src/hb-dsalgs.hh | 15 +++- src/hb-ot-glyf-table.hh | 2 src/hb-ot-post-table.hh | 34 ++++------ test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5634443633491968 |binary 4 files changed, 27 insertions(+), 24 deletions(-)
New commits:
commit 3a9fa8c026bf28bf87e20ec95327f74fd7070b74
Author: Behdad Esfahbod <beh...@behdad.org>
Date: Sat Nov 10 01:56:37 2018 -0500
[qsort] Fix O(N^2) behavior if all array elements are the same Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11327 Reported as https://github.com/noporpoise/sort_r/issues/7
diff --git a/src/hb-dsalgs.hh b/src/hb-dsalgs.hh
index 9ccd7f25..ffa43870 100644
--- a/src/hb-dsalgs.hh
+++ b/src/hb-dsalgs.hh
@@ -356,7 +356,12 @@ hb_bsearch_r (const void *key, const void *base,
 }
-/* From https://github.com/noporpoise/sort_r */
+/* From https://github.com/noporpoise/sort_r
+ * With following modifications:
+ *
+ * 10 November 2018:
+ * https://github.com/noporpoise/sort_r/issues/7
+ */
 /* Isaac Turner 29 April 2014 Public Domain */
@@ -412,7 +417,7 @@ static inline void sort_r_simple(void *base, size_t nel, size_t w,
 /* Use median of first, middle and last items as pivot */
 char *x, *y, *xend, ch;
- char *pl, *pr;
+ char *pl, *pm, *pr;
 char *last = b+w*(nel-1), *tmp;
 char *l[3];
 l[0] = b;
@@ -434,13 +439,15 @@ static inline void sort_r_simple(void *base, size_t nel, size_t w,
 pr = last;
 while(pl < pr) {
- for(; pl < pr; pl += w) {
+ pm = pl+((pr-pl+1)>>1);
+ for(; pl < pm; pl += w) {
 if(sort_r_cmpswap(pl, pr, w, compar, arg)) {
 pr -= w; /* pivot now at pl */
 break;
 }
 }
- for(; pl < pr; pr -= w) {
+ pm = pl+((pr-pl)>>1);
+ for(; pm < pr; pr -= w) {
 if(sort_r_cmpswap(pl, pr, w, compar, arg)) {
 pl += w; /* pivot now at pr */
 break;
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5634443633491968 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5634443633491968
new file mode 100644
index 00000000..c63bcc58
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-5634443633491968 differ
commit b308aaccf0773e252880b9b887f3d3d1dec00168
Author: Behdad Esfahbod <beh...@behdad.org>
Date: Sat Nov 10 00:37:17 2018 -0500
[post] Minor
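Review bot: The bounded scans in the third hunk (the `while(pl < pr)` loop) break the invariant the two inner loops rely on — that the pivot is at `pr` when the left-hand scan runs and at `pl` when the right-hand scan runs: if `for(; pl < pm; pl += w)` reaches `pm` without a swap the pivot is still at `pr`, but the following `for(; pm < pr; pr -= w)` then compares an ordinary element against the pivot, swaps the pivot into `pl` and steps `pl` past it, so the `/* pivot now at pr */` comment is false on that path (the mirror case occurs when the right-hand scan hits its bound). Concretely, with w=1 and the pivot 5 already at `last`, running this partition on 1 9 1 8 2 7 5 ends with `pl` on the 8 and the 5 at `pl-w`, and the two recursive calls never touch the 8, yielding 1 1 2 5 8 7 9. The midpoint bound is the right idea for the all-equal input that triggered the fuzzer, but whenever a scan exits without swapping the pivot has to be moved to the pointer the next scan assumes; the rewrite below does that with one w-byte swap after each scan (`sort_r_simple` starts and ends outside the hunk). On all-equal input each pass still halves the unknown region, so the O(N^2) fix is preserved.

```cpp
/* Swap two w-byte elements; the ranges must not overlap. */
static inline void sort_r_swap_elem(char *a, char *b, size_t w)
{
  char ch, *aend = a+w;
  for(; a < aend; a++, b++) { ch = *a; *a = *b; *b = ch; }
}

/* … unchanged: pivot selection, pl = b; pr = last; … */
    while(pl < pr) {
      pm = pl+((pr-pl+1)>>1);
      /* … unchanged: left-hand scan for(; pl < pm; pl += w) … */
      if(pl >= pm && pl < pr) {
        /* Bound reached without a swap: the pivot is still at pr.
         * Re-home it at pl, which the right-hand scan compares against. */
        sort_r_swap_elem(pl, pr, w);
      }
      pm = pl+((pr-pl)>>1);
      /* … unchanged: right-hand scan for(; pm < pr; pr -= w) … */
      if(pr <= pm && pl < pr) {
        /* Bound reached without a swap: the pivot is still at pl.
         * Move it back to pr for the next left-hand scan. */
        sort_r_swap_elem(pl, pr, w);
      }
    }
```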
diff --git a/src/hb-ot-post-table.hh b/src/hb-ot-post-table.hh
index bbde8d83..77eef3f5 100644
--- a/src/hb-ot-post-table.hh
+++ b/src/hb-ot-post-table.hh
@@ -77,11 +77,11 @@ struct post
 {
 unsigned int post_prime_length;
 hb_blob_t *post_blob = hb_sanitize_context_t().reference_table<post>(plan->source);
- hb_blob_t *post_prime_blob = hb_blob_create_sub_blob (post_blob, 0, post::static_size);
+ hb_blob_t *post_prime_blob = hb_blob_create_sub_blob (post_blob, 0, post::min_size);
 post *post_prime = (post *) hb_blob_get_data_writable (post_prime_blob, &post_prime_length);
 hb_blob_destroy (post_blob);
- if (unlikely (!post_prime || post_prime_length != post::static_size))
+ if (unlikely (!post_prime || post_prime_length != post::min_size))
 {
 hb_blob_destroy (post_prime_blob);
 DEBUG_MSG(SUBSET, nullptr, "Invalid source post table with length %d.", post_prime_length);
@@ -109,7 +109,7 @@ struct post
 if (version != 0x00020000)
 return;
- const postV2Tail &v2 = StructAfter<postV2Tail> (*table);
+ const postV2Tail &v2 = table->v2;
 glyphNameIndex = &v2.glyphNameIndex;
 pool = &StructAfter<uint8_t> (v2.glyphNameIndex);
@@ -255,14 +255,10 @@ struct post
 inline bool sanitize (hb_sanitize_context_t *c) const
 {
 TRACE_SANITIZE (this);
- if (unlikely (!c->check_struct (this)))
- return_trace (false);
- if (version.to_int () == 0x00020000)
- {
- const postV2Tail &v2 = StructAfter<postV2Tail> (*this);
- return_trace (v2.sanitize (c));
- }
- return_trace (true);
+ return_trace (likely (c->check_struct (this) &&
+ (version.to_int () == 0x00010000 ||
+ (version.to_int () == 0x00020000 && v2.sanitize (c)) ||
+ version.to_int () == 0x00030000)));
 }
 public:
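Review bot: The rewritten `sanitize` in the third hunk rejects every post table whose version is not exactly 0x00010000, 0x00020000 or 0x00030000, whereas the removed code accepted any version and only validated the v2 tail for 2.0; that narrows which fonts pass sanitize, and neither the code nor the commit title ("Minor") records it as intentional. The deprecated 2.5 format (0x00025000) is the obvious casualty: a table that previously passed `check_struct` now fails the `likely (...)` test. If the tightening is deliberate, say so on the return, e.g. `/* Only versions 1.0, 2.0 and 3.0 are accepted; 2.5 (deprecated) and unknown versions fail sanitize. */`; if it is not, the old "unknown versions pass" behaviour needs an explicit `true` alternative in the expression. `sanitize` is complete within the hunk, but the enclosing `struct post` is not.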
@@ -297,8 +293,8 @@ struct post
 * is downloaded as a Type 1 font. */
 HBUINT32 maxMemType1; /* Maximum memory usage when an OpenType font
 * is downloaded as a Type 1 font. */
-/*postV2Tail v2[VAR];*/
- DEFINE_SIZE_STATIC (32);
+ postV2Tail v2;
+ DEFINE_SIZE_MIN (32);
 };
 struct post_accelerator_t : post::accelerator_t {};
commit 4111c3b8cd1b1c44f722877614ec1ee25111e78c
Author: Behdad Esfahbod <beh...@behdad.org>
Date: Sat Nov 10 00:26:36 2018 -0500
[post] Move sanitize close to data fields
diff --git a/src/hb-ot-post-table.hh b/src/hb-ot-post-table.hh
index b7913773..bbde8d83 100644
--- a/src/hb-ot-post-table.hh
+++ b/src/hb-ot-post-table.hh
@@ -73,19 +73,6 @@ struct post
 {
 static const hb_tag_t tableTag = HB_OT_TAG_post;
- inline bool sanitize (hb_sanitize_context_t *c) const
- {
- TRACE_SANITIZE (this);
- if (unlikely (!c->check_struct (this)))
- return_trace (false);
- if (version.to_int () == 0x00020000)
- {
- const postV2Tail &v2 = StructAfter<postV2Tail> (*this);
- return_trace (v2.sanitize (c));
- }
- return_trace (true);
- }
-
 inline bool subset (hb_subset_plan_t *plan) const
 {
 unsigned int post_prime_length;
@@ -265,6 +252,19 @@ struct post
 hb_atomic_ptr_t<uint16_t *> gids_sorted_by_name;
 };
+ inline bool sanitize (hb_sanitize_context_t *c) const
+ {
+ TRACE_SANITIZE (this);
+ if (unlikely (!c->check_struct (this)))
+ return_trace (false);
+ if (version.to_int () == 0x00020000)
+ {
+ const postV2Tail &v2 = StructAfter<postV2Tail> (*this);
+ return_trace (v2.sanitize (c));
+ }
+ return_trace (true);
+ }
+
 public:
 FixedVersion<>version; /* 0x00010000 for version 1.0
 * 0x00020000 for version 2.0
commit e26e6dbb336e48a5898738dbbd9e56e3a00b7bed
Author: Behdad Esfahbod <beh...@behdad.org>
Date: Sat Nov 10 00:19:50 2018 -0500
[post] Remove unnecessary hb_nonnull_ptr_t<>
diff --git a/src/hb-ot-post-table.hh b/src/hb-ot-post-table.hh
index 18f9976b..b7913773 100644
--- a/src/hb-ot-post-table.hh
+++ b/src/hb-ot-post-table.hh
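Review bot: Declaring `postV2Tail v2;` as an ordinary member in the first hunk drops the information the removed `/*postV2Tail v2[VAR];*/` comment carried — that the tail only exists when `version == 0x00020000` — and now reads as if every post table had one, while `DEFINE_SIZE_MIN (32)` suggests `check_struct` vouches only for the first 32 bytes and the accelerator hunk in this same commit tests the version before touching `table->v2`. I'd keep that contract next to the field: `postV2Tail v2; /* Only valid when version == 0x00020000; test the version (or rely on sanitize) before reading it. */`. The enclosing `struct post` starts outside the hunk.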
@@ -259,7 +259,7 @@ struct post
 private:
 hb_blob_t *blob;
 uint32_t version;
- hb_nonnull_ptr_t<const ArrayOf<HBUINT16> > glyphNameIndex;
+ const ArrayOf<HBUINT16> *glyphNameIndex;
 hb_vector_t<uint32_t, 1> index_to_offset;
 const uint8_t *pool;
 hb_atomic_ptr_t<uint16_t *> gids_sorted_by_name;
commit 6b8178c6499f8d0ee45a57332af778af0e48d1b5
Author: Ebrahim Byagowi <ebra...@gnu.org>
Date: Sat Nov 10 02:42:08 2018 +0330
[glyf] minor
diff --git a/src/hb-ot-glyf-table.hh b/src/hb-ot-glyf-table.hh
index d2a39f23..0623be89 100644
--- a/src/hb-ot-glyf-table.hh
+++ b/src/hb-ot-glyf-table.hh
@@ -149,7 +149,7 @@ struct glyf
 };
 HBUINT16 flags;
- HBUINT16 glyphIndex;
+ GlyphID glyphIndex;
 inline unsigned int get_size (void) const
 {
_______________________________________________ HarfBuzz mailing list HarfBuzz@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/harfbuzz
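Review bot: With `glyphNameIndex` demoted to a plain `const ArrayOf<HBUINT16> *` in the first hunk, nothing here says when it may be null, which the removed `hb_nonnull_ptr_t<>` expressed through its type; the accelerator only assigns it after `if (version != 0x00020000) return;` (visible in the b308aaccf hunk above), so for 1.0/3.0 tables it is presumably left at whatever the initializer wrote. I'd document that on the field — `const ArrayOf<HBUINT16> *glyphNameIndex; /* nullptr unless version == 2.0 */` — and confirm the initializer, which is outside this hunk, does set it to `nullptr` before any lookup dereferences it. The enclosing `accelerator_t` starts and ends outside the hunk.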