[HarfBuzz] harfbuzz: Branch 'master' - 2 commits

Behdad Esfahbod behdad at kemper.freedesktop.org
Mon Feb 19 01:34:19 UTC 2018 

 src/Makefile.am                                                               |    2 +
 src/hb-aat-layout-common-private.hh                                           |    2 -
 src/hb-open-type-private.hh                                                   |   16 ++++++++--
 test/shaping/data/in-house/fonts/233c1e252e737ca79e03a9fd56b71aaa4a230f2b.ttf |binary
 test/shaping/data/in-house/tests/fuzzed.tests                                 |    1 
 5 files changed, 18 insertions(+), 3 deletions(-)

New commits:
commit e2d2d819848ed0ff1c60b9bde1f9c8f9495ec5b4
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Sun Feb 18 17:28:53 2018 -0800

    Limit how much work sanitize() can do
    
    Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6022

diff --git a/src/Makefile.am b/src/Makefile.am
index e3915bc8..161bdcb0 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -170,6 +170,8 @@ FUZZING_CPPFLAGS = \
 	-DHB_NDEBUG \
 	-DHB_MAX_NESTING_LEVEL=3 \
 	-DHB_SANITIZE_MAX_EDITS=3 \
+	-DHB_SANITIZE_MAX_OPS_FACTOR=3 \
+	-DHB_SANITIZE_MAX_OPS_MIN=128 \
 	-DHB_BUFFER_MAX_LEN_FACTOR=3 \
 	-DHB_BUFFER_MAX_LEN_MIN=8 \
 	-DHB_BUFFER_MAX_LEN_DEFAULT=128 \
diff --git a/src/hb-open-type-private.hh b/src/hb-open-type-private.hh
index 5263d6f9..080dcca1 100644
--- a/src/hb-open-type-private.hh
+++ b/src/hb-open-type-private.hh
@@ -189,6 +189,12 @@ struct hb_dispatch_context_t
 #ifndef HB_SANITIZE_MAX_EDITS
 #define HB_SANITIZE_MAX_EDITS 32
 #endif
+#ifndef HB_SANITIZE_MAX_OPS_FACTOR
+#define HB_SANITIZE_MAX_OPS_FACTOR 8
+#endif
+#ifndef HB_SANITIZE_MAX_OPS_MIN
+#define HB_SANITIZE_MAX_OPS_MIN 16384
+#endif
 
 struct hb_sanitize_context_t :
        hb_dispatch_context_t<hb_sanitize_context_t, bool, HB_DEBUG_SANITIZE>
@@ -196,7 +202,7 @@ struct hb_sanitize_context_t :
   inline hb_sanitize_context_t (void) :
 	debug_depth (0),
 	start (nullptr), end (nullptr),
-	writable (false), edit_count (0),
+	writable (false), edit_count (0), max_ops (0),
 	blob (nullptr),
 	num_glyphs (0) {}
 
@@ -221,6 +227,8 @@ struct hb_sanitize_context_t :
     this->start = hb_blob_get_data (this->blob, nullptr);
     this->end = this->start + hb_blob_get_length (this->blob);
     assert (this->start <= this->end); /* Must not overflow. */
+    this->max_ops = MAX ((unsigned int) (this->end - this->start) * HB_SANITIZE_MAX_OPS_FACTOR,
+			 (unsigned) HB_SANITIZE_MAX_OPS_MIN);
     this->edit_count = 0;
     this->debug_depth = 0;
 
@@ -244,7 +252,10 @@ struct hb_sanitize_context_t :
   inline bool check_range (const void *base, unsigned int len) const
   {
     const char *p = (const char *) base;
-    bool ok = this->start <= p && p <= this->end && (unsigned int) (this->end - p) >= len;
+    bool ok = this->max_ops-- > 0 &&
+	      this->start <= p &&
+	      p <= this->end &&
+	      (unsigned int) (this->end - p) >= len;
 
     DEBUG_MSG_LEVEL (SANITIZE, p, this->debug_depth+1, 0,
        "check_range [%p..%p] (%d bytes) in [%p..%p] -> %s",
@@ -308,6 +319,7 @@ struct hb_sanitize_context_t :
   const char *start, *end;
   bool writable;
   unsigned int edit_count;
+  mutable int max_ops;
   hb_blob_t *blob;
   unsigned int num_glyphs;
 };
diff --git a/test/shaping/data/in-house/fonts/233c1e252e737ca79e03a9fd56b71aaa4a230f2b.ttf b/test/shaping/data/in-house/fonts/233c1e252e737ca79e03a9fd56b71aaa4a230f2b.ttf
new file mode 100644
index 00000000..999f2962
Binary files /dev/null and b/test/shaping/data/in-house/fonts/233c1e252e737ca79e03a9fd56b71aaa4a230f2b.ttf differ
diff --git a/test/shaping/data/in-house/tests/fuzzed.tests b/test/shaping/data/in-house/tests/fuzzed.tests
index e1a39e4e..43a19334 100644
--- a/test/shaping/data/in-house/tests/fuzzed.tests
+++ b/test/shaping/data/in-house/tests/fuzzed.tests
@@ -20,3 +20,4 @@
 ../fonts/ef2511f215aa3ca847cbfffbf861793b42170875.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
 ../fonts/9d8a94a67932a3ab75a596fc8b5c6d0392ca9e49.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
 ../fonts/bbf4a308c402f0678c3e82844892a4da2ebe598f.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
+../fonts/233c1e252e737ca79e03a9fd56b71aaa4a230f2b.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
commit 7033fe5877c6f9500575f20f17135f74dc9c0547
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Sun Feb 18 17:12:04 2018 -0800

    [aat] Minor

diff --git a/src/hb-aat-layout-common-private.hh b/src/hb-aat-layout-common-private.hh
index fea3b094..7c0dfa8b 100644
--- a/src/hb-aat-layout-common-private.hh
+++ b/src/hb-aat-layout-common-private.hh
@@ -657,7 +657,7 @@ struct StateTableDriver
       if (unlikely (!c->transition (this, entry)))
         break;
 
-      last_was_dont_advance = (entry->flags & context_t::DontAdvance) && buffer->max_ops--;
+      last_was_dont_advance = (entry->flags & context_t::DontAdvance) && buffer->max_ops-- > 0;
 
       state = entry->newState;

More information about the HarfBuzz mailing list