ENOMEM] fix memory leak if allocation fails during pop_pack(). 2020-07-30 04:15:35 +04:30
Garret Rieger 42237adffc [ENOMEM] make serializer modification operations no-ops if it's in an error state. 2020-07-30 03:59:49 +04:30
Garret Rieger 4ba8e3c6fd [ENOMEM] Fix failure to check calloc return.
Fixes https://oss-fuzz.com/testcase-detail/6246465148813312.
2020-07-30 00:08:08 +04:30
Garret Rieger d307c24abf [ENOMEM] check resize() return.
Fixes https://oss-fuzz.com/testcase-detail/5641892164009984.
2020-07-30 00:08:08 +04:30
Ebrahim Byagowi 48ad745996 [ENOMEM] Fix buffer's content check logic
So now rest of shape fuzzer also can be enabled.

Fixes #2571
2020-07-29 08:09:10 +04:30
Ebrahim Byagowi c33e8006fd [fuzz] Implement failing allocator 2020-07-29 07:35:34 +04:30
Ebrahim Byagowi 5c46683ab8
[fuzz] increase shape fuzzer timeout
as https://circleci.com/gh/harfbuzz/harfbuzz/149203
2020-07-22 17:23:22 +04:30
Ebrahim Byagowi 945bcd7230
minor 2020-07-15 09:54:32 +04:30
Ebrahim Byagowi fa0436ddd1
[ENOMEM][fuzzer/subset] early return if the result is null
I don't see _or_fail APIs idiomatic for the project but since it is there, let's have this
2020-07-15 09:52:40 +04:30
Ebrahim Byagowi 11d583a9ea
[aat] Consume glyph insertion from buffer's max_ops (#2223)
Glyph insertion is an expensive operation and we like to have it limited
based on buffer's input size which is handled by buffer's max_ops.

clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5754958982021120:

Before the change: 0.67s user 0.00s system 99% cpu 0.674 total
 After the change: 0.02s user 0.00s system 98% cpu 0.024 total

Which takes much longer on valgrind and tsan bots.
2020-07-13 18:53:06 -07:00
Ebrahim Byagowi cd6f62d960
[meson] Raise timeout value of subset fuzzer testcases
happens when tsan is enabled
2020-07-12 23:05:11 +04:30
Ebrahim Byagowi e4f9969108 [ci] migrate to meson
two bots, one bot here (distcheck) and one in travis still run autotools and
won't be removed till we decide about autotools
2020-07-08 19:18:31 +04:30
Ebrahim Byagowi e04050e3b8
[meson] split fuzzer_ldflags before use 2020-07-08 01:06:30 +04:30
Ebrahim Byagowi c5def34730 [meson] don't underscorify fuzzers names 2020-07-06 23:51:52 +04:30
Ebrahim Byagowi d608f2ac85 [meson] Add fuzzer_ldflags
As ots, https://github.com/khaledhosny/ots/commit/4d37b9b
2020-07-06 23:51:52 +04:30
Ebrahim Byagowi a470b0b205 Minor, disable strict-aliasing warning in set fuzzer
../test/fuzzing/hb-set-fuzzer.cc: In function ‘int LLVMFuzzerTestOneInput(const uint8_t*, size_t)’:
../test/fuzzing/hb-set-fuzzer.cc:38:82: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
   38 |   const instructions_t &instructions = reinterpret_cast<const instructions_t &> (data);
      |

And it is already disabled at project level so let's disable it here also.
2020-07-05 10:49:10 +04:30
Ebrahim Byagowi a07672d353 [py] minor, replace os.environ.get with os.getenv 2020-07-04 16:16:15 +04:30
Ebrahim Byagowi 47a0fbec31 [meson] Mark longer tests with slow
So one can skip them easily by `meson test -Cbuild --no-suite slow`
2020-06-21 08:47:10 +04:30
Ebrahim Byagowi 0881611778 [fuzzer] Make some use for test_font API calls
Making some use for result of some of the test_font calls to make
sure compilers in fuzzers aren't just optimizing the calls.
2020-06-20 22:06:11 +04:30
Christoph Reiter 03bd6ead44 [meson] Only pass required dependencies to everything
Instead of passing dependencies as required we used one giant shared
dependency list containing all dependencies for every library/executable.
While this kinda works, the specified deps are also used for generating
the pkg-config files and this leads to lots of Requires.private and Libs.private
entries which aren't really needed.

