[HarfBuzz] harfbuzz: Branch 'master' - 2 commits
Behdad Esfahbod
behdad at kemper.freedesktop.org
Thu Oct 11 19:56:41 UTC 2018
src/hb-aat-layout-common.hh | 11 ++++++++---
test/api/hb-subset-test.h | 6 ++----
test/api/test-multithread.c | 5 +----
test/fuzzing/main.cc | 2 +-
4 files changed, 12 insertions(+), 12 deletions(-)
New commits:
commit e940530c9723c3a581a5d5b31e5f419865dd6cc7
Author: Behdad Esfahbod <behdad at behdad.org>
Date: Thu Oct 11 15:56:17 2018 -0400
[aat] Fix mul overflow
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10897
diff --git a/src/hb-aat-layout-common.hh b/src/hb-aat-layout-common.hh
index 78a27a74..5be3d372 100644
--- a/src/hb-aat-layout-common.hh
+++ b/src/hb-aat-layout-common.hh
@@ -386,6 +386,8 @@ struct StateTable
const HBUINT16 *states = (this+stateArrayTable).arrayZ;
const Entry<Extra> *entries = (this+entryTable).arrayZ;
+ unsigned int num_classes = nClasses;
+
unsigned int num_states = 1;
unsigned int num_entries = 0;
@@ -393,13 +395,16 @@ struct StateTable
unsigned int entry = 0;
while (state < num_states)
{
+ if (unlikely (hb_unsigned_mul_overflows (num_classes, states[0].static_size)))
+ return_trace (false);
+
if (unlikely (!c->check_array (states,
num_states,
- states[0].static_size * nClasses)))
+ num_classes * states[0].static_size)))
return_trace (false);
{ /* Sweep new states. */
- const HBUINT16 *stop = &states[num_states * nClasses];
- for (const HBUINT16 *p = &states[state * nClasses]; p < stop; p++)
+ const HBUINT16 *stop = &states[num_states * num_classes];
+ for (const HBUINT16 *p = &states[state * num_classes]; p < stop; p++)
num_entries = MAX<unsigned int> (num_entries, *p + 1);
state = num_states;
}
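Review bot: The new `hb_unsigned_mul_overflows (num_classes, states[0].static_size)` test sits inside the `while (state < num_states)` loop, although `num_classes` is assigned once before the loop and `static_size` does not change, so it can be evaluated once ahead of the `while`. Hoisting it also gives a natural place for a short comment such as `/* nClasses is table data; reject a stride that would wrap before handing it to check_array. */`, since the reason for the guard is not evident from the code alone. The sweep below still computes `num_states * num_classes` and `state * num_classes` without a check of its own; those products appear to be bounded only because `check_array` has already accepted the same extent, which is worth confirming and stating in that comment. The loop body continues past the end of this hunk.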
commit 1d995a340b9e17fc8dca7a3e88e0918de2d8f02c
Author: Behdad Esfahbod <behdad at behdad.org>
Date: Thu Oct 11 15:42:54 2018 -0400
Minor
diff --git a/test/api/hb-subset-test.h b/test/api/hb-subset-test.h
index 8f32d3db..5f5cd8d0 100644
--- a/test/api/hb-subset-test.h
+++ b/test/api/hb-subset-test.h
@@ -58,10 +58,8 @@ hb_subset_test_open_font (const char *font_path)
hb_blob_t *blob = hb_blob_create_from_file (path);
if (hb_blob_get_length (blob) == 0)
- {
- printf ("The test font is not found.");
- exit (1);
- }
+ g_error ("Font not found.");
+
hb_face_t *face = hb_face_create (blob, 0);
hb_blob_destroy (blob);
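Review bot: The replacement message `g_error ("Font not found.");` no longer says which file was missing, although `path` is used on the line just above; `g_error ("Font not found: %s", path);` would make a failing run diagnosable from the log alone. g_error() also aborts the process rather than exiting with status 1, so a harness that told the old exit code apart from a crash will now see a crash. Both points apply equally to the identical change in test/api/test-multithread.c. hb_subset_test_open_font continues outside this hunk.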
diff --git a/test/api/test-multithread.c b/test/api/test-multithread.c
index 779b762d..b651b399 100644
--- a/test/api/test-multithread.c
+++ b/test/api/test-multithread.c
@@ -149,10 +149,7 @@ main (int argc, char **argv)
hb_blob_t *blob = hb_blob_create_from_file (path);
if (hb_blob_get_length (blob) == 0)
- {
- printf ("The test font is not found.");
- return 1;
- }
+ g_error ("Font not found.");
hb_face_t *face = hb_face_create (blob, 0);
font = hb_font_create (face);
diff --git a/test/fuzzing/main.cc b/test/fuzzing/main.cc
index b42d60c1..f15247cd 100644
--- a/test/fuzzing/main.cc
+++ b/test/fuzzing/main.cc
@@ -10,7 +10,7 @@ int main(int argc, char **argv) {
const char *font_data = hb_blob_get_data (blob, &len);
if (len == 0)
{
- printf ("The test font is not found.");
+ printf ("Font not found.\n");
exit (1);
}