[HarfBuzz] harfbuzz: Branch 'master' - 5 commits

Behdad Esfahbod behdad at kemper.freedesktop.org
Sat Nov 10 06:58:36 UTC 2018 

 src/hb-dsalgs.hh                                                                   |   15 +++-
 src/hb-ot-glyf-table.hh                                                            |    2 
 src/hb-ot-post-table.hh                                                            |   34 ++++------
 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5634443633491968 |binary
 4 files changed, 27 insertions(+), 24 deletions(-)

New commits:
commit 3a9fa8c026bf28bf87e20ec95327f74fd7070b74
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Sat Nov 10 01:56:37 2018 -0500

    [qsort] Fix O(N^2) behavior if all array elements are the same
    
    Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11327
    
    Reported as https://github.com/noporpoise/sort_r/issues/7

diff --git a/src/hb-dsalgs.hh b/src/hb-dsalgs.hh
index 9ccd7f25..ffa43870 100644
--- a/src/hb-dsalgs.hh
+++ b/src/hb-dsalgs.hh
@@ -356,7 +356,12 @@ hb_bsearch_r (const void *key, const void *base,
 }
 
 
-/* From https://github.com/noporpoise/sort_r */
+/* From https://github.com/noporpoise/sort_r
+ * With following modifications:
+ *
+ * 10 November 2018:
+ * https://github.com/noporpoise/sort_r/issues/7
+ */
 
 /* Isaac Turner 29 April 2014 Public Domain */
 
@@ -412,7 +417,7 @@ static inline void sort_r_simple(void *base, size_t nel, size_t w,
 
     /* Use median of first, middle and last items as pivot */
     char *x, *y, *xend, ch;
-    char *pl, *pr;
+    char *pl, *pm, *pr;
     char *last = b+w*(nel-1), *tmp;
     char *l[3];
     l[0] = b;
@@ -434,13 +439,15 @@ static inline void sort_r_simple(void *base, size_t nel, size_t w,
     pr = last;
 
     while(pl < pr) {
-      for(; pl < pr; pl += w) {
+      pm = pl+((pr-pl+1)>>1);
+      for(; pl < pm; pl += w) {
         if(sort_r_cmpswap(pl, pr, w, compar, arg)) {
           pr -= w; /* pivot now at pl */
           break;
         }
       }
-      for(; pl < pr; pr -= w) {
+      pm = pl+((pr-pl)>>1);
+      for(; pm < pr; pr -= w) {
         if(sort_r_cmpswap(pl, pr, w, compar, arg)) {
           pl += w; /* pivot now at pr */
           break;
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5634443633491968 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5634443633491968
new file mode 100644
index 00000000..c63bcc58
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5634443633491968 differ
commit b308aaccf0773e252880b9b887f3d3d1dec00168
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Sat Nov 10 00:37:17 2018 -0500

    [post] Minor

diff --git a/src/hb-ot-post-table.hh b/src/hb-ot-post-table.hh
index bbde8d83..77eef3f5 100644
--- a/src/hb-ot-post-table.hh
+++ b/src/hb-ot-post-table.hh
@@ -77,11 +77,11 @@ struct post
   {
     unsigned int post_prime_length;
     hb_blob_t *post_blob = hb_sanitize_context_t().reference_table<post>(plan->source);
-    hb_blob_t *post_prime_blob = hb_blob_create_sub_blob (post_blob, 0, post::static_size);
+    hb_blob_t *post_prime_blob = hb_blob_create_sub_blob (post_blob, 0, post::min_size);
     post *post_prime = (post *) hb_blob_get_data_writable (post_prime_blob, &post_prime_length);
     hb_blob_destroy (post_blob);
 
-    if (unlikely (!post_prime || post_prime_length != post::static_size))
+    if (unlikely (!post_prime || post_prime_length != post::min_size))
     {
       hb_blob_destroy (post_prime_blob);
       DEBUG_MSG(SUBSET, nullptr, "Invalid source post table with length %d.", post_prime_length);
@@ -109,7 +109,7 @@ struct post
       if (version != 0x00020000)
         return;
 
