src/hb-aat-layout-common.hh | 11 ++++++++--- test/api/hb-subset-test.h | 6 ++---- test/api/test-multithread.c | 5 +---- test/fuzzing/main.cc | 2 +- 4 files changed, 12 insertions(+), 12 deletions(-)
New commits:
commit e940530c9723c3a581a5d5b31e5f419865dd6cc7
Author: Behdad Esfahbod <beh...@behdad.org>
Date: Thu Oct 11 15:56:17 2018 -0400
[aat] Fix mul overflow
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10897
diff --git a/src/hb-aat-layout-common.hh b/src/hb-aat-layout-common.hh
index 78a27a74..5be3d372 100644
--- a/src/hb-aat-layout-common.hh
+++ b/src/hb-aat-layout-common.hh
@@ -386,6 +386,8 @@ struct StateTable
 const HBUINT16 *states = (this+stateArrayTable).arrayZ;
 const Entry<Extra> *entries = (this+entryTable).arrayZ;
+ unsigned int num_classes = nClasses;
+
 unsigned int num_states = 1;
 unsigned int num_entries = 0;
@@ -393,13 +395,16 @@ struct StateTable
 unsigned int entry = 0;
 while (state < num_states) {
+ if (unlikely (hb_unsigned_mul_overflows (num_classes, states[0].static_size)))
+ return_trace (false);
+
 if (unlikely (!c->check_array (states, num_states,
- states[0].static_size * nClasses)))
+ num_classes * states[0].static_size)))
 return_trace (false);
 { /* Sweep new states. */
- const HBUINT16 *stop = &states[num_states * nClasses];
- for (const HBUINT16 *p = &states[state * nClasses]; p < stop; p++)
+ const HBUINT16 *stop = &states[num_states * num_classes];
+ for (const HBUINT16 *p = &states[state * num_classes]; p < stop; p++)
 num_entries = MAX<unsigned int> (num_entries, *p + 1);
 state = num_states;
 }
commit 1d995a340b9e17fc8dca7a3e88e0918de2d8f02c
Author: Behdad Esfahbod <beh...@behdad.org>
Date: Thu Oct 11 15:42:54 2018 -0400
Minor
diff --git a/test/api/hb-subset-test.h b/test/api/hb-subset-test.h
index 8f32d3db..5f5cd8d0 100644
--- a/test/api/hb-subset-test.h
+++ b/test/api/hb-subset-test.h
@@ -58,10 +58,8 @@ hb_subset_test_open_font (const char *font_path)
 hb_blob_t *blob = hb_blob_create_from_file (path);
 if (hb_blob_get_length (blob) == 0)
- {
- printf ("The test font is not found.");
- exit (1);
- }
+ g_error ("Font not found.");
+
 hb_face_t *face = hb_face_create (blob, 0);
 hb_blob_destroy (blob);
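Review bot: The added `hb_unsigned_mul_overflows (num_classes, states[0].static_size)` test sits inside `while (state < num_states)` although neither operand changes in the lines shown, so it can run once; moving the two added lines above the `while` puts the guard next to the new `num_classes` declaration. The guard covers only the record-size product handed to `check_array`. The index in `&states[num_states * num_classes]` is still plain `unsigned int` arithmetic and appears to rely on `check_array` (defined outside this diff) rejecting an overflowing count × record size, which is worth recording with a comment such as `/* relies on check_array rejecting num_states * record-size overflow */`. The commit cites an oss-fuzz report, but the four files in the diffstat include no new test input, so adding the reproducer to the fuzzing corpus would keep the overflow from regressing. The loop body continues past the end of the hunk.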
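Review bot: The new `g_error ("Font not found.")` under the `hb_blob_get_length (blob) == 0` check in hb_subset_test_open_font does not name the file, although `path` is in scope on the line above; `g_error ("Font not found: %s", path);` would make a failing run diagnosable from the log alone. The identical replacement in test/api/test-multithread.c has the same gap. The condition tests the blob length, so an existing but empty file ends up here as well, and "missing or empty" would describe the check more accurately. Both function bodies extend beyond their hunks.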
diff --git a/test/api/test-multithread.c b/test/api/test-multithread.c
index 779b762d..b651b399 100644
--- a/test/api/test-multithread.c
+++ b/test/api/test-multithread.c
@@ -149,10 +149,7 @@ main (int argc, char **argv)
 hb_blob_t *blob = hb_blob_create_from_file (path);
 if (hb_blob_get_length (blob) == 0)
- {
- printf ("The test font is not found.");
- return 1;
- }
+ g_error ("Font not found.");
 hb_face_t *face = hb_face_create (blob, 0);
 font = hb_font_create (face);
diff --git a/test/fuzzing/main.cc b/test/fuzzing/main.cc
index b42d60c1..f15247cd 100644
--- a/test/fuzzing/main.cc
+++ b/test/fuzzing/main.cc
@@ -10,7 +10,7 @@ int main(int argc, char **argv) {
 const char *font_data = hb_blob_get_data (blob, &len);
 if (len == 0) {
- printf ("The test font is not found.");
+ printf ("Font not found.\n");
 exit (1);
 }
_______________________________________________
HarfBuzz mailing list
HarfBuzz@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/harfbuzz