[HarfBuzz] harfbuzz: Branch 'master' - 3 commits

Behdad Esfahbod behdad at kemper.freedesktop.org
Mon Nov 12 18:02:55 UTC 2018 

 src/hb-aat-layout-kerx-table.hh                                                    |    2 
 src/hb-ot-shape.cc                                                                 |   26 +++++-----
 src/hb-ot-shape.hh                                                                 |   15 +++--
 src/hb-shape-plan.cc                                                               |   25 +++++----
 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5691469793329152 |binary
 5 files changed, 36 insertions(+), 32 deletions(-)

New commits:
commit a549aa14a0b60436a16f7f8924a5b5f82b4d5b7e
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Mon Nov 12 13:01:22 2018 -0500

    [kerx] Protect against stack underflow
    
    Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11367

diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh
index 6b61186a..4e6c6e40 100644
--- a/src/hb-aat-layout-kerx-table.hh
+++ b/src/hb-aat-layout-kerx-table.hh
@@ -260,7 +260,7 @@ struct KerxSubTableFormat1
 	  depth = 0; /* Probably not what CoreText does, but better? */
       }
 
-      if (Format1EntryT::performAction (entry))
+      if (depth && Format1EntryT::performAction (entry))
       {
 	unsigned int tuple_count = MAX (1u, table->header.tuple_count ());
 
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5691469793329152 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5691469793329152
new file mode 100644
index 00000000..6c739000
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5691469793329152 differ
commit 3e284e02c2a5da758526360a45364a330b8ab8e9
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Sun Nov 11 22:51:34 2018 -0500

    [shape-plan] Minor

diff --git a/src/hb-ot-shape.cc b/src/hb-ot-shape.cc
index 44cf3907..2500bcb8 100644
--- a/src/hb-ot-shape.cc
+++ b/src/hb-ot-shape.cc
@@ -68,11 +68,12 @@ _hb_apply_morx (hb_face_t *face)
 	 hb_aat_layout_has_substitution (face);
 }
 
-hb_ot_shape_planner_t::hb_ot_shape_planner_t (const hb_shape_plan_t *master_plan) :
-						face (master_plan->face_unsafe),
-						props (master_plan->props),
-						map (face, &props),
-						aat_map (face, &props),
+hb_ot_shape_planner_t::hb_ot_shape_planner_t (hb_face_t                     *face,
+					      const hb_segment_properties_t *props) :
+						face (face),
+						props (*props),
+						map (face, props),
+						aat_map (face, props),
 						apply_morx (_hb_apply_morx (face)),
 						shaper (apply_morx ?
 						        &_hb_ot_complex_shaper_default :
@@ -148,18 +149,19 @@ hb_ot_shape_planner_t::compile (hb_ot_shape_plan_t &plan,
 }
 
 bool
-hb_ot_shape_plan_t::init0 (hb_shape_plan_t    *shape_plan,
-			   const hb_feature_t *user_features,
-			   unsigned int        num_user_features,
-			   const int          *coords,
-			   unsigned int        num_coords)
+hb_ot_shape_plan_t::init0 (hb_face_t                     *face,
+			   const hb_segment_properties_t *props,
+			   const hb_feature_t            *user_features,
+			   unsigned int                   num_user_features,
+			   const int                     *coords,
+			   unsigned int                   num_coords)
 {
   map.init ();
   aat_map.init ();
 
-  hb_ot_shape_planner_t planner (shape_plan);
+  hb_ot_shape_planner_t planner (face, props);
 
-  hb_ot_shape_collect_features (&planner, &shape_plan->props,
+  hb_ot_shape_collect_features (&planner, props,
 				user_features, num_user_features);
 
   planner.compile (*this, coords, num_coords);
diff --git a/src/hb-ot-shape.hh b/src/hb-ot-shape.hh
index 049830a6..9753752a 100644
--- a/src/hb-ot-shape.hh
+++ b/src/hb-ot-shape.hh
@@ -73,12 +73,12 @@ struct hb_ot_shape_plan_t
   inline void substitute (hb_font_t *font, hb_buffer_t *buffer) const { map.substitute (this, font, buffer); }
   inline void position (hb_font_t *font, hb_buffer_t *buffer) const { map.position (this, font, buffer); }
 
