walkero
/
harfbuzz
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
10,418 Commits 16 Branches 166 Tags 114 MiB
Commit Graph

100 Commits

Author SHA1 Message Date
Michiharu Ariza 5ab50eebd7
collect_unicodes() with clamp, calling add_range() 
Use add_range instead an inner loop, clamp its input number by
number of glyphs a face has.

Even the face cmap12 and 13 have 32-bit hb_codepoint_t, which is here
used to make timeout, face's maxp has 16-bit gid limitation at least for now,
using that makes sure we both fix and the timeout and don't need to change
much things here also in order to support 32-bit gids also someday.

Fixes #2204
 2020-02-29 13:02:29 +03:30
Garret Rieger 410b4881d0 [subset] Add fuzzer timeout testcase. 2020-02-28 16:10:14 -08:00
Ebrahim Byagowi e57ced5fc0
[gvar] Add other possibly fixed fuzzer case 
Speculatively should've been fixed by 61208401

https://crbug.com/oss-fuzz/20924 related
 2020-02-28 23:29:05 +03:30
Ebrahim Byagowi 758fda728b
[glyf] Don't accept gids higher than maxp's glyphs number 
This specially becomes concerning on sub-components where a gvar table
that is sanitized using maxp's glyphs number overflows when a high gid
accepted here goes to it, maybe an additional check can be put there
also, this however feels to be enough.

Fixes https://crbug.com/oss-fuzz/20944
 2020-02-28 23:19:06 +03:30
Ebrahim Byagowi e90213868b Revert "collect_unicodes() to check gid < num_glyphs with cmap 12" 
Didn't fix the case actually, making bots to fail.

This reverts commit 15b43a4104.
 2020-02-28 21:24:51 +03:30
Ebrahim Byagowi 61208401f4
[gvar] Use hb_bytes_t.check_range instead having in house one 
And use TupleVarHeader calculated size for validity check.

Fixes https://crbug.com/oss-fuzz/20919 and possibly other gvar related issues
 2020-02-28 21:09:07 +03:30
Michiharu Ariza 15b43a4104
collect_unicodes() to check gid < num_glyphs with cmap 12 
fixes #2204
 2020-02-28 20:15:39 +03:30
Ebrahim Byagowi 8eba66c1c6 [gvar] Fix invalid memory access by refactoring GlyphVarData fetch logic 
Fixes https://crbug.com/oss-fuzz/20906
 2020-02-27 20:26:54 +03:30
ariza a99134c5be add oss-fuzz 20886 test file 2020-02-26 09:58:03 -08:00
Ebrahim Byagowi 1c015d3e9f [fuzz] minor fuzzer case move, oops 2020-02-12 19:19:37 +03:30
Ebrahim Byagowi ff984ed3cd Use multiplication to avoid undefined behaviour per clang 
Newer versions of MSVC with /we4146 don't like putting negative sign behind a
unsigned number as https://github.com/harfbuzz/harfbuzz/pull/2069
That however have made https://crbug.com/1050424 this complain:
  src/hb-ot-color-sbix-table.hh:304:28: runtime error: negation of -2147483648 cannot be represented in type 'int';
                                        cast to an unsigned type to negate this value to itself
which apparently can be fixed using this change.

Let's see if this won't make another ubsan complain!
 2020-02-11 19:51:52 +03:30
ckitagawa e128f80278 parent 777ba47b50 
author ckitagawa <ckitagawa@chromium.org> 1579631743 -0500
committer ckitagawa <ckitagawa@chromium.org> 1580506176 -0500

[subset] Add CBLC support
 2020-01-31 16:37:30 -05:00
ckitagawa ed857c4680 [subset] Add COLR support 2020-01-28 15:35:53 -05:00
ckitagawa-work 0e4b2676bd [subset] sbix fix missed offset is_null() check 2020-01-24 20:46:07 +03:30
ckitagawa 7dc341fe74 [subset] Fix UBSAN issue in sbix 2020-01-23 23:46:22 +03:30
ariza 1ab3924b31 refix PR #2087 subset PairPos1 
also added oss-fuzz 20211 data fixed by this
 2020-01-23 10:50:52 -08:00
ckitagawa b18cb5b5ee Add second fixed test 2020-01-22 10:11:15 -08:00
ckitagawa 8614a30bc9 [subset] Fix sbix fuzz problem 2020-01-22 10:11:15 -08:00
ckitagawa 6bcf57eaa3 Simplify copy and add fuzzing coverage 2020-01-15 13:36:01 -08:00
Ebrahim Byagowi dc03a993d0
Fix collect lookups logic of FeatureTableSubstitution (#2097) 
https://crbug.com/oss-fuzz/20036
 2020-01-12 14:21:29 +03:30
Ebrahim Byagowi a32ecc15ae
Fix collect lookups logic of FeatureVariationRecord 
As "Offset to a feature table substitution table, from beginning of the FeatureVariations table."
from https://docs.microsoft.com/en-us/typography/opentype/spec/chapter2 the record should
match its sanitize logic not the reverse way.

