b051f3fa83
[subset] Fix cpal subsetting when there are partial palette overlaps.
...
The existing code doesn't correctly handle the case where palettes partially overlap in the color record array. This changes the subsetting to only share entries in the color record array when palettes have the same first color index. Partially overlapping palettes will be converted to disjoint segments in the color record array.
Updates one of the color tests to use multiple palettes.
Also fixes fuzzer: https://oss-fuzz.com/testcase-detail/5568200165687296 .
2022-05-09 12:25:05 -06:00
ca8a0f3ea3
[gvar] Protect against out-of-range access
...
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47281
Fixes https://oss-fuzz.com/testcase-detail/5508865908670464
2022-05-06 11:54:38 -06:00
a665e29ed7
[use] Avoid O(n^2) in the machine
...
Fixes https://github.com/harfbuzz/harfbuzz/issues/3502
2022-03-25 15:17:55 -06:00
03085132ba
[buffer] Fix out-buffer under memory-alloc failure
...
This was broken in July refactoring of the buffer, and exposed to
ReverseChainSingleSubstFormat1 in 3807061d63https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38800
https://bugs.chromium.org/p/chromium/issues/detail?id=1303552
2022-03-21 18:09:06 -06:00
151f205819
[draw] Emit move_to immediately, like other operators
2022-02-13 13:21:15 -06:00
f1a9a9ccaf
[draw-state] Pass state down to callbacks
2022-02-13 13:21:14 -06:00
1740916ede
[draw] Remove check for no-op
...
This is unnecessary overhead. Up to rasterizers to handle this. Plus,
this throws off point-numbers in uses that rely on it.
Disabled one test that broke with this.
2022-02-13 13:21:14 -06:00
8b4f429000
[draw] Virtualize hb_font_draw_glyph() into hb_font_get_glyph_shape()
...
To be implemented in hb-ft.
2022-02-13 13:21:14 -06:00
2bed4f46fb
[draw] Fix draw signatures
2022-02-13 13:21:14 -06:00
08e1096609
[draw-fuzzer] Fix signatures
2022-02-13 13:21:14 -06:00
e0ac6c587b
Remove remaining traces of HB_EXPERIMENTAL_API
2022-02-13 13:21:14 -06:00
b263371b09
Merge pull request #3398 from harfbuzz/buffer-verify
...
Add HB_BUFFER_FLAG_VERIFY
2022-02-12 15:06:47 -06:00
af407dd24d
Add a fuzzer font
2022-02-12 14:22:35 -06:00
4e2f409bce
[subset] Don't hold references to members of the active_glyph_stack.
...
These references may get invalidated after the vector for the stack is resized. Fixes: https://oss-fuzz.com/testcase-detail/5422577634377728
2022-01-31 22:58:53 +02:00
61856359cb
[fuzz] Disable verification for now.
2022-01-28 14:07:29 -07:00
6596e42d16
[fuzz] Verify shape results
2022-01-28 13:55:24 -07:00
e2e305066a
Fix various typos
...
Found via `codespell -q 3 -S ./perf/texts -L actualy,ba,beng,fo,gir,inout,nd,ot,pres,ro,te,teh,timne`
2022-01-16 05:39:03 -08:00
87496bf63e
[subset] fix fuzzer timeout if visisted_paint goes into error.
2022-01-13 11:08:24 -08:00
067f90a820
[subset] Fix for fuzzer timeout.
...
Fixes https://oss-fuzz.com/testcase-detail/5549945449480192
In prune_langsys: move LangSys visited check up before any work is done for a LangSys. In this particular case the compare() method is responsible for the majority of the time spent and wasn't being guarded with a visisted check.
2021-12-14 17:34:21 -07:00
c4573c2ec7
[repacker] don't infinite loop if visited or roots is in error.
...
Fixes https://oss-fuzz.com/testcase-detail/5205038086094848
2021-12-14 15:57:48 -07:00
69d8f27c69
[meson] Require 0.55.0
...
We implicitly require it for building ragel subproject. This new version
requirement should satisfied in both Fedora 33 and Debian bullseye, and
not be too cutting edge for us.
2021-11-22 03:11:36 +02:00
ace98cc65f
[subset] Only sanitize recursion depth in COLR.
2021-11-10 10:34:46 -07:00
f51b48c8e7
[subset] Fix fuzzer found memory leak.
...
Happens because an insert into a map with an invalid key reports successful, but this causes the set being inserted to be lost.
2021-11-02 17:00:07 -07:00
0a7563a53f
[subset] fuzzer fix: https://oss-fuzz.com/testcase?key=6254792024915968
...
