From 875985cd481f1609d10ad0472f1e77af075c93bc Mon Sep 17 00:00:00 2001 From: Ebrahim Byagowi Date: Thu, 29 Aug 2019 14:51:22 +0430 Subject: [PATCH] [subset] Don't allow malicious fonts to insert unlimited table headers Fixes https://crbug.com/oss-fuzz/16810 --- src/hb-subset.cc | 5 +++++ ...minimized-hb-subset-fuzzer-5675720390475776 | Bin 0 -> 299037 bytes 2 files changed, 5 insertions(+) create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5675720390475776 diff --git a/src/hb-subset.cc b/src/hb-subset.cc index c0752acc1..292a01000 100644 --- a/src/hb-subset.cc +++ b/src/hb-subset.cc @@ -238,6 +238,11 @@ _subset_table (hb_subset_plan_t *plan, static bool _should_drop_table (hb_subset_plan_t *plan, hb_tag_t tag) { + if (!tag) + /* Drop tables with no tag as that means table header in + _hb_face_builder_reference_table */ + return true; + if (plan->drop_tables->has (tag)) return true; diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5675720390475776 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5675720390475776 new file mode 100644 index 0000000000000000000000000000000000000000..3881fbe614c7a00662cdb9ba3f1f54910414b357 GIT binary patch literal 299037 zcmeI*4SW8KT6~ zB|Yy0u0HJPaxCY%>IsLtivs#^?s_8NE{nIyAp){;o*?nF*#k{P5L}bV^RG^TBp9DO zY7q5Tn(FSV>guX*b!NhJ^)x9&j?W2ApOg0gN@~3ikx@mYk6++g=%EDuj}kVjM9B-v z?k%~j;^7)1IzqXkthCZKPaX8yPq^$dPRlMWo$pFnDE@)BkMVZ@Qg>z5s8^c)7jJLp z?W@Wv=DPHK##6j~l7>*a+g0VEp7b5K zy-n9Y_vq?Z?me{P&&rtJ#J9wcZKkBA7%7xQ^Ef76PNx@0b(gtEP&b_u?4aD5dxL}0 ziJFo~aEivU!COtdR9d!Vx=hhXC7pYk=&rrjopP_sQ?anpRaWUPyVp%628-4lu5m509{3@qEN!XBrdCx+BA=94OvG=Abh;92I9J_w4Ac$ z&Ryi8F{KB~O6XdTZ+;0)tX!Ct>7bDp_3NwszRLg6>o2@tm$9&V#e|ohxaZ&JJ)?~O zgVJA_yz0zgKCrB#!HmCEs{Co?Q|>vxE2pDPO5?A^i?qymfG%a1o`#avBP%m|)X0IO zdt91k^y@od)X2t7E0W6=EGSD}apXruMca%AdJi3a``o#=j~?24a?XnN>sL&+VGEmT z6ZaVpr~_=`1QLl;PNf?Q9WtFyY94c;ACmC#zcjw3y!U=N_2)$6(zG5UvokYC4H!6p zkJx>5*2#PS=kVWZ4>k@hsVFaZd0fNY#+~!;ymL_AwL_*~|6Y;*jn;ov|!ze`|hsFe)`2NPYf8y?YSi$R$mh3@+4B!i)9x_ z_vFs0e5gxQ?UTr(VLr4OGFg^h0|$d=sU zaZx^>{iI}PQ)>51H&FuDMWaRzV6W~BmT+;OflBu10Ry@A{<8Y4OeMQJ=lAQ&eeACB zGQvyQfB~GX7zs+xYqR=jea9`CzODAB{_$guC|1+;51DfcXDf?