This removes the "deps" array and replaces it with a few smaller ones and
makes sure the public libraries only get passed the dependencies actually
needed.

Fixes #2441
2020-06-04 23:28:57 +04:30
Ebrahim Byagowi a9d13463b5 [meson] Categorize tests using `suite: [...]`
So one can run a category of interested tests like

  meson test -Cbuild --suite aots --suite src --print-errorlogs

Intead issuing particular tests which also is possible like

  meson test -Cbuild test-shape --print-errorlogs
2020-05-30 16:58:46 +04:30
Ebrahim Byagowi 7554f618ec minor, use sys.exit print shorthand 2020-05-28 23:34:37 +04:30
Ebrahim Byagowi f7562672f9 [meson] Use / instead join_paths
We need some of the very recent features of meson, let's use the new features also
2020-05-21 18:52:31 +04:30
Ebrahim Byagowi b8d1760bc0 [meson/ci] Increase cmap fuzzer timeout even more 2020-05-21 14:45:41 +04:30
Ebrahim Byagowi 4b12b8466f [meson] Increase timeout in hope to resolve Actions' bot timeout 2020-05-21 14:23:36 +04:30
Ebrahim Byagowi 1c4dd79cfb [ci] Increase timeout as gh bot issue isn't resolved by serial test 2020-05-21 08:52:05 +04:30
Ebrahim Byagowi 8667df552c [meson] Unbreak the build, oops 2020-05-21 07:19:37 +04:30
Ebrahim Byagowi 791debdc4a
[meson][ci] Don't run subset fuzzer test in parallel
resolves https://github.com/harfbuzz/harfbuzz/runs/695051808#step:6:595 failure
2020-05-21 07:15:09 +04:30
Ebrahim Byagowi 8a5368e2d6 [tests] Enable more gid misc calls on draw fuzzer 2020-05-21 07:00:40 +04:30
Ebrahim Byagowi c68ab4b52b Fix _get_ligature_caret's oob read issue
AAT::Lookup has no other way to detect whether it is returned from
a real and sanitized font data or from a null pool, this checks if
the table has been recognized valid by sanitizer by checking
table's major version which is zero if returned from a null pool and
non-zero if is from a sanitized font data, it is expected the other
calls of the table (unlikely to have more calls however) also do a
similar version check before calling the lookups used on the table.
2020-05-21 06:56:09 +04:30
ckitagawa b22f61d86a Fix bug 2020-04-21 16:51:55 -07:00
ariza 22f7c61acf implement SID to glyph ID mapping with predefined Charset
Also fixes oss-fuzz 21769
2020-04-18 15:42:30 +04:30
Qunxin Liu 0d5695983e [subset] fixes dangling object_t issue in FeatureVariationRecord
Fixes https://crbug.com/oss-fuzz/21560
revert () does not clean up useless object_t. Adjust the order of
subsetting substitutions and conditions to avoid dangling object_t.
2020-04-06 13:41:33 +04:30
Ebrahim Byagowi 57b7de032f [subset] Fail ClassDefFormat1 serialization if no space available
Fixes https://crbug.com/oss-fuzz/21580
2020-04-05 17:38:04 +04:30
Garret Rieger 014e038b2c [subset] Bail out of context lookup expansion once the lookup limit is encountered. 2020-04-01 11:14:41 +04:30
Garret Rieger 5d345d0cd1 [subset] Limit the number of lookup indices processed subsetting Feature.
> Also, remove two unnessecary full iterations of the lookup index iterator during serialization of the index array. Fixes fuzzer found timeout.
2020-04-01 11:13:05 +04:30
Ebrahim Byagowi 96d792ae80 [avar] Prevent mul overflow
Fixes https://crbug.com/oss-fuzz/21350
2020-03-26 15:01:14 +00:00
Garret Rieger 4ad686b9c0
[subset] fix fuzzer timeout in layout closure
Bail out of chain context lookup expansion once the lookup limit is encountered.
2020-03-26 06:32:28 +00:00
Ebrahim Byagowi 7054b12206 [meson] Mark rest of non-install executables explicitly 2020-03-24 19:06:09 +00:00
Ebrahim Byagowi 600bf21fbc [meson] Add draw-fuzzer runner 2020-03-24 19:06:09 +00:00
Ebrahim Byagowi 28deb6b718 [meson] test/fuzzing simplify 2020-03-24 19:06:09 +00:00
Ebrahim Byagowi 78622231ac [meson] More comment on tests are causing timeout failure 2020-03-24 19:06:09 +00:00
Ebrahim Byagowi d57fc627e9 [meson] raise timeout value of subset fuzzer 2020-03-24 19:06:09 +00:00
Ebrahim Byagowi 761695264b [tests] Remove py2 workaround for lack of timeout in subprocess 2020-03-19 10:32:46 +00:00
Ebrahim Byagowi b5526a09ff [tools] Remove in-house 'which' now that we have py3 2020-03-19 10:32:46 +00:00
Garret Rieger 430bf69653 Add potentially crashing font as a fuzzer seed. 2020-03-14 00:55:47 +03:30
Ebrahim Byagowi 755a77d660 Move outline draw API behind HB_EXPERIMENTAL_API directive 2020-03-13 08:25:53 +03:30
Garret Rieger 834a224a50
[subset] Put a limit on the number of lookup indices that can be visited during closures
Fixes https://crbug.com/oss-fuzz/21025
2020-03-12 13:32:36 +03:30
Ebrahim Byagowi c494d7abcd Remove cmake testing and add meson build bot
CMake tests are broken anyway as py3 changes so let's get rid of them
2020-03-11 20:15:10 +03:30
Ebrahim Byagowi 1c3f80ba13 [meson] Minor updates 2020-03-11 20:15:10 +03:30
Khaled Hosny 04438554c8 meson: Update build files after rebase 2020-03-11 19:18:57 +03:30
Tim-Philipp Müller 618584e923 meson: rename incbase to incconfig
Makes it clearer what it's for: config.h. See #4.
2020-03-11 19:18:57 +03:30
Mathieu Duponchelle d4a7237327 meson: all tests passing on Windows / MSVC 2020-03-11 19:18:57 +03:30
Mathieu Duponchelle 7ee650b173 meson: refactor fuzzing test 2020-03-11 19:18:57 +03:30
Mathieu Duponchelle 920efc0ef7 Add Meson build definitions
Fixes #490