Make sure input is valid, each gid has a corresponding offset value in
the map
2021-11-02 15:25:18 -07:00
85deddb16e
[subset] fuzzer fix: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40406
2021-10-27 16:16:15 -07:00
794b00db4b
[subset] fuzzer fix: https://oss-fuzz.com/testcase-detail/6616166961905664
2021-09-29 10:29:06 -06:00
74f96d9d4b
[repacker] fix heap use after free in repacker.
...
Don't store a reference to the link in overflow records as the link object may be freed if the sorted graph vector is resized.
2021-09-19 09:06:17 -06:00
fb07f8f876
During subset input creation check for set alloc failures and fail if encountered.
2021-08-24 10:59:14 -06:00
dc31920bbe
Don't serialize null offsets in CPAL.
...
Fixes https://oss-fuzz.com/testcase-detail/5443213648330752
2021-08-18 16:52:45 -06:00
c0f3af91b8
[subset] speed up add_gid_and_children and adjust op limit.
...
Fix for fuzzer timeout: https://oss-fuzz.com/testcase-detail/5001604901240832 .
- Operation limit is per glyph, so 100,000 should still be far more than needed.
- Switches from for(...) to while(...) loop for iteration. for(...) calls it.end() which in this case triggers a complete iteration.
- Cache CompositeGlyph size in the iterator to avoid needing to recalculate it.
2021-08-12 14:50:42 -06:00
c08f1b8903
[map] fix incorrect population count in hash map.
...
If the same key was set twice the population was being incorrectly incremented.
2021-08-10 14:00:55 -06:00
8c0c217b5a
[subset] fail reference blob in face builder if allocation for table sorting fails.
...
Fixes https://oss-fuzz.com/testcase-detail/5041767803125760
2021-08-06 15:54:41 -06:00
5086e10538
[test] Add failing fuzzer test case
...
From https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36236
https://oss-fuzz.com/testcase-detail/5061207689134080
2021-08-04 11:55:53 -06:00
f9d8e4a976
[subset] switch ..._set_flags to not take a mask.
2021-07-29 18:30:27 -07:00
3d534b146c
[subset] convert subset input flags into bit flags.
...
Store the flags in a bit set. Updates the public api to work with the bit set directly.
2021-07-29 18:02:34 -07:00
0ded6a70c8
[subset] Fix another fuzzer issue
...
Addition could overflow on 32bit arch.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36636
Fixes https://oss-fuzz.com/testcase-detail/5072358514753536
2021-07-28 11:35:27 -06:00
09474d8d7b
[subset] Fix fuzzer timeout in add_gid_and_children.
...
The composite glyph graph isn't check for max operations by sanitize so track an operations count during the graph traversal.
2021-07-27 13:30:06 -06:00
c68a00b92e
[subset] Fix possible overflows in VarRegionList serialize
...
Fixes https://oss-fuzz.com/testcase-detail/5362189182566400
2021-07-27 13:28:09 -06:00
9ab751ac9f
[subset] Remove hb_subset(). Leaving just hb_subset_or_fail().
2021-07-22 12:14:47 -07:00
942636ae13
[subset] Remove hb_subset_input_get/set_retain_gids.
2021-07-22 12:12:36 -07:00
8bf5d4d4f7
[subset] Remove hb_subset_input_get/set_drop_hints.
2021-07-22 12:12:36 -07:00
7416faceeb
[subset] fuzzer fix: https://oss-fuzz.com/testcase-detail/5715464591376384
2021-07-08 09:09:30 -07:00
bc06af977f
[subset] speed up feature collection when tags are specified.
...
Precompute a feature index filter to avoid needing to iterate the feature tag list for each encountered feature index. For this particular fuzzer case speeds up feature collection from 50s to 2s.
2021-06-20 17:45:19 -07:00
675ebbeb3a
[subset] don't alloc zero bytes.
...
It will be leaked later since hb_blob_create() won't set up the blob to cleanup since it has length zero.
2021-06-16 17:35:39 -06:00
bdfed8f113
[blob] Add failing versions of create API
...
Fixes https://github.com/harfbuzz/harfbuzz/issues/2567
New API:
+hb_blob_create_or_fail()
+hb_blob_create_from_file_or_fail()
Use these in util/ to distinguish empty file from not-found file.
Only err on the latter.