|mgKv_^CM5~h;RSx z$FKU8`xZSIUAX9{k%mbN?q60t=vUW`35P`YH@7wZR=MT3$~rN4`0)6bIM(bhd#r|c z*TmnMlcZevVdXnFyUOCnm;Jo%7XGEJ?UpqraZvVJCI8K29&8y_|I4~vzxwC+VfA;{ zKlj+9@xMQkc!$#a`G*?*c1dc+Y$1OaNojhs@h$b&_Gvd_%$Ns_jjmf-4fu$R^jCgu zME~`bD+g~cSvYCg<2>G>xJCC|T(z!wyk&uZeTC16GX+|o5c0%y$lw2NWbrFU@#Kk< z@~JP4YodhBoHuxKM!}3*HchDE6Y>a`@=Ts_Q{L0J9r&0i@wUHDIB}w2#<0vq+R^*? z1v|Y->AiEV+vQ2QwHLqG{(roHSO2p5sp>V=&s1-y-dO#+>X)jwRR6L1wd!5fyQ>dW zAFi&i{zcT)#`3tYW1|TtZZwXb&Zv8U2hdxGp*UyEtYAytP0C#Ra*C0Ke0mA z66*nLxwXPtY5mfA!dhiLZ9QwPx1P6tZ@pq|vtF}ySbMF%SnpT|ts1M&`p7zFowOSK zs$cgf`Fr^X`G@&O__O>!@?Yzp=AZ5_^w03m_uu6&_j~+R{%U`~AM-Eu|8M`#{VV;C z`XBfIi+_!Oo&P!i|M9=%-|FAyf7SoG{|*0}{(b&;{fGST`)mFGhJYSO z2qXu(1yTdu13dzl2d)eZ4qP3`3XBT;D3BAF9GD%L6POn$36uuz3X})DfqMc~fyIFb z0uKiMG4PAPF9WLrYXi>))(4&oybyRX@KWH9fj0tg2Hpzn54;t3o3}*Mz2qriW&QZVkCYb3-MevXD1) zcjzBN4}_M59tr&-^l0c;p(jEcLNA0~480usL+I7epF?ki-VPlJeHdy8Q~2WWCE=do zUf}`Zq2W>CYr?tV>%vpQ)5EjErD1n?ao7rn!qM>3@FU@W3jZR!nomLg9r#Qc#OIql z_2>$IyCUjEW9^(I>PLe}nO9O)$!}DGc!QVxigq!j$agNEr?iCMaOJz9A>XUGh(cHM zkIL_3q@>E#c+-id&AdZ0@8I)<*My%5ZwbE|em(r3;djC{;lG7Xgg*^`7EvQcBq`D> zGBonzNMYp0$SslEB4*^Sh&OU?8BMV^lQCh}}#W8@E!ZIM?ae~!E!`AcMf zE3GWuNf_t8H@w?%hG4@B#tN24dApGH56#$$RcC3b17Z)`+t zTr4M+AG;w|6q^;hId*Hz8FR(v#!6#%#XPY^v7f~Ju~_VZ*n_cuj4hA-BKBnLH?e18 z>toNy{w?-$Y)kAvW4mMj6?->!FjgBo8ao+lSR$4rEJ<3Dyd-r=_a#zW|E6CizWaaY z@u@APIpA-+FZ>&CBmTzwj{c4JrT^~2-*_GUjaQZR>)&sFlK<%EAYWZBqyl~;oGsrB zPyHLNwv+#cixOR{{J7meYDbM6Gba1?;lqcI7fP<3#wLRUV#Qg44R$b@DDUEfT~meUCKT|vX1Ho zbfNRytTVUh*!xlL#JmEYo0Us>>f7<7vYARja}Kw9zxo)j^Mo>PcA>J>?vBMN(ndBe zjbquCG!l;ft!0j%lIeU|M>|HY)~@^14GUu@D_a3bB;GH?nH zoecUOuJhEu$?ENav$L9`HngqM?bY0~P7O|OdulWvfopDc9Jz1%gGT9BCGtyzeI^PTr#Oq&)CS`5!SQ%pQ)>7wIwf(?nA>^yj6{{o zaZv1z%g#47)ipJ_T}R6KWrS-`?bYUt&xt$RB$PWJ1X>2Ld0<-_GR5Rvwi>o?1kk>EP>c_mFGKO!diL3wkadP0rp|y!-;}qPg}<0WZCO^6v2N^zQQR@xJ9f;Qg!j1MhKfgO7ZM zFU6PYyWDqf+C11d)R*bY_KovR@J;dE;4AXo?7P+HbiU@?b#5Baj* z|tJJUSa;w9AXYNhnZPswt0=2V@@(Bn>U!