[HarfBuzz] harfbuzz: Branch 'master' - 12 commits

Behdad Esfahbod behdad at kemper.freedesktop.org
Wed Dec 5 23:39:45 UTC 2018 

 src/hb-cff-interp-dict-common.hh                                                    |   51 +++++++---
 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5672006905757696 |binary
 2 files changed, 37 insertions(+), 14 deletions(-)

New commits:
commit d9dabc00e9278a346e85538212c126da7e610d55
Merge: 81cfd3c7 010e2ddb
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Wed Dec 5 15:39:34 2018 -0800

    Merge pull request #1454 from harfbuzz/cff-fixbcd
    
    [CFF] fix oss-fuzz issue 11674: parse_bcd

commit 010e2ddb384b5a721172fd7466aafec58dbf8063
Author: Michiharu Ariza <ariza at adobe.com>
Date:   Wed Dec 5 12:23:58 2018 -0800

    minimized test case for oss-fuzz issue 11674

diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5672006905757696 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5672006905757696
new file mode 100644
index 00000000..cb5fb83d
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5672006905757696 differ
commit 2cb9d4c183afc838ecf2ba0d47814e9eaa6f09c6
Merge: a5fa843c 8394a6cb
Author: Michiharu Ariza <ariza at adobe.com>
Date:   Wed Dec 5 11:25:29 2018 -0800

    Merge branch 'master' into cff-fixbcd

commit a5fa843c746e20aaca48ece6cff057deb8d916ca
Author: Michiharu Ariza <ariza at adobe.com>
Date:   Wed Dec 5 11:18:16 2018 -0800

    fixed a bug with fractional part in a negative value

diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh
index 005e15e6..63ca685e 100644
--- a/src/hb-cff-interp-dict-common.hh
+++ b/src/hb-cff-interp-dict-common.hh
@@ -146,7 +146,11 @@ struct DictOpSet : OpSet<Number>
 	case END:
 	  value = (double)(neg? -int_part: int_part);
 	  if (frac_count > 0)
-	    value += (frac_part / pow (10.0, (double)frac_count));
+	  {
+	    double frac = (frac_part / pow (10.0, (double)frac_count));
+	    if (neg) frac = -frac;
+	    value += frac;
+	  }
 	  if (unlikely (exp_overflow))
 	  {
 	    if (value == 0.0)
commit 620d1ef588c6ce25644891cfe4b9c20fd8a9d1db
Author: Michiharu Ariza <ariza at adobe.com>
Date:   Wed Dec 5 00:36:11 2018 -0800

    fix unsigned long const

diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh
index 2c7a9710..005e15e6 100644
--- a/src/hb-cff-interp-dict-common.hh
+++ b/src/hb-cff-interp-dict-common.hh
@@ -115,7 +115,7 @@ struct DictOpSet : OpSet<Number>
     bool    exp_overflow = false;
     enum Part { INT_PART=0, FRAC_PART, EXP_PART } part = INT_PART;
     enum Nibble { DECIMAL=10, EXP_POS, EXP_NEG, RESERVED, NEG, END };
-    const uint64_t MAX_FRACT = 0xFFFFFFFFFFFFFlu; /* 1^52-1 */
+    const uint64_t MAX_FRACT = 0xFFFFFFFFFFFFFllu; /* 1^52-1 */
     const uint32_t MAX_EXP = 0x7FFu; /* 1^11-1 */
 
     double  value = 0.0;
commit 28dfb4c14280b05ad0a519f9df2b0eda41a62540
Author: Michiharu Ariza <ariza at adobe.com>
Date:   Wed Dec 5 00:26:03 2018 -0800

