[HarfBuzz] harfbuzz: Branch 'master' - 15 commits
Behdad Esfahbod
behdad at kemper.freedesktop.org
Thu Dec 6 18:28:04 UTC 2018
src/hb-cff-interp-dict-common.hh | 4 +-
src/hb-cff2-interp-cs.hh | 5 ++
src/hb-dsalgs.hh | 8 ++--
src/hb-open-type.hh | 8 ++--
src/hb-ot-cff1-table.hh | 2 -
src/hb-ot-cff2-table.hh | 3 +
src/hb-vector.hh | 18 ++++++++++
test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5686369209286656 |binary
test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5660711141769216 |binary
test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5710107829075968 |binary
10 files changed, 37 insertions(+), 11 deletions(-)
New commits:
commit 20245f0000a0f04f2ba172b51ce69ee7ebb256aa
Author: Behdad Esfahbod <behdad at behdad.org>
Date: Thu Dec 6 10:27:37 2018 -0800
Fix likely check
Ouch!
diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh
index 63ca685e..f35342c9 100644
--- a/src/hb-cff-interp-dict-common.hh
+++ b/src/hb-cff-interp-dict-common.hh
@@ -208,7 +208,7 @@ struct DictOpSet : OpSet<Number>
break;
case FRAC_PART:
- if (likely ((frac_part <= MAX_FRACT / 10)))
+ if (likely (frac_part <= MAX_FRACT / 10))
{
frac_part = (frac_part * 10) + (unsigned)d;
frac_count++;
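Review bot: The two corrected guards bound their accumulators in different shapes: the FRAC_PART case tests `frac_part <= MAX_FRACT / 10` before the multiply-add, which still admits a result of up to `(MAX_FRACT / 10) * 10 + 9`, i.e. as much as 9 above MAX_FRACT, while the EXP_PART case in the second hunk of this file tests the full value `exp_part * 10 + d <= MAX_EXP`. If MAX_FRACT is only an overflow guard the looser form is harmless; if it is a value bound, the fraction branch should use an overflow-free full test such as `if (likely (frac_part <= (MAX_FRACT - (unsigned)d) / 10))`. The definitions of MAX_FRACT, MAX_EXP and the type of d are outside the hunk, so this is inferred; the enclosing switch and function continue outside both hunks.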
@@ -216,7 +216,7 @@ struct DictOpSet : OpSet<Number>
break;
case EXP_PART:
- if (likely (exp_part * 10) + d <= MAX_EXP)
+ if (likely (exp_part * 10 + d <= MAX_EXP))
{
exp_part = (exp_part * 10) + d;
}
commit d866e905fd555d393464ed58d5fc11ee453c7ea4
Author: Behdad Esfahbod <behdad at behdad.org>
Date: Thu Dec 6 10:26:32 2018 -0800
Add default value to first argument of sub_array()
diff --git a/src/hb-dsalgs.hh b/src/hb-dsalgs.hh
index 1956bb9b..653dd6ac 100644
--- a/src/hb-dsalgs.hh
+++ b/src/hb-dsalgs.hh
@@ -588,8 +588,11 @@ struct hb_array_t
inline unsigned int get_size (void) const { return len * sizeof (Type); }
- inline hb_array_t<Type> sub_array (unsigned int start_offset, unsigned int *seg_count = nullptr /* IN/OUT */) const
+ inline hb_array_t<Type> sub_array (unsigned int start_offset = 0, unsigned int *seg_count = nullptr /* IN/OUT */) const
{
+ if (!start_offset && !seg_count)
+ return *this;
+
unsigned int count = len;
if (unlikely (start_offset > count))
count = 0;
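Review bot: The new fast path returns `*this` when neither argument is supplied, which is observably the same result the general path produces (count = len, no cap), so it is a pure shortcut; a one-line comment would stop the next reader from hunting for a semantic difference, e.g. `/* Fast path: no offset and no cap requested — the whole array. */`. That equivalence holds only as long as hb_array_t carries no state beyond arrayZ and len, which this hunk cannot confirm. sub_array's body continues past the end of the hunk.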
commit f1352f7486caaf6d3480ef2ac6b4719acf73e6a2
Author: Behdad Esfahbod <behdad at behdad.org>
Date: Thu Dec 6 10:21:06 2018 -0800
Add sub_array to hb_vector_t
diff --git a/src/hb-vector.hh b/src/hb-vector.hh
index 4b34a381..558fce1c 100644
--- a/src/hb-vector.hh
+++ b/src/hb-vector.hh
@@ -98,11 +98,29 @@ struct hb_vector_t
inline hb_array_t<const Type> as_array (void) const
{ return hb_array (arrayZ(), len); }
+ inline hb_array_t<const Type> sub_array (unsigned int start_offset, unsigned int count) const
+ { return as_array ().sub_array (start_offset, count);}
+ inline hb_array_t<const Type> sub_array (unsigned int start_offset, unsigned int *count = nullptr /* IN/OUT */) const
+ { return as_array ().sub_array (start_offset, count);}
+ inline hb_array_t<Type> sub_array (unsigned int start_offset, unsigned int count)
+ { return as_array ().sub_array (start_offset, count);}
+ inline hb_array_t<Type> sub_array (unsigned int start_offset, unsigned int *count = nullptr /* IN/OUT */)
+ { return as_array ().sub_array (start_offset, count);}
+
inline hb_sorted_array_t<Type> as_sorted_array (void)
{ return hb_sorted_array (arrayZ(), len); }
inline hb_sorted_array_t<const Type> as_sorted_array (void) const
{ return hb_sorted_array (arrayZ(), len); }
+ inline hb_array_t<const Type> sorted_sub_array (unsigned int start_offset, unsigned int count) const
+ { return as_sorted_array ().sorted_sub_array (start_offset, count);}
+ inline hb_array_t<const Type> sorted_sub_array (unsigned int start_offset, unsigned int *count = nullptr /* IN/OUT */) const
+ { return as_sorted_array ().sorted_sub_array (start_offset, count);}
+ inline hb_array_t<Type> sorted_sub_array (unsigned int start_offset, unsigned int count)
+ { return as_sorted_array ().sorted_sub_array (start_offset, count);}
+ inline hb_array_t<Type> sorted_sub_array (unsigned int start_offset, unsigned int *count = nullptr /* IN/OUT */)
+ { return as_sorted_array ().sorted_sub_array (start_offset, count);}
+
template <typename T> explicit_operator inline operator T * (void) { return arrayZ(); }
template <typename T> explicit_operator inline operator const T * (void) const { return arrayZ(); }
inline operator hb_array_t<Type> (void) { return as_array (); }
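Review bot: The four sorted_sub_array overloads declare their return type as hb_array_t, yet they forward to hb_sorted_array_t::sorted_sub_array; if that returns hb_sorted_array_t (as the name suggests, but its definition is not visible here), the declared type silently drops the sorted wrapper and callers lose bsearch on the result. The mismatch is inferred from naming; if confirmed, the fix is to change the return types to `hb_sorted_array_t<const Type>` and `hb_sorted_array_t<Type>` respectively. The non-const sub_array overloads also call as_array () on a non-const object while only the const as_array is visible in the hunk, so a non-const overload is presumed to exist above. struct hb_vector_t continues outside the hunk.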
commit ca23b719357b01e98a5cf533bbf637d6706a4ec2
Author: Behdad Esfahbod <behdad at behdad.org>
Date: Thu Dec 6 10:19:03 2018 -0800
Add default-value for second arg of sub_array()
diff --git a/src/hb-dsalgs.hh b/src/hb-dsalgs.hh
index dccca3cf..1956bb9b 100644
--- a/src/hb-dsalgs.hh
+++ b/src/hb-dsalgs.hh
@@ -588,16 +588,15 @@ struct hb_array_t
inline unsigned int get_size (void) const { return len * sizeof (Type); }
- inline hb_array_t<Type> sub_array (unsigned int start_offset, unsigned int *seg_count /* IN/OUT */) const
+ inline hb_array_t<Type> sub_array (unsigned int start_offset, unsigned int *seg_count = nullptr /* IN/OUT */) const
{
- if (!seg_count) return hb_array_t<Type> ();
-
unsigned int count = len;
if (unlikely (start_offset > count))
count = 0;
else
count -= start_offset;
- count = *seg_count = MIN (count, *seg_count);
+ if (seg_count)
+ count = *seg_count = MIN (count, *seg_count);
return hb_array_t<Type> (arrayZ + start_offset, count);
}
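Review bot: When start_offset exceeds len the function still returns `hb_array_t<Type> (arrayZ + start_offset, count)` with count = 0, so `arrayZ + start_offset` forms a pointer beyond one-past-the-end of the buffer; in C++ that arithmetic is undefined even though nothing is dereferenced, and an out-of-range offset is exactly what fuzzed fonts supply. Clamping the base keeps the empty result while staying in bounds: `return hb_array_t<Type> (arrayZ + MIN (start_offset, len), count);`. The later hb-dsalgs.hh hunk in this page (the one that defaults start_offset) shows only the top of this same function, so the return line is visible only here.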
inline hb_array_t<Type> sub_array (unsigned int start_offset, unsigned int seg_count) const
diff --git a/src/hb-open-type.hh b/src/hb-open-type.hh
index 69cc5ccf..b9d917d3 100644
--- a/src/hb-open-type.hh
+++ b/src/hb-open-type.hh
@@ -541,11 +541,11 @@ struct ArrayOf
inline hb_array_t<const Type> sub_array (unsigned int start_offset, unsigned int count) const
{ return as_array ().sub_array (start_offset, count);}
- inline hb_array_t<const Type> sub_array (unsigned int start_offset, unsigned int *count /* IN/OUT */) const
+ inline hb_array_t<const Type> sub_array (unsigned int start_offset, unsigned int *count = nullptr /* IN/OUT */) const
{ return as_array ().sub_array (start_offset, count);}
inline hb_array_t<Type> sub_array (unsigned int start_offset, unsigned int count)
{ return as_array ().sub_array (start_offset, count);}
- inline hb_array_t<Type> sub_array (unsigned int start_offset, unsigned int *count /* IN/OUT */)
+ inline hb_array_t<Type> sub_array (unsigned int start_offset, unsigned int *count = nullptr /* IN/OUT */)
{ return as_array ().sub_array (start_offset, count);}
inline bool serialize (hb_serialize_context_t *c,
@@ -812,11 +812,11 @@ struct SortedArrayOf : ArrayOf<Type, LenType>
inline hb_array_t<const Type> sub_array (unsigned int start_offset, unsigned int count) const
{ return as_array ().sub_array (start_offset, count);}
- inline hb_array_t<const Type> sub_array (unsigned int start_offset, unsigned int *count /* IN/OUT */) const
+ inline hb_array_t<const Type> sub_array (unsigned int start_offset, unsigned int *count = nullptr /* IN/OUT */) const
{ return as_array ().sub_array (start_offset, count);}
inline hb_array_t<Type> sub_array (unsigned int start_offset, unsigned int count)
{ return as_array ().sub_array (start_offset, count);}
- inline hb_array_t<Type> sub_array (unsigned int start_offset, unsigned int *count /* IN/OUT */)
+ inline hb_array_t<Type> sub_array (unsigned int start_offset, unsigned int *count = nullptr /* IN/OUT */)
{ return as_array ().sub_array (start_offset, count);}
template <typename T>
commit 6ad3fcddaf2ba8ebc9ad49ff9e7b33b60fcad16a
Merge: f95324a3 ae087d10
Author: Ebrahim Byagowi <ebrahim at gnu.org>
Date: Thu Dec 6 10:21:00 2018 +0330
Merge pull request #1458 from harfbuzz/cff-check-blends
[CFF] oss-fuzz issue 11714: set_blends
commit ae087d10c22249f3aec3239e4eac98a728f71f75
Author: Michiharu Ariza <ariza at adobe.com>
Date: Wed Dec 5 21:47:34 2018 -0800
add minimized test case for oss-fuzz issue 11714
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5710107829075968 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5710107829075968
new file mode 100644
index 00000000..5fef2f84
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5710107829075968 differ
commit 1ccbdcf73bbc967f5f94c0bc7f7e869bd87d9fa0
Merge: 14d29a10 f95324a3
Author: Michiharu Ariza <ariza at adobe.com>
Date: Wed Dec 5 21:37:38 2018 -0800
Merge branch 'master' into cff-check-blends
commit 14d29a10437205566c4bd7bcfa2282d34d9f4f2f
Author: Michiharu Ariza <ariza at adobe.com>
Date: Wed Dec 5 21:33:29 2018 -0800
check number of blends against args on stack
diff --git a/src/hb-cff2-interp-cs.hh b/src/hb-cff2-interp-cs.hh
index d258b814..18e84680 100644
--- a/src/hb-cff2-interp-cs.hh
+++ b/src/hb-cff2-interp-cs.hh
@@ -235,6 +235,11 @@ struct CFF2CSOpSet : CSOpSet<BlendArg, OPSET, CFF2CSInterpEnv, PARAM, PATH>
env.process_blend ();
k = env.get_region_count ();
n = env.argStack.pop_uint ();
+ if (unlikely (env.argStack.get_count () < ((k+1) * n)))
+ {
+ env.set_error ();
+ return;
+ }
/* copy the blend values into blend array of the default values */
unsigned int start = env.argStack.get_count () - ((k+1) * n);
for (unsigned int i = 0; i < n; i++)
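Review bot: The new guard compares the stack count against `(k+1) * n`, but n comes straight from the charstring via pop_uint and k from the region count, so if both are unsigned int (their declarations are outside the hunk) the product can wrap; a wrapped product passes the check and the `for (i < n)` loop below then walks far past the argument stack. Dividing instead of multiplying removes the overflow: `if (unlikely (k + 1 == 0 || env.argStack.get_count () / (k + 1) < n))`, since floor(count / (k+1)) < n is equivalent to count < (k+1) * n for k+1 > 0. The `start` computation on the following line uses the same product and is safe once the check holds. The enclosing op handler continues past the hunk.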
commit f95324a3351c1f699214ad84d073268218ea83a3
Merge: 6727c4b6 9d8f3b0d
Author: Ebrahim Byagowi <ebrahim at gnu.org>
Date: Thu Dec 6 08:33:44 2018 +0330
Merge pull request #1457 from harfbuzz/cff-varstore-sanitize
[CFF] oss-fuzz issue 11713 (CFF2VariationStore::serialize)
commit 6727c4b6f0356b08803b4d5cde608ec004e3533f
Merge: d9dabc00 34e3ef8f
Author: Behdad Esfahbod <behdad at behdad.org>
Date: Wed Dec 5 17:37:21 2018 -0800
Merge pull request #1456 from harfbuzz/cff-subr-sanitize
[CFF] fix oss-fuzz issue 11691 (BlendArg::set_blends)
commit 9d8f3b0dfbf39f5dfa25d52f47e8af6ad318eb17
Author: Michiharu Ariza <ariza at adobe.com>
Date: Wed Dec 5 17:14:51 2018 -0800
add minimized test case for oss-fuzz issue 11713
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5660711141769216 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5660711141769216
new file mode 100644
index 00000000..302a1c4e
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5660711141769216 differ
commit c31092ab34641072606f854408eb1bea18ed2507
Author: Michiharu Ariza <ariza at adobe.com>
Date: Wed Dec 5 17:04:55 2018 -0800
sanitize variationStore in CFF2 against its size
diff --git a/src/hb-ot-cff2-table.hh b/src/hb-ot-cff2-table.hh
index 178acf0b..de2b1b22 100644
--- a/src/hb-ot-cff2-table.hh
+++ b/src/hb-ot-cff2-table.hh
@@ -115,7 +115,7 @@ struct CFF2VariationStore
inline bool sanitize (hb_sanitize_context_t *c) const
{
TRACE_SANITIZE (this);
- return_trace (likely (c->check_struct (this)) && varStore.sanitize (c));
+ return_trace (likely (c->check_struct (this)) && c->check_range (&varStore, size) && varStore.sanitize (c));
}
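Review bot: The added `c->check_range (&varStore, size)` reads `size`, which is not visible in the hunk — presumably the table's own length field, already covered by the preceding check_struct thanks to the short-circuit order; a comment would make that dependency explicit, e.g. `/* check_struct has validated size; bound the embedded store by it before descending. */`. Whether `size` counts the varStore bytes alone or also includes the size field itself decides if this range is exact or one header short, and is worth confirming against the table layout.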
inline bool serialize (hb_serialize_context_t *c, const CFF2VariationStore *varStore)
commit 34e3ef8ff394f281b8d7e2c08f346a9495692edc
Merge: 72d8f763 d9dabc00
Author: Michiharu Ariza <ariza at adobe.com>
Date: Wed Dec 5 15:50:05 2018 -0800
Merge branch 'master' into cff-subr-sanitize
commit 72d8f76368b264a42fe58438fe15811d458a7935
Author: Michiharu Ariza <ariza at adobe.com>
Date: Wed Dec 5 15:49:11 2018 -0800
add minimized test case for oss-fuzz issue 11691
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5686369209286656 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5686369209286656
new file mode 100644
index 00000000..9f47ca8a
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5686369209286656 differ
commit 6dcfda92c17a7701479118751a8290246e9a3c05
Author: Michiharu Ariza <ariza at adobe.com>
Date: Wed Dec 5 15:07:46 2018 -0800
sanitize CFF1 & CFF2 global subrs
diff --git a/src/hb-ot-cff1-table.hh b/src/hb-ot-cff1-table.hh
index 39da8fa7..10ce8ff4 100644
--- a/src/hb-ot-cff1-table.hh
+++ b/src/hb-ot-cff1-table.hh
@@ -1067,7 +1067,7 @@ struct cff1
{ fini (); return; }
globalSubrs = &StructAtOffset<CFF1Subrs> (stringIndex, stringIndex->get_size ());
- if ((globalSubrs != &Null (CFF1Subrs)) && !stringIndex->sanitize (&sc))
+ if ((globalSubrs != &Null (CFF1Subrs)) && !globalSubrs->sanitize (&sc))
{ fini (); return; }
charStrings = &StructAtOffsetOrNull<CFF1CharStrings> (cff, topDict.charStringsOffset);
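Review bot: The corrected line now sanitizes globalSubrs instead of stringIndex, but the `globalSubrs != &Null (CFF1Subrs)` guard in front of it looks ineffective: globalSubrs is assigned two lines earlier through StructAtOffset, which — unlike the StructAtOffsetOrNull used for charStrings on the next line — shows no null-returning form here, so the comparison appears always true and the sanitize call is effectively unconditional. If that is intended (the Global Subr INDEX is part of the fixed CFF header sequence, though it may be empty), dropping the comparison, `if (unlikely (!globalSubrs->sanitize (&sc)))`, says so more plainly; if an absent INDEX is meant to be tolerated, the guard needs a form that can actually be false. The init function continues outside the hunk.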
diff --git a/src/hb-ot-cff2-table.hh b/src/hb-ot-cff2-table.hh
index 178acf0b..5b8e6c77 100644
--- a/src/hb-ot-cff2-table.hh
+++ b/src/hb-ot-cff2-table.hh
@@ -466,6 +466,7 @@ struct cff2
if (((varStore != &Null(CFF2VariationStore)) && unlikely (!varStore->sanitize (&sc))) ||
(charStrings == &Null(CFF2CharStrings)) || unlikely (!charStrings->sanitize (&sc)) ||
+ (globalSubrs == &Null(CFF2Subrs)) || unlikely (!globalSubrs->sanitize (&sc)) ||
(fdArray == &Null(CFF2FDArray)) || unlikely (!fdArray->sanitize (&sc)) ||
(((fdSelect != &Null(CFF2FDSelect)) && unlikely (!fdSelect->sanitize (&sc, fdArray->count)))))
{ fini (); return; }