[HarfBuzz] harfbuzz: Branch 'master' - 5 commits
Behdad Esfahbod
behdad at kemper.freedesktop.org
Mon Nov 12 19:24:56 UTC 2018
src/Makefile.am | 31 -----------------------------
src/hb-aat-layout-common.hh | 8 +++++--
src/hb-aat-layout-kerx-table.hh | 8 +++----
src/hb-machinery.hh | 42 ++++++++++++++++++++++++++++------------
src/hb-open-type.hh | 4 ++-
src/hb-ot-layout-common.hh | 5 ++--
src/hb-ot-layout-gpos-table.hh | 11 +++++++---
src/hb-ot-var-hvar-table.hh | 4 ++-
src/hb-ot-var-mvar-table.hh | 4 ++-
test/fuzzing/Makefile.am | 39 ++++++++++++-------------------------
10 files changed, 73 insertions(+), 83 deletions(-)
New commits:
commit 274f4c726f461f49f54a79557d63bf95d22903cf
Author: Behdad Esfahbod <behdad at behdad.org>
Date: Mon Nov 12 14:24:36 2018 -0500
Rename check_array2() to check_array()
diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh
index 6e9f3007..f075a270 100644
--- a/src/hb-aat-layout-kerx-table.hh
+++ b/src/hb-aat-layout-kerx-table.hh
@@ -267,7 +267,7 @@ struct KerxSubTableFormat1
unsigned int kern_idx = Format1EntryT::kernActionIndex (entry);
kern_idx = Types::offsetToIndex (kern_idx, &table->machine, kernAction.arrayZ);
const FWORD *actions = &kernAction[kern_idx];
- if (!c->sanitizer.check_array2 (actions, depth, tuple_count))
+ if (!c->sanitizer.check_array (actions, depth, tuple_count))
{
depth = 0;
return false;
diff --git a/src/hb-machinery.hh b/src/hb-machinery.hh
index fa2c7b3a..ce6c9453 100644
--- a/src/hb-machinery.hh
+++ b/src/hb-machinery.hh
@@ -343,11 +343,11 @@ struct hb_sanitize_context_t :
}
template <typename T>
- inline bool check_array2 (const T *base,
- unsigned int a,
- unsigned int b) const
+ inline bool check_array (const T *base,
+ unsigned int a,
+ unsigned int b) const
{
- return this->check_range (base, a * b, T::static_size);
+ return this->check_range (base, a, b, T::static_size);
}
template <typename Type>
commit e014405a214bceff3a1ce80f0b98273c44078e82
Author: Behdad Esfahbod <behdad at behdad.org>
Date: Mon Nov 12 14:23:31 2018 -0500
Rename check_array(array, a, b) to check_range()
diff --git a/src/hb-aat-layout-common.hh b/src/hb-aat-layout-common.hh
index 8191df4c..adc7538c 100644
--- a/src/hb-aat-layout-common.hh
+++ b/src/hb-aat-layout-common.hh
@@ -557,7 +557,9 @@ struct StateTable
/* Negative states. */
if (unlikely (hb_unsigned_mul_overflows (min_state, num_classes)))
return_trace (false);
- if (unlikely (!c->check_array (&states[min_state * num_classes], -min_state, row_stride)))
+ if (unlikely (!c->check_range (&states[min_state * num_classes],
+ -min_state,
+ row_stride)))
return_trace (false);
if ((c->max_ops -= state_neg - min_state) < 0)
return_trace (false);
@@ -574,7 +576,9 @@ struct StateTable
if (state_pos <= max_state)
{
/* Positive states. */
- if (unlikely (!c->check_array (states, max_state + 1, row_stride)))
+ if (unlikely (!c->check_range (states,
+ max_state + 1,
+ row_stride)))
return_trace (false);
if ((c->max_ops -= max_state - state_pos + 1) < 0)
return_trace (false);
diff --git a/src/hb-machinery.hh b/src/hb-machinery.hh
index 6155c012..fa2c7b3a 100644
--- a/src/hb-machinery.hh
+++ b/src/hb-machinery.hh
@@ -317,22 +317,37 @@ struct hb_sanitize_context_t :
}
template <typename T>
+ inline bool check_range (const T *base,
+ unsigned int a,
+ unsigned int b) const
+ {
+ return !hb_unsigned_mul_overflows (a, b) &&
+ this->check_range (base, a * b);
+ }
+
+ template <typename T>
+ inline bool check_range (const T *base,
+ unsigned int a,
+ unsigned int b,
+ unsigned int c) const
+ {
+ return !hb_unsigned_mul_overflows (a, b) &&
+ this->check_range (base, a * b, c);
+ }
+
+ template <typename T>
inline bool check_array (const T *base,
- unsigned int len,
- unsigned int record_size = T::static_size) const
+ unsigned int len) const
{
- return !hb_unsigned_mul_overflows (len, record_size) &&
- this->check_range (base, len * record_size);
+ return this->check_range (base, len, T::static_size);
}
template <typename T>
inline bool check_array2 (const T *base,
unsigned int a,
- unsigned int b,
- unsigned int record_size = T::static_size) const
+ unsigned int b) const
{
- return !hb_unsigned_mul_overflows (a, b) &&
- this->check_array (base, a * b, record_size);
+ return this->check_range (base, a * b, T::static_size);
}
template <typename Type>
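Review bot: The rewritten check_array2 body on the last `+` line of this hunk, `return this->check_range (base, a * b, T::static_size);`, forms the product a * b before any wrap test, so the guard that commit c8f4cc4 added for the oss-fuzz case is lost in this commit and only returns in the following commit 274f4c7, which switches the call to the four-argument overload; taken on its own this commit regresses the fix, which matters when bisecting. The four-argument check_range introduced at the top of the hunk exists for exactly this, so the line should read `return this->check_range (base, a, b, T::static_size);`. The two new check_range overloads carry no comment explaining why the factors are passed separately; a one-liner such as `/* Bounds-check a*b (or a*b*c) bytes at base; a wrapping product is rejected instead of being under-checked. */` would make that intent survive the next refactor. The fourth parameter of the new overload is named `c`, which every call site in this series uses for the sanitize context; `record_size`, the name the old check_array used, would read less ambiguously.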
diff --git a/src/hb-open-type.hh b/src/hb-open-type.hh
index 14506180..3f8e2c08 100644
--- a/src/hb-open-type.hh
+++ b/src/hb-open-type.hh
@@ -887,7 +887,9 @@ struct VarSizedBinSearchArrayOf
TRACE_SANITIZE (this);
return_trace (header.sanitize (c) &&
Type::static_size <= header.unitSize &&
- c->check_array (bytesZ.arrayZ, header.nUnits, header.unitSize));
+ c->check_range (bytesZ.arrayZ,
+ header.nUnits,
+ header.unitSize));
}
protected:
diff --git a/src/hb-ot-layout-common.hh b/src/hb-ot-layout-common.hh
index 7b1d39aa..2ffb7c26 100644
--- a/src/hb-ot-layout-common.hh
+++ b/src/hb-ot-layout-common.hh
@@ -1566,8 +1566,9 @@ struct VarData
return_trace (c->check_struct (this) &&
regionIndices.sanitize(c) &&
shortCount <= regionIndices.len &&
- c->check_array (&StructAfter<HBUINT8> (regionIndices),
- itemCount, get_row_size ()));
+ c->check_range (&StructAfter<HBUINT8> (regionIndices),
+ itemCount,
+ get_row_size ()));
}
protected:
diff --git a/src/hb-ot-layout-gpos-table.hh b/src/hb-ot-layout-gpos-table.hh
index cf735c30..fb6f6d0f 100644
--- a/src/hb-ot-layout-gpos-table.hh
+++ b/src/hb-ot-layout-gpos-table.hh
@@ -207,7 +207,7 @@ struct ValueFormat : HBUINT16
TRACE_SANITIZE (this);
unsigned int len = get_len ();
- if (!c->check_array (values, count, get_size ())) return_trace (false);
+ if (!c->check_range (values, count, get_size ())) return_trace (false);
if (!has_device ()) return_trace (true);
@@ -706,7 +706,10 @@ struct PairSet
{
TRACE_SANITIZE (this);
if (!(c->check_struct (this)
- && c->check_array (&firstPairValueRecord, len, HBUINT16::static_size * closure->stride))) return_trace (false);
+ && c->check_range (&firstPairValueRecord,
+ len,
+ HBUINT16::static_size,
+ closure->stride))) return_trace (false);
unsigned int count = len;
const PairValueRecord *record = &firstPairValueRecord;
@@ -879,7 +882,9 @@ struct PairPosFormat2
unsigned int stride = len1 + len2;
unsigned int record_size = valueFormat1.get_size () + valueFormat2.get_size ();
unsigned int count = (unsigned int) class1Count * (unsigned int) class2Count;
- return_trace (c->check_array ((const void *) values, count, record_size) &&
+ return_trace (c->check_range ((const void *) values,
+ count,
+ record_size) &&
valueFormat1.sanitize_values_stride_unsafe (c, this, &values[0], count, stride) &&
valueFormat2.sanitize_values_stride_unsafe (c, this, &values[len1], count, stride));
}
diff --git a/src/hb-ot-var-hvar-table.hh b/src/hb-ot-var-hvar-table.hh
index 66e086e1..62a6547b 100644
--- a/src/hb-ot-var-hvar-table.hh
+++ b/src/hb-ot-var-hvar-table.hh
@@ -39,7 +39,9 @@ struct DeltaSetIndexMap
{
TRACE_SANITIZE (this);
return_trace (c->check_struct (this) &&
- c->check_array (mapDataZ.arrayZ, mapCount, get_width ()));
+ c->check_range (mapDataZ.arrayZ,
+ mapCount,
+ get_width ()));
}
unsigned int map (unsigned int v) const /* Returns 16.16 outer.inner. */
diff --git a/src/hb-ot-var-mvar-table.hh b/src/hb-ot-var-mvar-table.hh
index 5d6b5595..b16a09b3 100644
--- a/src/hb-ot-var-mvar-table.hh
+++ b/src/hb-ot-var-mvar-table.hh
@@ -68,7 +68,9 @@ struct MVAR
c->check_struct (this) &&
valueRecordSize >= VariationValueRecord::static_size &&
varStore.sanitize (c, this) &&
- c->check_array (valuesZ.arrayZ, valueRecordCount, valueRecordSize));
+ c->check_range (valuesZ.arrayZ,
+ valueRecordCount,
+ valueRecordSize));
}
inline float get_var (hb_tag_t tag,
commit c8f4cc49272d8bcd47706a6306a625d724349f5a
Author: Behdad Esfahbod <behdad at behdad.org>
Date: Mon Nov 12 14:11:29 2018 -0500
[kerx] Fix integer overflow in multiply
Fixes https://oss-fuzz.com/v2/testcase-detail/5754863779053568
diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh
index ccba8fe1..6e9f3007 100644
--- a/src/hb-aat-layout-kerx-table.hh
+++ b/src/hb-aat-layout-kerx-table.hh
@@ -267,7 +267,7 @@ struct KerxSubTableFormat1
unsigned int kern_idx = Format1EntryT::kernActionIndex (entry);
kern_idx = Types::offsetToIndex (kern_idx, &table->machine, kernAction.arrayZ);
const FWORD *actions = &kernAction[kern_idx];
- if (!c->sanitizer.check_array (actions, depth * tuple_count))
+ if (!c->sanitizer.check_array2 (actions, depth, tuple_count))
{
depth = 0;
return false;
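Review bot: The new call `c->sanitizer.check_array2 (actions, depth, tuple_count)` repairs the wrap in `depth * tuple_count`, but nothing at the call site says so, and a later tidy-up could fold the two factors back into one product and silently reintroduce the under-sized bounds check. A comment on the line above, `/* Pass depth and tuple_count separately so the sanitizer can reject a wrapping product. */`, would preserve the reason next to the code. The enclosing function starts and ends outside the hunk.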
diff --git a/src/hb-machinery.hh b/src/hb-machinery.hh
index 9e4c16d8..6155c012 100644
--- a/src/hb-machinery.hh
+++ b/src/hb-machinery.hh
@@ -298,7 +298,8 @@ struct hb_sanitize_context_t :
this->start = this->end = nullptr;
}
- inline bool check_range (const void *base, unsigned int len) const
+ inline bool check_range (const void *base,
+ unsigned int len) const
{
const char *p = (const char *) base;
bool ok = this->start <= p &&
@@ -316,20 +317,22 @@ struct hb_sanitize_context_t :
}
template <typename T>
- inline bool check_array (const T *base, unsigned int len, unsigned int record_size = T::static_size) const
+ inline bool check_array (const T *base,
+ unsigned int len,
+ unsigned int record_size = T::static_size) const
{
- const char *p = (const char *) base;
- bool overflows = hb_unsigned_mul_overflows (len, record_size);
- unsigned int array_size = record_size * len;
- bool ok = !overflows && this->check_range (base, array_size);
-
- DEBUG_MSG_LEVEL (SANITIZE, p, this->debug_depth+1, 0,
- "check_array [%p..%p] (%d*%d=%d bytes) in [%p..%p] -> %s",
- p, p + (record_size * len), record_size, len, (unsigned int) array_size,
- this->start, this->end,
- overflows ? "OVERFLOWS" : ok ? "OK" : "OUT-OF-RANGE");
+ return !hb_unsigned_mul_overflows (len, record_size) &&
+ this->check_range (base, len * record_size);
+ }
- return likely (ok);
+ template <typename T>
+ inline bool check_array2 (const T *base,
+ unsigned int a,
+ unsigned int b,
+ unsigned int record_size = T::static_size) const
+ {
+ return !hb_unsigned_mul_overflows (a, b) &&
+ this->check_array (base, a * b, record_size);
}
template <typename Type>
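Review bot: The check_array rewrite drops the DEBUG_MSG_LEVEL trace, so a SANITIZE-level debug build no longer reports the `len*record_size` byte count or the OVERFLOWS/OUT-OF-RANGE verdict for array checks; whether the two-argument check_range it now delegates to emits an equivalent line is outside this hunk, so that is worth confirming before relying on the debug output to diagnose fuzz cases like the one this commit fixes. The new check_array2 has no comment stating why it takes the element count as two factors; `/* a*b is tested for wrap before it is used as the element count. */` above it would capture that. The likely() hint on the old return is also gone; if it was deliberate, a short note in the commit message would help, otherwise it is harmless.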
commit 1300f027a938d8898cdc9abbcad71afadf70e6e6
Author: Behdad Esfahbod <behdad at behdad.org>
Date: Mon Nov 12 13:56:48 2018 -0500
[kerx] Minor tweak on previous commit
diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh
index 4e6c6e40..ccba8fe1 100644
--- a/src/hb-aat-layout-kerx-table.hh
+++ b/src/hb-aat-layout-kerx-table.hh
@@ -260,7 +260,7 @@ struct KerxSubTableFormat1
depth = 0; /* Probably not what CoreText does, but better? */
}
- if (depth && Format1EntryT::performAction (entry))
+ if (Format1EntryT::performAction (entry) && depth)
{
unsigned int tuple_count = MAX (1u, table->header.tuple_count ());
@@ -279,9 +279,9 @@ struct KerxSubTableFormat1
* "Each pops one glyph from the kerning stack and applies the kerning value to it.
* The end of the list is marked by an odd value... */
bool last = false;
- while (!last && depth--)
+ while (!last && depth)
{
- unsigned int idx = stack[depth];
+ unsigned int idx = stack[--depth];
int v = *actions;
actions += tuple_count;
if (idx >= buffer->len) continue;
commit d6666b3866037c9d3e8a497958af9ba8d2f47a73
Author: Behdad Esfahbod <behdad at behdad.org>
Date: Mon Nov 12 13:21:14 2018 -0500
[fuzzing] Remove limited-edition build of libraries
Use normal, production, shared libraries.
Fixes https://github.com/harfbuzz/harfbuzz/issues/1237
diff --git a/src/Makefile.am b/src/Makefile.am
index 9632b4df..b3cc42f3 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -15,7 +15,6 @@ check_PROGRAMS =
# Convenience targets:
lib: $(BUILT_SOURCES) libharfbuzz.la
libs: $(BUILT_SOURCES) $(lib_LTLIBRARIES)
-fuzzing: $(BUILT_SOURCES) libharfbuzz-fuzzing.la libharfbuzz-subset-fuzzing.la
lib_LTLIBRARIES = libharfbuzz.la
@@ -169,36 +168,6 @@ pkginclude_HEADERS += $(HB_SUBSET_headers)
pkgconfig_DATA += harfbuzz-subset.pc
EXTRA_DIST += harfbuzz-subset.pc.in
-FUZZING_CPPFLAGS = \
- -DHB_MAX_NESTING_LEVEL=3 \
- -DHB_SANITIZE_MAX_EDITS=3 \
- -DHB_SANITIZE_MAX_OPS_FACTOR=3 \
- -DHB_SANITIZE_MAX_OPS_MIN=128 \
- -DHB_BUFFER_MAX_LEN_FACTOR=3 \
- -DHB_BUFFER_MAX_LEN_MIN=8 \
- -DHB_BUFFER_MAX_LEN_DEFAULT=128 \
- -DHB_BUFFER_MAX_OPS_FACTOR=8 \
- -DHB_BUFFER_MAX_OPS_MIN=64 \
- -DHB_BUFFER_MAX_OPS_DEFAULT=1024 \
- $(NULL)
-EXTRA_LTLIBRARIES = libharfbuzz-fuzzing.la libharfbuzz-subset-fuzzing.la
-
-libharfbuzz_fuzzing_la_LINK = $(chosen_linker) $(libharfbuzz_fuzzing_la_LDFLAGS)
-libharfbuzz_fuzzing_la_SOURCES = $(libharfbuzz_la_SOURCES)
-libharfbuzz_fuzzing_la_CPPFLAGS = $(HBCFLAGS) $(FUZZING_CPPFLAGS)
-libharfbuzz_fuzzing_la_LDFLAGS = $(AM_LDFLAGS)
-libharfbuzz_fuzzing_la_LIBADD = $(libharfbuzz_la_LIBADD)
-EXTRA_libharfbuzz_fuzzing_la_DEPENDENCIES = $(EXTRA_libharfbuzz_la_DEPENDENCIES)
-CLEANFILES += libharfbuzz-fuzzing.la
-
-libharfbuzz_subset_fuzzing_la_LINK = $(chosen_linker) $(libharfbuzz_subset_fuzzing_la_LDFLAGS)
-libharfbuzz_subset_fuzzing_la_SOURCES = $(libharfbuzz_subset_la_SOURCES)
-libharfbuzz_subset_fuzzing_la_CPPFLAGS = $(HBCFLAGS) $(FUZZING_CPPFLAGS)
-libharfbuzz_subset_fuzzing_la_LDFLAGS = $(AM_LDFLAGS)
-libharfbuzz_subset_fuzzing_la_LIBADD = libharfbuzz-fuzzing.la
-EXTRA_libharfbuzz_subset_fuzzing_la_DEPENDENCIES = $(EXTRA_libharfbuzz_subset_la_DEPENDENCIES)
-CLEANFILES += libharfbuzz-subset-fuzzing.la
-
if HAVE_ICU
if HAVE_ICU_BUILTIN
HBCFLAGS += $(ICU_CFLAGS)
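Review bot: Removing FUZZING_CPPFLAGS means the fuzz targets now run against the production HB_SANITIZE_MAX_* and HB_BUFFER_MAX_* limits instead of the reduced ones this block defined, so an input that previously bailed out after a few edits or a small op budget now runs to the full production budget. That is the stated intent, but it changes the fuzzers' cost profile: slow-but-valid inputs may start surfacing as timeouts rather than being cut short, and any remaining documentation or scripts that refer to the `fuzzing` make target or the `*-fuzzing.la` libraries (not visible here) need the same cleanup. A sentence in test/fuzzing/README on why the fuzzers link the production libraries would help the next person who wonders where the reduced limits went.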
diff --git a/test/fuzzing/Makefile.am b/test/fuzzing/Makefile.am
index ed67eee8..a77df706 100644
--- a/test/fuzzing/Makefile.am
+++ b/test/fuzzing/Makefile.am
@@ -7,13 +7,13 @@ DISTCLEANFILES =
MAINTAINERCLEANFILES =
# Convenience targets:
-lib-only:
- @$(MAKE) $(AM_MAKEFLAGS) -C $(top_builddir)/src fuzzing
-lib: lib-only
- @$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+lib:
+ @$(MAKE) $(AM_MAKEFLAGS) -C $(top_builddir)/src lib
+libs:
+ @$(MAKE) $(AM_MAKEFLAGS) -C $(top_builddir)/src libs
-$(top_builddir)/src/libharfbuzz-fuzzing.la: lib-only
-$(top_builddir)/src/libharfbuzz-subset-fuzzing.la: lib-only
+$(top_builddir)/src/libharfbuzz.la: lib
+$(top_builddir)/src/libharfbuzz-subset.la: libs
EXTRA_DIST += \
README \
@@ -33,24 +33,15 @@ AM_CPPFLAGS = \
-I$(top_srcdir)/src/ \
-I$(top_builddir)/src/ \
$(NULL)
-LDADD = \
- $(top_builddir)/src/libharfbuzz-fuzzing.la \
- $(NULL)
hb_shape_fuzzer_SOURCES = \
hb-fuzzer.hh \
hb-shape-fuzzer.cc \
main.cc \
$(NULL)
-hb_shape_fuzzer_LDADD = \
- $(LDADD) \
- $(NULL)
-hb_shape_fuzzer_CPPFLAGS = \
- $(AM_CPPFLAGS) \
- $(NULL)
-hb_shape_fuzzer_DEPENDENCIES = \
- $(top_builddir)/src/libharfbuzz-fuzzing.la
- $(NULL)
+hb_shape_fuzzer_LDADD = $(top_builddir)/src/libharfbuzz.la
+hb_shape_fuzzer_CPPFLAGS = $(AM_CPPFLAGS)
+hb_shape_fuzzer_DEPENDENCIES = $(top_builddir)/src/libharfbuzz.la
hb_subset_fuzzer_SOURCES = \
hb-fuzzer.hh \
@@ -58,14 +49,10 @@ hb_subset_fuzzer_SOURCES = \
main.cc \
$(NULL)
hb_subset_fuzzer_LDADD = \
- $(top_builddir)/src/libharfbuzz-subset-fuzzing.la \
- $(NULL)
-hb_subset_fuzzer_CPPFLAGS = \
- $(AM_CPPFLAGS) \
- $(NULL)
-hb_subset_fuzzer_DEPENDENCIES = \
- $(top_builddir)/src/libharfbuzz-subset-fuzzing.la
- $(NULL)
+ $(top_builddir)/src/libharfbuzz.la \
+ $(top_builddir)/src/libharfbuzz-subset.la
+hb_subset_fuzzer_CPPFLAGS = $(AM_CPPFLAGS)
+hb_subset_fuzzer_DEPENDENCIES = $(top_builddir)/src/libharfbuzz-subset.la
check:
EXEEXT="$(EXEEXT)" srcdir="$(srcdir)" builddir="$(builddir)" $(srcdir)/run-shape-fuzzer-tests.py
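Review bot: `hb_subset_fuzzer_DEPENDENCIES = $(top_builddir)/src/libharfbuzz-subset.la` lists only the subset library, while the hb_subset_fuzzer_LDADD a few lines above links both libharfbuzz.la and libharfbuzz-subset.la; a rebuild of libharfbuzz.la alone may therefore not relink the subset fuzzer, unlike hb_shape_fuzzer, whose DEPENDENCIES names the library it links. Listing both, `hb_subset_fuzzer_DEPENDENCIES = $(top_builddir)/src/libharfbuzz.la $(top_builddir)/src/libharfbuzz-subset.la`, keeps the two targets consistent.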