#%^S^G z=A15XA`Son2tWV=5P$##AOHafKmY;|fB*y_009U<00Lj5z$fR;HMy^`Q>Y385P$## zAOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;| zfB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U< z00Izz!1qnya~^ZpvXLwtkAL%;JY)QWre_vr`X6ZPhH<6dBq- znpHNhZRqqdx^uZ)2;xSi#n}m@E-HdYadr_bs)YaqAOHafKmY;|fB*y_009U< z00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa z0SG_<0uX=z1Rwx`?~%YKP2Z!=qN@;q00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHaf zKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fWY@n zVDa~@!{{#rAOHafe6heIbb>sJU1nGMXt^9fTKo+|kf>j2Cnt{07*gu4tV&(4<`OA% zd8ZPj*a`?LdEtyZrkHj+pbsUlrCn)^tH#S~E}W{YA`D#nT` zVTqVnCRT{Y#Tv0rY!chV4x%LLM}tV2M3g~^B#1Y7nM!mqCG(2nODHbq#wN+m^N-HO zbka!WH2E_@?xJ0y22}^=Ds<(;EA?wVzWF6Iv2tNnrh`Ua)NevFg062SWy@)V`L2|O zV%W1>=hpVeN z*|5vgg>oO#mdDp~j>YMm&nYA2+F3!BWv}KAr137C>yjk~whJvsvv)pe$AVk1oe@c0 zs?O$=Y0XQ;q)eq3rwUcmg|4cCi!_IpI&vrG6;KZ4Ql9#D{HScEQgFJ+e)Tb4A80qb zP}ypC$Kn)eBO8~-v8*SJgrk3Jnd7HqI$ze&j*+Xi>+VJtAEkKm*h%>nk-AJCiX6@< zpE5JIsO}l>a^7CY+kt`^!&-XeDCOAFC(?Z_1E=uN$)NAyI!_Iptll0tJF7WrL)$9dUd=u0)ZpZ{r$+M;xaQ{L zw66i%5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$## zAOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0ucCC3#7EPp6?$=fB*y_009U<00Izz z00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_< z0uX=z1Rwx`FCl>Yw7vuyc7Xr{AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z z1Rwwb2teTc7Wky;{B9pw2LT8`00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHaf zKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafK;SC~EdC1n zVpj-200I#BdIX$%o%@~dI1f4xIp234c7Evm$a%u~nX}PUO~Xt!dzhD*SC~IEhnPdn zVP=+@ZC+#Mn3K%O<_+d_^G0))Ip^zX2Wo);1Rwwb2tWV=5P$##AOHafKmY;|fB*y_ z009U<00Izz00bZa0SG_<0uX?}w_G5lrTyYt-VZb%0uX=z1Rwwb2tWV=5P$##AOHaf zKmY;|fB*y_009U<00Izz00bZa0SKHH_@wFdDpnu>0SG_<0uX=z1Rwwb2tWV=5P$## zAOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;| zfB*y_009Vm*8~=S*E)p$KmY;|fWTK1c!W-nN3rYJl|EW72apzj!w@9uSK7&mV>5=7 zx+|+v*Q>ci3SHhR&=p+dI+uIC-fvaIKHaJ)m~+RhyDO&FJhc1ddz-F*?$Omhuk;HMbk<4+LF^V*!