http://mesonbuild.com
2020-03-11 19:18:57 +03:30
Ebrahim Byagowi 0d729b4b72 [avar] Fix out-of-bound read when input is bigger than all the coords
'i' shouldn't become equal to array's length which as the increament
is happened at end of the loop, if the input is bigger than all the
table coords, it will be equal to array's length.

Fixes https://crbug.com/oss-fuzz/21092
2020-03-07 13:20:41 +03:30
Ebrahim Byagowi 446d1e3bbc [fuzz] Add more of fixed cases 2020-03-05 00:49:03 +03:30
Ebrahim Byagowi 99b5b3f1b1 [gvar] Make sure TupleVarHeader has the needed size
Fixes https://crbug.com/oss-fuzz/21026
2020-03-04 12:43:26 +03:30
Ebrahim Byagowi 558f922788 [fuzz] Avoid empty memcpy and ubsan complain by length checking before memcpy 2020-03-03 21:39:22 +03:30
Ebrahim Byagowi 6543d166fd [fuzz] Remove the not yet fixed timeout, going to investigate 2020-03-03 21:39:22 +03:30
Ebrahim Byagowi 2bbf1c8673 [fuzz] Add more of supposed to already be fixed cases from Chromium bug tracker 2020-03-03 21:39:22 +03:30
Ebrahim Byagowi f253f06cf3 [fuzz] Add another fixed case
https://crbug.com/oss-fuzz/14626