Fixes https://crbug.com/oss-fuzz/20021 and https://crbug.com/oss-fuzz/20022
 2020-01-11 15:37:24 +03:30
Michiharu Ariza d2ab1ec65b fixes oss-fuzz 19978: Null-dereference READ (#2091) 2020-01-10 07:54:16 +03:30
Ebrahim Byagowi 257a197ae7
Fail serialize when map has incorrect value 
fixes https://crbug.com/oss-fuzz/19956

am not super happy with the fix, guess we should do some check
before the memcpy anyway as @blueshade7 thinks also,
so let's have it or revert it when we have a better approach for the case.
 2020-01-09 22:55:45 +03:30
Ebrahim Byagowi 8ed46c3678
[fuzz] minor, add another already fixed case 
https://crbug.com/oss-fuzz/19907
 2020-01-07 23:43:53 +03:30
Ebrahim Byagowi 341407f7a5
[fuzz] minor, upload another fixed case 
https://crbug.com/oss-fuzz/19878
 2020-01-07 09:10:24 +03:30
Ebrahim Byagowi 7950beecfc
[subset] Fix null pointer dereference in hvar/vvar subset (#2085) 
Rest of the code assumes there is at least one subtable, lets return here if not.

* https://crbug.com/oss-fuzz/19827
* https://crbug.com/oss-fuzz/19847
 2020-01-06 21:25:00 +03:30
Ebrahim Byagowi 64a45be519
[ubsan] Don't decrease pointer if match_glyph_data is null (#2048) 
Similar to fix on https://github.com/harfbuzz/harfbuzz/pull/2022

Fixes https://crbug.com/1023070
 2019-11-09 12:25:33 +03:30
Ebrahim Byagowi 84b86a12d9
[fuzz] Remove just added case 
It didn't fail locally but on bots causing timeout, let remove for now.
 2019-11-06 09:22:34 +03:30
Ebrahim Byagowi a8f049c9a1
[fuzz] Upload testcase of https://crbug.com/oss-fuzz/18529 
Apparently false alarm per last comment and was ok locally also but lets have it here also
 2019-11-05 22:26:36 +03:30
Qunxin Liu defe9b6da0 crash fix : Heap-buffer-overflow READ 2 
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18513
 2019-10-25 13:09:47 -07:00
Qunxin Liu b2fcca6e14 fuzzer crash fix 
https://oss-fuzz.com/testcase-detail/5643107869917184
 2019-10-24 16:11:30 -07:00
Garret Rieger 95ab110cd9 Optimize intersects_array to fix fuzzer timeout. 2019-10-22 13:33:50 -07:00
Qunxin Liu b33a0d628e fuzzer crash fix: Null-dereference WRITE 
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18363
 2019-10-22 01:01:08 +03:30
Ebrahim Byagowi e766783152 [fuzz] Add https://crbug.com/oss-fuzz/17898 testcase 2019-10-21 22:17:06 +03:30
Garret Rieger 831daf4c76 Enforce HB_MAX_LANGSYS limit during layout subsetting. 2019-10-18 15:10:30 -07:00
Ebrahim Byagowi d3b984d379 Revert in-house pow10 (d80a3ea) and fix oss-fuzz/16922 
Probably can be fixed but merging it was wrong so let's revert.
 2019-09-02 18:28:03 +04:30
Ebrahim Byagowi 875985cd48
[subset] Don't allow malicious fonts to insert unlimited table headers 
Fixes https://crbug.com/oss-fuzz/16810
 2019-08-29 14:51:22 +04:30
Ebrahim Byagowi 269a120f13
[subset] Raise the bar in new vs old table size 
https://crbug.com/oss-fuzz/16740

This is actually an interesting thing that {h,v}mtx allocates as
much as a font pretends to have glyphs but the solution is not
that obvious as regular fonts can have less than actually containing
metrics in their {h,v}mtx. This change raises the bar to consider this
hmtx 4 byte for every glyph case.

Initially we wanted to just find things allocating crazy amount of
memory but having the assert has led to interesting findings also
so let's don't remove the assert and see what we can find elsewhere.
 2019-08-25 20:37:00 +04:30
Ebrahim Byagowi 28aba780c4 [subset] Fix blob leak of _subset2 when returns early 
Fixes https://crbug.com/oss-fuzz/16639
 2019-08-24 16:11:21 +04:30
Ebrahim Byagowi b65bad18aa
[fuzz] Don't fail when blob is empty 
And enable more tests able to trig the issue.
 2019-07-11 14:31:55 +04:30
Michiharu Ariza 8341c0b304 add test case file 2019-06-27 08:43:31 -07:00
Michiharu Ariza 90872a29ee change assert(false) to failure 2019-06-11 12:42:28 -07:00
Michiharu Ariza 65e66a2d37 added test data 2019-06-03 16:31:41 -07:00
Qunxin Liu e1a5ce6aa6 Fix fuzzer crash testcase 
Add a check for stringOffSet(uint16) overflow,
return early if overflow happens
 2019-05-24 15:26:20 -04:00
Behdad Esfahbod 9ef241cd40 [test] Add one more 2019-05-20 11:38:02 -04:00
Behdad Esfahbod 3efb7af7e2 [STAT] Fix sanitize condition 
Oops!

Fixes https://oss-fuzz.com/testcase-detail/5696825891225600
 2019-05-20 11:37:16 -04:00
Behdad Esfahbod 25a5b287f2 Fix sanitize fail of extension sublookups 
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=960331
 2019-05-10 16:03:20 -07:00
Ebrahim Byagowi df237d2fe7
[test] Add https://crbug.com/oss-fuzz/14641 testcase 
As 503748d fix
 2019-05-08 14:17:14 -07:00
Ebrahim Byagowi 62c6e17072 [test] Add crbug.com/oss-fuzz/14474 testcase 
Fixed at 6977a95f
 2019-04-28 10:55:07 -07:00
Michiharu Ariza ba0386060d fix oss-fuzz issue 14345 2019-04-18 18:18:05 -04:00