[HarfBuzz] harfbuzz: Branch 'master'

Thu Nov 5 23:45:27 PST 2015

src/hb-buffer-private.hh |   11 +++++++++++
 src/hb-buffer.cc         |    8 ++++++++
 src/hb-ot-shape.cc       |    6 ++++++
 test/fuzzing/Makefile.am |    2 ++
 4 files changed, 27 insertions(+)

New commits:
commit 4301703bddb63a01651a0d58474bb15ac0ebbcf6
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Thu Nov 5 23:44:59 2015 -0800

    Limit buffer max size growth
    
    https://github.com/behdad/harfbuzz/issues/161

diff --git a/src/hb-buffer-private.hh b/src/hb-buffer-private.hh
index 721e718..8d9ae7c 100644
--- a/src/hb-buffer-private.hh
+++ b/src/hb-buffer-private.hh
@@ -35,6 +35,16 @@
 #include "hb-unicode-private.hh"
 
 
+#ifndef HB_BUFFER_MAX_EXPANSION_FACTOR
+#define HB_BUFFER_MAX_EXPANSION_FACTOR 32
+#endif
+#ifndef HB_BUFFER_MAX_LEN_MIN
+#define HB_BUFFER_MAX_LEN_MIN 8192
+#endif
+#ifndef HB_BUFFER_MAX_LEN_DEFAULT_
+#define HB_BUFFER_MAX_LEN_DEFAULT 0x3FFFFFFF /* Shaping more than a billion chars? Let us know! */
+#endif
+
 ASSERT_STATIC (sizeof (hb_glyph_info_t) == 20);
 ASSERT_STATIC (sizeof (hb_glyph_info_t) == sizeof (hb_glyph_position_t));
 
@@ -71,6 +81,7 @@ struct hb_buffer_t {
   hb_buffer_cluster_level_t cluster_level;
   hb_codepoint_t replacement; /* U+FFFD or something else. */
   hb_buffer_scratch_flags_t scratch_flags; /* Have space-flallback, etc. */
+  unsigned int max_len; /* Maximum allowed len. */
 
   /* Buffer contents */
   hb_buffer_content_type_t content_type;
diff --git a/src/hb-buffer.cc b/src/hb-buffer.cc
index f690769..5c71734 100644
--- a/src/hb-buffer.cc
+++ b/src/hb-buffer.cc
@@ -91,6 +91,11 @@ hb_buffer_t::enlarge (unsigned int size)
 {
   if (unlikely (in_error))
     return false;
+  if (unlikely (size > max_len))
+  {
+    in_error = true;
+    return false;
+  }
 
   unsigned int new_allocated = allocated;
   hb_glyph_position_t *new_pos = NULL;
@@ -715,6 +720,8 @@ hb_buffer_create (void)
   if (!(buffer = hb_object_create<hb_buffer_t> ()))
     return hb_buffer_get_empty ();
 
+  buffer->max_len = HB_BUFFER_MAX_LEN_DEFAULT;
+
   buffer->reset ();
 
   return buffer;
@@ -740,6 +747,7 @@ hb_buffer_get_empty (void)
     HB_BUFFER_CLUSTER_LEVEL_DEFAULT,
     HB_BUFFER_REPLACEMENT_CODEPOINT_DEFAULT,
     HB_BUFFER_SCRATCH_FLAG_DEFAULT,
+    HB_BUFFER_MAX_LEN_DEFAULT,
 
     HB_BUFFER_CONTENT_TYPE_INVALID,
     HB_SEGMENT_PROPERTIES_DEFAULT,
diff --git a/src/hb-ot-shape.cc b/src/hb-ot-shape.cc
index c4c1c7f..09e98b7 100644
--- a/src/hb-ot-shape.cc
+++ b/src/hb-ot-shape.cc
@@ -798,6 +798,11 @@ hb_ot_shape_internal (hb_ot_shape_context_t *c)
 {
   c->buffer->deallocate_var_all ();
   c->buffer->scratch_flags = HB_BUFFER_SCRATCH_FLAG_DEFAULT;
+  if (likely (!_hb_unsigned_int_mul_overflows (c->buffer->len, HB_BUFFER_MAX_EXPANSION_FACTOR)))
+  {
+    c->buffer->max_len = MAX (c->buffer->len * HB_BUFFER_MAX_EXPANSION_FACTOR,
+			      (unsigned) HB_BUFFER_MAX_LEN_MIN);
+  }
 
   /* Save the original direction, we use it later. */
   c->target_direction = c->buffer->props.direction;
@@ -827,6 +832,7 @@ hb_ot_shape_internal (hb_ot_shape_context_t *c)
 
   c->buffer->props.direction = c->target_direction;
 
+  c->buffer->max_len = HB_BUFFER_MAX_LEN_DEFAULT;
   c->buffer->deallocate_var_all ();
 }
 
diff --git a/test/fuzzing/Makefile.am b/test/fuzzing/Makefile.am
index 5bd6921..22e7a12 100644
--- a/test/fuzzing/Makefile.am
+++ b/test/fuzzing/Makefile.am
@@ -39,6 +39,8 @@ hb_fuzzer_CPPFLAGS = \
 	-DMAIN \
 	-DHB_MAX_NESTING_LEVEL=3 \
 	-DHB_SANITIZE_MAX_EDITS=3 \
+	-DHB_BUFFER_MAX_EXPANSION_FACTOR=3 \
+	-DHB_BUFFER_MAX_LEN_MIN=8 \
 	$(NULL)
 
 -include $(top_srcdir)/git.mk