    fix signed/unsigned comparison

diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh
index d5376e84..2c7a9710 100644
--- a/src/hb-cff-interp-dict-common.hh
+++ b/src/hb-cff-interp-dict-common.hh
@@ -108,7 +108,7 @@ struct DictOpSet : OpSet<Number>
   {
     bool    neg = false;
     double  int_part = 0;
-    int64_t frac_part = 0;
+    uint64_t frac_part = 0;
     uint32_t  frac_count = 0;
     bool    exp_neg = false;
     uint32_t  exp_part = 0;
@@ -206,7 +206,7 @@ struct DictOpSet : OpSet<Number>
 	    case FRAC_PART:
 	      if (likely ((frac_part <= MAX_FRACT / 10)))
 	      {
-		frac_part = (frac_part * 10) + d;
+		frac_part = (frac_part * 10) + (unsigned)d;
 		frac_count++;
 	      }
 	      break;
commit f9cee08edd32182044407bf6ffde00df0feb09b7
Author: Michiharu Ariza <ariza at adobe.com>
Date:   Tue Dec 4 23:58:26 2018 -0800

    use sized int types in parse_bcd

diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh
index 0ffd4cec..d5376e84 100644
--- a/src/hb-cff-interp-dict-common.hh
+++ b/src/hb-cff-interp-dict-common.hh
@@ -108,19 +108,19 @@ struct DictOpSet : OpSet<Number>
   {
     bool    neg = false;
     double  int_part = 0;
-    long    frac_part = 0;
-    unsigned int  frac_count = 0;
+    int64_t frac_part = 0;
+    uint32_t  frac_count = 0;
     bool    exp_neg = false;
-    unsigned int  exp_part = 0;
+    uint32_t  exp_part = 0;
     bool    exp_overflow = false;
     enum Part { INT_PART=0, FRAC_PART, EXP_PART } part = INT_PART;
     enum Nibble { DECIMAL=10, EXP_POS, EXP_NEG, RESERVED, NEG, END };
-    const unsigned long MAX_FRACT = 0xFFFFFFFFFFFFFlu; /* 1^52-1 */
-    const unsigned int MAX_EXP = 0x7FFu; /* 1^11-1 */
+    const uint64_t MAX_FRACT = 0xFFFFFFFFFFFFFlu; /* 1^52-1 */
+    const uint32_t MAX_EXP = 0x7FFu; /* 1^11-1 */
 
     double  value = 0.0;
     unsigned char byte = 0;
-    for (unsigned int i = 0;; i++)
+    for (uint32_t i = 0;; i++)
     {
       char d;
       if ((i & 1) == 0)
commit c01a5f32a33fa875de68ca29a4672fd36a05245b
Author: Michiharu Ariza <ariza at adobe.com>
Date:   Tue Dec 4 23:23:23 2018 -0800

    refix

diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh
index f84f26cd..0ffd4cec 100644
--- a/src/hb-cff-interp-dict-common.hh
+++ b/src/hb-cff-interp-dict-common.hh
@@ -204,7 +204,7 @@ struct DictOpSet : OpSet<Number>
 	      break;
 
 	    case FRAC_PART:
-	      if (likely ((fract_part <= MAX_FRACT / 10)))
+	      if (likely ((frac_part <= MAX_FRACT / 10)))
 	      {
 		frac_part = (frac_part * 10) + d;
 		frac_count++;
commit 755fefc92113e469a1aadee2546958fede156c01
Author: Michiharu Ariza <ariza at adobe.com>
Date:   Tue Dec 4 23:18:28 2018 -0800

    fix bug

diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh
index 7eafc7c0..f84f26cd 100644
--- a/src/hb-cff-interp-dict-common.hh
+++ b/src/hb-cff-interp-dict-common.hh
@@ -204,7 +204,7 @@ struct DictOpSet : OpSet<Number>
 	      break;
 
 	    case FRAC_PART:
-	      if (likely ((frac_count <= MAX_FRACT / 10)))
+	      if (likely ((fract_part <= MAX_FRACT / 10)))
 	      {
 		frac_part = (frac_part * 10) + d;
 		frac_count++;
commit 0e81b153aff1f2e301e73ca1a15a9bc5b2e7bb82
Author: Michiharu Ariza <ariza at adobe.com>
Date:   Tue Dec 4 22:40:07 2018 -0800

    fix typo

diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh
index ace91bea..7eafc7c0 100644
--- a/src/hb-cff-interp-dict-common.hh
+++ b/src/hb-cff-interp-dict-common.hh
@@ -204,7 +204,7 @@ struct DictOpSet : OpSet<Number>
 	      break;
 
 	    case FRAC_PART:
-	      if (likely ((fract_count <= MAX_FRACT / 10)))
+	      if (likely ((frac_count <= MAX_FRACT / 10)))
 	      {
 		frac_part = (frac_part * 10) + d;
 		frac_count++;
commit 85d4b15cd88ce9a6ffccccf90300f9c184166058
Author: Michiharu Ariza <ariza at adobe.com>
Date:   Tue Dec 4 22:30:33 2018 -0800

    include float.h

diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh
index 62c87e94..ace91bea 100644
--- a/src/hb-cff-interp-dict-common.hh
+++ b/src/hb-cff-interp-dict-common.hh
@@ -28,6 +28,7 @@
 