-      const postV2Tail &v2 = StructAfter<postV2Tail> (*table);
+      const postV2Tail &v2 = table->v2;
 
       glyphNameIndex = &v2.glyphNameIndex;
       pool = &StructAfter<uint8_t> (v2.glyphNameIndex);
@@ -255,14 +255,10 @@ struct post
   inline bool sanitize (hb_sanitize_context_t *c) const
   {
     TRACE_SANITIZE (this);
-    if (unlikely (!c->check_struct (this)))
-      return_trace (false);
-    if (version.to_int () == 0x00020000)
-    {
-      const postV2Tail &v2 = StructAfter<postV2Tail> (*this);
-      return_trace (v2.sanitize (c));
-    }
-    return_trace (true);
+    return_trace (likely (c->check_struct (this) &&
+			  (version.to_int () == 0x00010000 ||
+			   (version.to_int () == 0x00020000 && v2.sanitize (c)) ||
+			   version.to_int () == 0x00030000)));
   }
 
   public:
@@ -297,8 +293,8 @@ struct post
 					 * is downloaded as a Type 1 font. */
   HBUINT32	maxMemType1;		/* Maximum memory usage when an OpenType font
 					 * is downloaded as a Type 1 font. */
-/*postV2Tail	v2[VAR];*/
-  DEFINE_SIZE_STATIC (32);
+  postV2Tail	v2;
+  DEFINE_SIZE_MIN (32);
 };
 
 struct post_accelerator_t : post::accelerator_t {};
commit 4111c3b8cd1b1c44f722877614ec1ee25111e78c
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Sat Nov 10 00:26:36 2018 -0500

    [post] Move sanitize close to data fields

diff --git a/src/hb-ot-post-table.hh b/src/hb-ot-post-table.hh
index b7913773..bbde8d83 100644
--- a/src/hb-ot-post-table.hh
+++ b/src/hb-ot-post-table.hh
@@ -73,19 +73,6 @@ struct post
 {
   static const hb_tag_t tableTag = HB_OT_TAG_post;
 
-  inline bool sanitize (hb_sanitize_context_t *c) const
-  {
-    TRACE_SANITIZE (this);
-    if (unlikely (!c->check_struct (this)))
-      return_trace (false);
-    if (version.to_int () == 0x00020000)
-    {
-      const postV2Tail &v2 = StructAfter<postV2Tail> (*this);
-      return_trace (v2.sanitize (c));
-    }
-    return_trace (true);
-  }
-
   inline bool subset (hb_subset_plan_t *plan) const
   {
     unsigned int post_prime_length;
@@ -265,6 +252,19 @@ struct post
     hb_atomic_ptr_t<uint16_t *> gids_sorted_by_name;
   };
 
+  inline bool sanitize (hb_sanitize_context_t *c) const
+  {
+    TRACE_SANITIZE (this);
+    if (unlikely (!c->check_struct (this)))
+      return_trace (false);
+    if (version.to_int () == 0x00020000)
+    {
+      const postV2Tail &v2 = StructAfter<postV2Tail> (*this);
+      return_trace (v2.sanitize (c));
+    }
+    return_trace (true);
+  }
+
   public:
   FixedVersion<>version;		/* 0x00010000 for version 1.0
 					 * 0x00020000 for version 2.0
commit e26e6dbb336e48a5898738dbbd9e56e3a00b7bed
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Sat Nov 10 00:19:50 2018 -0500

    [post] Remove unnecessary hb_nonnull_ptr_t<>

diff --git a/src/hb-ot-post-table.hh b/src/hb-ot-post-table.hh
index 18f9976b..b7913773 100644
--- a/src/hb-ot-post-table.hh
+++ b/src/hb-ot-post-table.hh
@@ -259,7 +259,7 @@ struct post
     private:
     hb_blob_t *blob;
     uint32_t version;
-    hb_nonnull_ptr_t<const ArrayOf<HBUINT16> > glyphNameIndex;
+    const ArrayOf<HBUINT16> *glyphNameIndex;
     hb_vector_t<uint32_t, 1> index_to_offset;
     const uint8_t *pool;
     hb_atomic_ptr_t<uint16_t *> gids_sorted_by_name;
commit 6b8178c6499f8d0ee45a57332af778af0e48d1b5
Author: Ebrahim Byagowi <ebrahim at gnu.org>
Date:   Sat Nov 10 02:42:08 2018 +0330

    [glyf] minor

diff --git a/src/hb-ot-glyf-table.hh b/src/hb-ot-glyf-table.hh
index d2a39f23..0623be89 100644
--- a/src/hb-ot-glyf-table.hh
+++ b/src/hb-ot-glyf-table.hh
@@ -149,7 +149,7 @@ struct glyf
     };
 
     HBUINT16 flags;
-    HBUINT16 glyphIndex;
+    GlyphID  glyphIndex;
 
     inline unsigned int get_size (void) const
     {

More information about the HarfBuzz mailing list