another numerous subtables count which is fixed by d38360397
2020-03-03 19:12:04 +03:30
Ebrahim Byagowi d383603976
Limit OT::Lookup subtables (#2219)
Fixes https://crbug.com/oss-fuzz/13943
2020-03-02 22:41:08 +03:30
Ebrahim Byagowi 29efd964f2
[fuzz] Add cases that marked as wontfix
Let's see if they were really false alarms, if so, let's just have them.
2020-03-02 14:22:29 +03:30
Ebrahim Byagowi cb65150fec
[draw] minor 2020-02-29 16:12:54 +03:30
Ebrahim Byagowi 86c40b3a1d [fuzz/draw] Call _get_glyph_extents
Other render related APIs also may be added also later such
as ot-color and future rendering things.
2020-02-29 14:53:34 +03:30
Michiharu Ariza 5ab50eebd7
collect_unicodes() with clamp, calling add_range()
Use add_range instead an inner loop, clamp its input number by
number of glyphs a face has.

Even the face cmap12 and 13 have 32-bit hb_codepoint_t, which is here
used to make timeout, face's maxp has 16-bit gid limitation at least for now,
using that makes sure we both fix and the timeout and don't need to change
much things here also in order to support 32-bit gids also someday.

Fixes #2204
2020-02-29 13:02:29 +03:30
Garret Rieger 410b4881d0 [subset] Add fuzzer timeout testcase. 2020-02-28 16:10:14 -08:00
Ebrahim Byagowi e57ced5fc0
[gvar] Add other possibly fixed fuzzer case
Speculatively should've been fixed by 61208401

https://crbug.com/oss-fuzz/20924 related
2020-02-28 23:29:05 +03:30
Ebrahim Byagowi 758fda728b
[glyf] Don't accept gids higher than maxp's glyphs number
This specially becomes concerning on sub-components where a gvar table
that is sanitized using maxp's glyphs number overflows when a high gid
accepted here goes to it, maybe an additional check can be put there
also, this however feels to be enough.

Fixes https://crbug.com/oss-fuzz/20944
2020-02-28 23:19:06 +03:30
Ebrahim Byagowi e90213868b Revert "collect_unicodes() to check gid < num_glyphs with cmap 12"
Didn't fix the case actually, making bots to fail.

This reverts commit 15b43a4104.
2020-02-28 21:24:51 +03:30
Ebrahim Byagowi 61208401f4
[gvar] Use hb_bytes_t.check_range instead having in house one
And use TupleVarHeader calculated size for validity check.

Fixes https://crbug.com/oss-fuzz/20919 and possibly other gvar related issues
2020-02-28 21:09:07 +03:30
Michiharu Ariza 15b43a4104
collect_unicodes() to check gid < num_glyphs with cmap 12
fixes #2204
2020-02-28 20:15:39 +03:30
Ebrahim Byagowi 868ecf7b26 [draw] Add fuzzer runner 2020-02-28 19:57:56 +03:30
Ebrahim Byagowi 8eba66c1c6 [gvar] Fix invalid memory access by refactoring GlyphVarData fetch logic
Fixes https://crbug.com/oss-fuzz/20906
2020-02-27 20:26:54 +03:30
ariza a99134c5be add oss-fuzz 20886 test file 2020-02-26 09:58:03 -08:00
Ebrahim Byagowi 1b8b863898 minor 2020-02-26 16:36:48 +03:30
Ebrahim Byagowi 132fcfbc47 [fuzz] minor don't abort main.cc when the file was empty or not found 2020-02-26 16:15:17 +03:30
Ebrahim Byagowi 84163c83d3 [draw] Skip commands and paths not contributing anything
They aren't contributing to rendering and making issue for stroking, let's skip them
ourselves as Skia does also https://skia-review.googlesource.com/c/skia/+/268166