 #include "hb-cff-interp-common.hh"
 #include <math.h>
+#include <float.h>
 
 namespace CFF {
 
commit 5a7c371e4c6f1775ebbfe120fafe92afe402a954
Author: Michiharu Ariza <ariza at adobe.com>
Date:   Tue Dec 4 22:24:38 2018 -0800

    check overflow & clamp

diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh
index 2822af40..62c87e94 100644
--- a/src/hb-cff-interp-dict-common.hh
+++ b/src/hb-cff-interp-dict-common.hh
@@ -105,16 +105,17 @@ struct DictOpSet : OpSet<Number>
 
   static inline double parse_bcd (SubByteStr& substr)
   {
-    double v = 0.0;
-
     bool    neg = false;
     double  int_part = 0;
     long    frac_part = 0;
     unsigned int  frac_count = 0;
     bool    exp_neg = false;
     unsigned int  exp_part = 0;
+    bool    exp_overflow = false;
     enum Part { INT_PART=0, FRAC_PART, EXP_PART } part = INT_PART;
     enum Nibble { DECIMAL=10, EXP_POS, EXP_NEG, RESERVED, NEG, END };
+    const unsigned long MAX_FRACT = 0xFFFFFFFFFFFFFlu; /* 1^52-1 */
+    const unsigned int MAX_EXP = 0x7FFu; /* 1^11-1 */
 
     double  value = 0.0;
     unsigned char byte = 0;
@@ -139,12 +140,21 @@ struct DictOpSet : OpSet<Number>
       {
 	case RESERVED:
 	  substr.set_error ();
-	  return v;
+	  return value;
 
 	case END:
 	  value = (double)(neg? -int_part: int_part);
 	  if (frac_count > 0)
 	    value += (frac_part / pow (10.0, (double)frac_count));
+	  if (unlikely (exp_overflow))
+	  {
+	    if (value == 0.0)
+	      return value;
+	    if (exp_neg)
+	      return neg? -DBL_MIN: DBL_MIN;
+	    else
+	      return neg? -DBL_MAX: DBL_MAX;
+	  }
 	  if (exp_part != 0)
 	  {
 	    if (exp_neg)
@@ -167,7 +177,7 @@ struct DictOpSet : OpSet<Number>
 	  if (part != INT_PART)
 	  {
 	    substr.set_error ();
-	    return v;
+	    return value;
 	  }
 	  part = FRAC_PART;
 	  break;
@@ -180,7 +190,7 @@ struct DictOpSet : OpSet<Number>
 	  if (part == EXP_PART)
 	  {
 	    substr.set_error ();
-	    return v;
+	    return value;
 	  }
 	  part = EXP_PART;
 	  break;
@@ -193,18 +203,26 @@ struct DictOpSet : OpSet<Number>
 	      break;
 
 	    case FRAC_PART:
-	      frac_part = (frac_part * 10) + d;
-	      frac_count++;
+	      if (likely ((fract_count <= MAX_FRACT / 10)))
+	      {
+		frac_part = (frac_part * 10) + d;
+		frac_count++;
+	      }
 	      break;
 
 	    case EXP_PART:
-	      exp_part = (exp_part * 10) + d;
+	      if (likely (exp_part * 10) + d <= MAX_EXP)
+	      {
+	      	exp_part = (exp_part * 10) + d;
+	      }
+	      else
+	      	exp_overflow = true;
 	      break;
 	  }
       }
     }
 
-    return v;
+    return value;
   }
 
   static inline bool is_hint_op (OpCode op)

More information about the HarfBuzz mailing list