[HarfBuzz] harfbuzz: Branch 'master'

Behdad Esfahbod behdad at kemper.freedesktop.org
Thu Nov 30 00:09:26 UTC 2017 

 src/hb-ot-layout-gsub-table.hh                                          |    6 ++++--
 test/shaping/fonts/sha1sum/9d8a94a67932a3ab75a596fc8b5c6d0392ca9e49.ttf |binary
 test/shaping/fonts/sha1sum/ef2511f215aa3ca847cbfffbf861793b42170875.ttf |binary
 test/shaping/tests/fuzzed.tests                                         |    2 ++
 4 files changed, 6 insertions(+), 2 deletions(-)

New commits:
commit 16fba5b2158a0e093e6df32637eba5058942e299
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Wed Nov 29 16:08:11 2017 -0800

    [ot] Fix Extension type recurse to disallow recursing to another Extension
    
    Particularly hazardous if the second layer mixes forward and backward lookups.
    
    Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4336

diff --git a/src/hb-ot-layout-gsub-table.hh b/src/hb-ot-layout-gsub-table.hh
index 4fb56c1a..28e0790e 100644
--- a/src/hb-ot-layout-gsub-table.hh
+++ b/src/hb-ot-layout-gsub-table.hh
@@ -1280,9 +1280,11 @@ struct SubstLookup : Lookup
     if (unlikely (get_type () == SubstLookupSubTable::Extension))
     {
       /* The spec says all subtables of an Extension lookup should
-       * have the same type.  This is specially important if one has
-       * a reverse type! */
+       * have the same type, which shall not be the Extension type
+       * itself. This is specially important if one has a reverse type! */
       unsigned int type = get_subtable (0).u.extension.get_type ();
+      if (unlikely (type == SubstLookupSubTable::Extension))
+	return_trace (false);
       unsigned int count = get_subtable_count ();
       for (unsigned int i = 1; i < count; i++)
         if (get_subtable (i).u.extension.get_type () != type)
diff --git a/test/shaping/fonts/sha1sum/9d8a94a67932a3ab75a596fc8b5c6d0392ca9e49.ttf b/test/shaping/fonts/sha1sum/9d8a94a67932a3ab75a596fc8b5c6d0392ca9e49.ttf
new file mode 100644
index 00000000..3fb9951b
Binary files /dev/null and b/test/shaping/fonts/sha1sum/9d8a94a67932a3ab75a596fc8b5c6d0392ca9e49.ttf differ
diff --git a/test/shaping/fonts/sha1sum/ef2511f215aa3ca847cbfffbf861793b42170875.ttf b/test/shaping/fonts/sha1sum/ef2511f215aa3ca847cbfffbf861793b42170875.ttf
new file mode 100644
index 00000000..6a3af465
Binary files /dev/null and b/test/shaping/fonts/sha1sum/ef2511f215aa3ca847cbfffbf861793b42170875.ttf differ
diff --git a/test/shaping/tests/fuzzed.tests b/test/shaping/tests/fuzzed.tests
index edac2856..bb2c32b1 100644
--- a/test/shaping/tests/fuzzed.tests
+++ b/test/shaping/tests/fuzzed.tests
@@ -17,3 +17,5 @@ fonts/sha1sum/b6acef662e0beb8d5fcf5b61c6b0ca69537b7402.ttf:--font-funcs=ot:U+004
 fonts/sha1sum/e88c339237f52d21e01c55f01b9c1b4cc14a0467.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
 fonts/sha1sum/243798dd281c1c77c065958e1ff467420faa9bde.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
 fonts/sha1sum/dd9f0c7c7c36f75a18be0cab1cddf8f3ab0f366b.ttf:--font-funcs=ot --no-positions --no-clusters --no-glyph-names:U+0041:[0|0|2|0|0|2|0|0|2|0|0|2|0|0|2|0|0|2|0|0|0|2|0|0|0|2|0|0|2|0|0|2|0|0|2|0|0|2|0|0|0|2|0|0|2|0|0|2|0|0|2|0]
+fonts/sha1sum/ef2511f215aa3ca847cbfffbf861793b42170875.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
+fonts/sha1sum/9d8a94a67932a3ab75a596fc8b5c6d0392ca9e49.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]

More information about the HarfBuzz mailing list