2021-06-15 13:56:30 -06:00
35d6af6943
[subset] fix fuzzer testcase: https://oss-fuzz.com/testcase-detail/5965777994907648
2021-06-04 18:16:23 -06:00
1b6008ca62
fix fuzzer testcase: https://oss-fuzz.com/testcase-detail/5417934246772736
2021-06-02 17:32:16 -06:00
7ab0f4eda9
fuzzer fix
2021-05-31 12:44:33 -06:00
425ba1f4ab
[subset] fixes infinite loop in hb_set_get_max().
...
Fixes https://oss-fuzz.com/testcase-detail/5363902507515904
2021-04-20 13:18:07 -06:00
ec4321068b
[subset] fix infinite loop caused by alloc failure in repacker.
...
Fixes: https://oss-fuzz.com/testcase-detail/5609112151916544 .
2021-04-20 13:18:07 -06:00
0e845d973e
[subset] fix memory leak in repacker caused by failed alloc.
...
Fixes: https://oss-fuzz.com/testcase-detail/5616763250278400 .
2021-04-20 13:18:07 -06:00
3fb62cdc14
[subset] fail on offset overflow in tables that we don't repack.
...
Fixes: https://oss-fuzz.com/testcase-detail/5229304507138048
2021-04-19 17:01:05 -06:00
9dc9f0385d
[subset] fix for fuzzer testcase: https://oss-fuzz.com/testcase-detail/5858518134554624
2021-04-09 11:07:28 -06:00
4af5dacedc
[subset] add fuzzer testcase
2021-04-07 13:02:04 -06:00
64122b5a44
[subset] don't visit lookup if covered glyph set has failed.
...
If covered glyph set is in error then the same lookup can be recursed into repeatedly potentially causing a fuzzer timeout. Fixes: https://oss-fuzz.com/testcase-detail/5416421032067072 .
2021-04-06 12:34:44 -06:00
71d6d15600
[subset] clamp distance to prevent shifting outside of the limits of int64.
...
Fixes https://oss-fuzz.com/testcase-detail/4961171477233664 .
2021-04-06 11:48:39 -06:00
c5c13006a1
[subset] fix memory leaks found in https://oss-fuzz.com/testcase-detail/5179935334465536
2021-03-31 12:37:45 -06:00
adca4ce071
[subset] fixes https://oss-fuzz.com/testcase-detail/6173520787800064 .
...
Caused by incorrect bounds check in glyph closure for context lookups.
2021-03-30 15:44:41 -06:00
752e393ad2
[subset] avoid calling clear on null pool set.
2021-03-30 15:12:52 -06:00
8741914a80
[subset] fix memory leak when map insert fails.
2021-03-29 18:02:32 -06:00
5b6da6d2f0
[subset] add fuzzer test case.
2021-03-29 17:41:07 -06:00
a804a0c903
[subset] add fuzzer test case.
2021-03-29 17:15:22 -06:00
f2d08578e7
[tests] Increase shape-fuzzer timeout
2021-03-16 01:15:40 +02:00
5ca353a2d0
[subset] fix heap buffer overflow found by fuzzer.
2021-02-16 12:43:02 -07:00
33a0f0b686
[test] Remove fuzzed test font that triggers virus alert
...
Fixes https://github.com/harfbuzz/harfbuzz/issues/2750
2021-02-09 12:55:45 -07:00
f94bf9f06f
[set fuzzer] limit the total number of set members in a fuzzing input.
...
Currently the fuzzer can create arbitarily long inputs which once big enough will trigger a timeout.
2021-01-26 10:22:07 -08:00
a4c3732f59
[ENOMEM] fix set clear() causing corruption if the set is in_error().
2021-01-21 12:12:05 -07:00
84dd65a874
[test] Remove timeout from test runners
...
See https://github.com/harfbuzz/harfbuzz/issues/2707#issuecomment-707744079
This wasn’t inconsistent as well, HB_TEST_SUBSET_FUZZER_TIMEOUT defaulted
to 12 in the test runner, but it was overridden to 50 in meson.build,
and then meson has its own test timeout.
2020-10-15 00:49:02 -07:00
bbbcad0dbb
Revert "[ENOMEM] don't perform set process operations if the other set is in an error state."
...
This reverts commit f3929abafe
2020-09-16 12:23:38 -06:00
f3929abafe
[ENOMEM] don't perform set process operations if the other set is in an error state.
...
Running a process while the other set is in an error state can potentially corrupt this sets map map (for example by overwritting all of the major values with 0).
2020-09-16 10:36:30 -07:00
8c3d4de796
[subset] Fix integer underflow in ContextFormat2.
2020-09-11 15:52:46 -07:00
9825e3dd2e
[ENOMEM] fix access to unitialized memory.
...