They are useful for extracting extents and so which that functionality won't be effected by this change.
2020-02-26 16:09:28 +03:30
Ebrahim Byagowi 152000d9c7 [fuzz] Practice variations on font object 2020-02-25 21:16:57 +03:30
Ebrahim Byagowi 036d868913 [draw] Add a fuzzer
Specially checks correctness of the API semantics:
* no move happens when a path is already opened with move-to.
* no path will be left open and close-path will happen at the end of opened paths.
* no path opens with a move-to and will be closed with no length.
* paths start and ending points matches.
* no line/quadratic/cubic command will be issued when no path is started.
2020-02-25 19:09:44 +03:30
Ebrahim Byagowi 96b71e802f [fuzz] make the custom loader to handle multiple files
Actually this was the way it used to work :)
2020-02-24 23:01:02 +03:30
Ebrahim Byagowi 8d19907704 Remove python2 support from tests/utils scripts 2020-02-19 16:17:45 +03:30
Ebrahim Byagowi a94d1af193 [fuzz] minor style fixes 2020-02-12 19:30:31 +03:30
Ebrahim Byagowi 1c015d3e9f [fuzz] minor fuzzer case move, oops 2020-02-12 19:19:37 +03:30
Ebrahim Byagowi 49341faee2 [fuzz] minor, move two fuzzer cases to their correct place 2020-02-12 19:17:18 +03:30
Ebrahim Byagowi 97229244eb [fuzzer] Fix hb-set-fuzzer minor overflow issue
Size shouldn't be smaller than the struct not its pointer size.

Fixes https://crbug.com/oss-fuzz/20655
2020-02-12 15:41:51 +03:30
Garret Rieger 7b42403c1c Add explicit values to the set fuzzer enums. 2020-02-11 13:25:44 -08:00
Garret Rieger e805923310 Add a few basic seeds for the set fuzzer. 2020-02-11 13:25:44 -08:00
Ebrahim Byagowi ff984ed3cd Use multiplication to avoid undefined behaviour per clang
Newer versions of MSVC with /we4146 don't like putting negative sign behind a
unsigned number as https://github.com/harfbuzz/harfbuzz/pull/2069
That however have made https://crbug.com/1050424 this complain:
  src/hb-ot-color-sbix-table.hh:304:28: runtime error: negation of -2147483648 cannot be represented in type 'int';
                                        cast to an unsigned type to negate this value to itself
which apparently can be fixed using this change.

Let's see if this won't make another ubsan complain!
2020-02-11 19:51:52 +03:30
Garret Rieger bca9bc6b92 Add hb-set-fuzzer.
It fuzzes all of the hb_set process methods (intersection, subtraction, union, and symmetric difference).
2020-02-11 03:08:39 +03:30
ckitagawa e128f80278 parent 777ba47b50
author ckitagawa <ckitagawa@chromium.org> 1579631743 -0500
committer ckitagawa <ckitagawa@chromium.org> 1580506176 -0500

[subset] Add CBLC support
2020-01-31 16:37:30 -05:00
ckitagawa ed857c4680 [subset] Add COLR support 2020-01-28 15:35:53 -05:00
Ebrahim Byagowi 5897697250
[test] Increase subset timeout
No random timeout please
2020-01-25 00:32:46 +03:30
ckitagawa-work 0e4b2676bd [subset] sbix fix missed offset is_null() check 2020-01-24 20:46:07 +03:30
ckitagawa 7dc341fe74 [subset] Fix UBSAN issue in sbix 2020-01-23 23:46:22 +03:30
ariza 1ab3924b31 refix PR #2087 subset PairPos1
also added oss-fuzz 20211 data fixed by this
2020-01-23 10:50:52 -08:00
ckitagawa b18cb5b5ee Add second fixed test 2020-01-22 10:11:15 -08:00
ckitagawa 8614a30bc9 [subset] Fix sbix fuzz problem 2020-01-22 10:11:15 -08:00
ckitagawa 6bcf57eaa3 Simplify copy and add fuzzing coverage 2020-01-15 13:36:01 -08:00
Ebrahim Byagowi dc03a993d0
Fix collect lookups logic of FeatureTableSubstitution (#2097)
https://crbug.com/oss-fuzz/20036
2020-01-12 14:21:29 +03:30
Ebrahim Byagowi a32ecc15ae
Fix collect lookups logic of FeatureVariationRecord
As "Offset to a feature table substitution table, from beginning of the FeatureVariations table."
from https://docs.microsoft.com/en-us/typography/opentype/spec/chapter2 the record should
match its sanitize logic not the reverse way.

