[HarfBuzz] harfbuzz: Branch 'master' - 2 commits

Tue Jan 16 01:46:06 UTC 2018

src/hb-ot-layout-gsub-table.hh       |    5 ++---
 src/hb-ot-layout-gsubgpos-private.hh |    6 ++++--
 2 files changed, 6 insertions(+), 5 deletions(-)

New commits:
commit 949f6af2897b8982c81a059ea98e1c29bbce4772
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Mon Jan 15 20:44:10 2018 -0500

    Disallow sanitize recursing into Extension subtables multiple times
    
    Fixes https://oss-fuzz.com/v2/testcase-detail/5216838347653120
    which is a stack overflow, not by way of infinite recursion, just
    being deep.  That's disallowed anyway, so catch it as it happens,
    not afterwards.

diff --git a/src/hb-ot-layout-gsub-table.hh b/src/hb-ot-layout-gsub-table.hh
index 05758ed7..f483d752 100644
--- a/src/hb-ot-layout-gsub-table.hh
+++ b/src/hb-ot-layout-gsub-table.hh
@@ -1272,10 +1272,9 @@ struct SubstLookup : Lookup
     {
       /* The spec says all subtables of an Extension lookup should
        * have the same type, which shall not be the Extension type
-       * itself. This is specially important if one has a reverse type! */
+       * itself (but we already checked for that).
+       * This is specially important if one has a reverse type! */
       unsigned int type = get_subtable (0).u.extension.get_type ();
-      if (unlikely (type == SubstLookupSubTable::Extension))
-	return_trace (false);
       unsigned int count = get_subtable_count ();
       for (unsigned int i = 1; i < count; i++)
         if (get_subtable (i).u.extension.get_type () != type)
diff --git a/src/hb-ot-layout-gsubgpos-private.hh b/src/hb-ot-layout-gsubgpos-private.hh
index 0023b31c..a5cb105c 100644
--- a/src/hb-ot-layout-gsubgpos-private.hh
+++ b/src/hb-ot-layout-gsubgpos-private.hh
@@ -2230,7 +2230,9 @@ struct ExtensionFormat1
   inline bool sanitize (hb_sanitize_context_t *c) const
   {
     TRACE_SANITIZE (this);
-    return_trace (c->check_struct (this) && extensionOffset != 0);
+    return_trace (c->check_struct (this) &&
+		  extensionOffset != 0 &&
+		  extensionLookupType != T::LookupSubTable::Extension);
   }
 
   protected:
commit bcb6f1ae0a08e5c7af88a7affaad42a67c5adac5
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Mon Jan 15 20:34:05 2018 -0500

    Whitespace

diff --git a/src/hb-ot-layout-gsubgpos-private.hh b/src/hb-ot-layout-gsubgpos-private.hh
index caa4d379..0023b31c 100644
--- a/src/hb-ot-layout-gsubgpos-private.hh
+++ b/src/hb-ot-layout-gsubgpos-private.hh
@@ -2238,7 +2238,7 @@ struct ExtensionFormat1
   HBUINT16	extensionLookupType;	/* Lookup type of subtable referenced
 					 * by ExtensionOffset (i.e. the
 					 * extension subtable). */
-  HBUINT32		extensionOffset;	/* Offset to the extension subtable,
+  HBUINT32	extensionOffset;	/* Offset to the extension subtable,
 					 * of lookup type subtable. */
   public:
   DEFINE_SIZE_STATIC (8);