If the serialize() call fails to write the object then we can't safely read varstore_prime fields. Fixes https://oss-fuzz.com/testcase-detail/5137462782066688 .
2020-09-02 11:01:07 -07:00
1e48225ca3
[ENOMEM] Check whether serialize context isn't in error
2020-08-13 23:22:14 +04:30
6e32145dc9
[meson] Make compatbile with 0.47.0
2020-08-13 18:28:42 +04:30
9562239f05
[ENOMEM] check for error in lookup visited set.
2020-08-13 01:43:11 +04:30
6f754852c1
[ENOMEM] skip asserts in to_bias if serializer is in an error state.
2020-08-12 11:25:30 +04:30
057769b1a3
[fuzzer] minor
2020-08-12 02:40:55 +04:30
0417938011
[fuzzer] Mark alloc_state as unused
...
It is really unused when failing-alloc isn't on.
2020-08-12 02:40:55 +04:30
5193357832
Revert "Remove autotools build support"
...
This reverts commit 01ac32aab2
2020-08-11 23:51:59 +04:30
ffe06c8f04
[glyf] Guard all the public APIs against null pool runs
...
Fixes https://crbug.com/oss-fuzz/24575 and https://crbug.com/oss-fuzz/24737
2020-08-08 13:43:49 +04:30
01ac32aab2
Remove autotools build support
2020-08-07 23:28:12 +04:30
679fac87df
Skip hb_shape if buffer object is immutable
2020-08-06 23:47:35 +04:30
18ab8029d5
[ENOMEM] check vector status in cmap subsetting.
2020-08-02 00:30:17 +04:30
06dbb6acbb
[ENOMEM] in GSUB ChainContext subsetting check maps for allocation errors.
2020-08-01 09:21:22 +04:30
fb1477795c
[ENOMEM] Check result of vector resize in CBDT subsetting.
2020-08-01 09:20:52 +04:30
efd716de3f
[cff] Check for scalars array resize result
...
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24504
2020-07-31 09:27:27 +04:30
040ed094ef
[ENOMEM] popragate packed/packed_map errors to the serializer.
...
Will disable further modifications based on a bad state.
2020-07-31 08:39:26 +04:30
7f358a55f4
[ENOMEM] unchecked resize in CFF2.
2020-07-31 02:04:06 +04:30
32f052b033
[ENOMEM] Fix several instances of not checking resize in CFF.
2020-07-31 02:04:06 +04:30
15644ee60e
[ENOMEM] fix memory leak if allocation fails during pop_pack().
2020-07-30 04:15:35 +04:30
42237adffc
[ENOMEM] make serializer modification operations no-ops if it's in an error state.
2020-07-30 03:59:49 +04:30
4ba8e3c6fd
[ENOMEM] Fix failure to check calloc return.
...
Fixes https://oss-fuzz.com/testcase-detail/6246465148813312 .
2020-07-30 00:08:08 +04:30
d307c24abf
[ENOMEM] check resize() return.
...
Fixes https://oss-fuzz.com/testcase-detail/5641892164009984 .
2020-07-30 00:08:08 +04:30
48ad745996
[ENOMEM] Fix buffer's content check logic
...
So now rest of shape fuzzer also can be enabled.
Fixes #2571
2020-07-29 08:09:10 +04:30
c33e8006fd
[fuzz] Implement failing allocator
2020-07-29 07:35:34 +04:30
5c46683ab8
[fuzz] increase shape fuzzer timeout
...
as https://circleci.com/gh/harfbuzz/harfbuzz/149203
2020-07-22 17:23:22 +04:30
945bcd7230
minor
2020-07-15 09:54:32 +04:30
fa0436ddd1
[ENOMEM][fuzzer/subset] early return if the result is null
...
I don't see _or_fail APIs idiomatic for the project but since it is there, let's have this
2020-07-15 09:52:40 +04:30
11d583a9ea
[aat] Consume glyph insertion from buffer's max_ops ( #2223 )
...
Glyph insertion is an expensive operation and we like to have it limited
based on buffer's input size which is handled by buffer's max_ops.
clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5754958982021120:
Before the change: 0.67s user 0.00s system 99% cpu 0.674 total
After the change: 0.02s user 0.00s system 98% cpu 0.024 total
Which takes much longer on valgrind and tsan bots.
2020-07-13 18:53:06 -07:00
cd6f62d960
[meson] Raise timeout value of subset fuzzer testcases
...
happens when tsan is enabled
2020-07-12 23:05:11 +04:30
Garret Rieger
Behdad Esfahbod
luz paz
Khaled Hosny
Qunxin Liu
Khaled Hosny
ebraminio