-  HB_INTERNAL bool init0 (hb_shape_plan_t    *shape_plan,
-			  const hb_feature_t *user_features,
-			  unsigned int        num_user_features,
-			  const int          *coords,
-			  unsigned int        num_coords);
-
+  HB_INTERNAL bool init0 (hb_face_t                     *face,
+			  const hb_segment_properties_t *props,
+			  const hb_feature_t            *user_features,
+			  unsigned int                   num_user_features,
+			  const int                     *coords,
+			  unsigned int                   num_coords);
   HB_INTERNAL void fini (void);
 };
 
@@ -94,7 +94,8 @@ struct hb_ot_shape_planner_t
   bool apply_morx : 1;
   const struct hb_ot_complex_shaper_t *shaper;
 
-  HB_INTERNAL hb_ot_shape_planner_t (const hb_shape_plan_t *master_plan);
+  HB_INTERNAL hb_ot_shape_planner_t (hb_face_t                     *face,
+				     const hb_segment_properties_t *props);
 
   HB_INTERNAL void compile (hb_ot_shape_plan_t &plan,
 			    const int          *coords,
diff --git a/src/hb-shape-plan.cc b/src/hb-shape-plan.cc
index 534d2896..0d51165f 100644
--- a/src/hb-shape-plan.cc
+++ b/src/hb-shape-plan.cc
@@ -178,7 +178,8 @@ hb_shape_plan_create2 (hb_face_t                     *face,
 			       coords, num_coords,
 			       shaper_list);
 
-  if (unlikely (!shape_plan->ot.init0 (shape_plan,
+  if (unlikely (!shape_plan->ot.init0 (face,
+				       props,
 				       user_features,
 				       num_user_features,
 				       coords,
commit 420c9de6447cdb491184e7f8caf0811b0c962c05
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Sun Nov 11 22:38:05 2018 -0500

    [shape-plan] Minor rename

diff --git a/src/hb-shape-plan.cc b/src/hb-shape-plan.cc
index 2a2e0e39..534d2896 100644
--- a/src/hb-shape-plan.cc
+++ b/src/hb-shape-plan.cc
@@ -45,12 +45,12 @@
 
 
 static void
-hb_shape_plan_plan (hb_shape_plan_t    *shape_plan,
-		    const hb_feature_t *user_features,
-		    unsigned int        num_user_features,
-		    const int          *coords,
-		    unsigned int        num_coords,
-		    const char * const *shaper_list)
+hb_shape_plan_choose_shaper (hb_shape_plan_t    *shape_plan,
+			     const hb_feature_t *user_features,
+			     unsigned int        num_user_features,
+			     const int          *coords,
+			     unsigned int        num_coords,
+			     const char * const *shaper_list)
 {
   DEBUG_MSG_FUNC (SHAPE_PLAN, shape_plan,
 		  "num_features=%d num_coords=%d shaper_list=%p",
@@ -173,10 +173,10 @@ hb_shape_plan_create2 (hb_face_t                     *face,
   if (num_coords)
     memcpy (coords, orig_coords, num_coords * sizeof (int));
 
-  hb_shape_plan_plan (shape_plan,
-		      user_features, num_user_features,
-		      coords, num_coords,
-		      shaper_list);
+  hb_shape_plan_choose_shaper (shape_plan,
+			       user_features, num_user_features,
+			       coords, num_coords,
+			       shaper_list);
 
   if (unlikely (!shape_plan->ot.init0 (shape_plan,
 				       user_features,
@@ -487,7 +487,7 @@ hb_shape_plan_create_cached2 (hb_face_t                     *face,
   };
 
   if (shaper_list) {
-    /* Choose shaper.  Adapted from hb_shape_plan_plan().
+    /* Choose shaper.  Adapted from hb_shape_plan_choose_shaper().
      * Must choose shaper exactly the same way as that function. */
     for (const char * const *shaper_item = shaper_list; *shaper_item; shaper_item++)
       if (false)

More information about the HarfBuzz mailing list