Fixes https://crbug.com/oss-fuzz/20021 and https://crbug.com/oss-fuzz/20022
2020-01-11 15:37:24 +03:30
Michiharu Ariza d2ab1ec65b fixes oss-fuzz 19978: Null-dereference READ (#2091) 2020-01-10 07:54:16 +03:30
Ebrahim Byagowi 257a197ae7
Fail serialize when map has incorrect value
fixes https://crbug.com/oss-fuzz/19956

am not super happy with the fix, guess we should do some check
before the memcpy anyway as @blueshade7 thinks also,
so let's have it or revert it when we have a better approach for the case.
2020-01-09 22:55:45 +03:30
Ebrahim Byagowi 8ed46c3678
[fuzz] minor, add another already fixed case
https://crbug.com/oss-fuzz/19907
2020-01-07 23:43:53 +03:30
Ebrahim Byagowi 341407f7a5
[fuzz] minor, upload another fixed case
https://crbug.com/oss-fuzz/19878
2020-01-07 09:10:24 +03:30
Ebrahim Byagowi 7950beecfc
[subset] Fix null pointer dereference in hvar/vvar subset (#2085)
Rest of the code assumes there is at least one subtable, lets return here if not.

* https://crbug.com/oss-fuzz/19827
* https://crbug.com/oss-fuzz/19847
2020-01-06 21:25:00 +03:30
Ebrahim Byagowi 64a45be519
[ubsan] Don't decrease pointer if match_glyph_data is null (#2048)
Similar to fix on https://github.com/harfbuzz/harfbuzz/pull/2022

Fixes https://crbug.com/1023070
2019-11-09 12:25:33 +03:30
Ebrahim Byagowi 84b86a12d9
[fuzz] Remove just added case
It didn't fail locally but on bots causing timeout, let remove for now.
2019-11-06 09:22:34 +03:30
Ebrahim Byagowi a8f049c9a1
[fuzz] Upload testcase of https://crbug.com/oss-fuzz/18529
Apparently false alarm per last comment and was ok locally also but lets have it here also
2019-11-05 22:26:36 +03:30
Qunxin Liu defe9b6da0 crash fix : Heap-buffer-overflow READ 2
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18513
2019-10-25 13:09:47 -07:00
Qunxin Liu b2fcca6e14 fuzzer crash fix
https://oss-fuzz.com/testcase-detail/5643107869917184
2019-10-24 16:11:30 -07:00
Ebrahim Byagowi 9815ca0338 [ci] Use custom subset fuzzer timeout for failing sanitizer bots 2019-10-25 00:16:23 +03:30
Garret Rieger 95ab110cd9 Optimize intersects_array to fix fuzzer timeout. 2019-10-22 13:33:50 -07:00
Qunxin Liu b33a0d628e fuzzer crash fix: Null-dereference WRITE
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18363
2019-10-22 01:01:08 +03:30
Ebrahim Byagowi e766783152 [fuzz] Add https://crbug.com/oss-fuzz/17898 testcase 2019-10-21 22:17:06 +03:30
Garret Rieger 831daf4c76 Enforce HB_MAX_LANGSYS limit during layout subsetting. 2019-10-18 15:10:30 -07:00