*r?=qkx@m8*h?O& zp(AuGUn6b0)-Y2uwGypdyI)(Xt!iTcqXQYH~)P$KbjSq2d=Q;9C7WL{Bx z3B~2y*d*C`{?WOZP8zA4CVwW#U9?Nopz7dUg|2*frGBl)H@}1?RxZrSbkN9)`b}s? z(DluvY&nfE-<7gZ411QVJjQ$Wm+T^s3b~T)iQKHRin%VDN+Njp6oZzWgSm{Z~zmq7Lcc(Gj7TKP>l)mnl=Ug=1+NAASD0?MIW%2VHtAC=8i z3QiZ1MOxPDqHRDSeznlWaH8}mi45OaP)62bNrM{=gT_UF>L z8l2qr)M!2e*WBtja^LpHvFqcgiNmRNEFk~^2tWV=5P$##AOHafKmY;|fB*y_009U< z;QSSkpXZ+I(2<6ES0_UU4VLw``rNwpB@vk=KR)k*&+CGlk( zg|C3Aygq_2%yc$rlzx@0#lFHLXq@6KT2mW{#|OvbaZRa7=OIWOH0E}`EMg?8_O&-Y z%$c#QYie@4j+Ao~xCYf;J(JmPt+P!+x${AwW$>B@wxvO1*REYl{J#u*@~NqAmt1Xk zo$(7d`Lc86Q5oc^MYNd?zW#O(xu(oipX{}u=i&i%R}anMYm0V}mkZ@jZ;s_}g8Fc)WJ9E;2U-L%Zl2+3bvYA&sp-zmN?)Wb=osw8v+o300bZa0SG_< z0uX=z1Rwwb2tWV=5P-mUQJ~#7m7J5!jvVogI&Ed}jXE8kj%}f^b$$!r8+AG{KKMqR zP9Swr5qzUg7r~-h2tWV=5P$##AOHafKmY;|fB*y_009Vm1p(X?`xWr8D+C|_f$yRK zZi>ZCvA8J~H^t(n*ze-2JNg6x2teR`7r+EgOyE4<&(Th`4-+^$!GsB%oj~fMBACG0 zMX;zA0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z z1R(JJ6-a66`dLrt`~H%k=MaDZ1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz z00bZa0SJ8C1wLu|w)X(-hX4d1009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$## zAOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##Akd+};tq3= z0Rad=00Q4jfk)^Bc@(?ryV6I?xl>UuSoNTJJH1-gQZ zT<3Dn*ZZw%*r!_+1#|A0b$7+onum6ud~ehB&po>O2X-AqeOi_=QuGb_297uDTR1+h zf68%#-av{$2G?&4Hj+3_Hj+6`Ge(hS6dRQsFEXk~5qrr)HFSiIB7<6M>;H~h(a-26pKbM9L(h3`!(^F3TX|Wh&9dl*}uNFQK@c8=E9M&p$dB(@7(h z)8x+txr=s*8dM#etI(AXuhg&g_~w_;#L9(PnGPCxQNIbz2)e$Rlr5(b=DSiBieb-k zmB)C`{*qnfQ6X2dJ&~JLRx#H_Q|V_!YO?H)+g0VE3+PhLpTe7ta@WHvYpM^8R~yxO zl@mM_3oAVd`F9c}^X@c;+alYOm(th$@|=st_aRNIWpmo2w&*y5b+nOdAFi(AWWz2` z7s`D|TOMD}ITojLKBtV7Yi9*jmc5!gkjA@ku1l5}*e9Sd&3c19$1sXCie zrZq1WlQNZFoGMgJ7rLqnF47!Y>d2j#S3o(GOL^+s@uRYtO2O$O`_;#IeW2a!LS?Jn z9g9<>jci;R$FiO@5{~|@WsaYc>3ms7J4UY7uDcsqe3atJV<+WTMCvkmC~`Qbe9Fw+ zqPl0i%XxbpZwCry3~T9;qm;Lc=ek`UDkAp)0w^<*UE#V?R-fgkQ6uY#P0A zX55q!oJjYz44lG4CxgC+>pV4ZvU+>q?5yUf4Q;D*do}m0Q-hP+o*Kmqm<3)xP$|hdDErbxlof*O78=0@tA0 zt7kIXt#!6ZD0e;xvXW?|^jtik?&_gAd~MMV@^Yd4>CLhHt&mH3{dXdt=^4EIrh~!lQ22Mw zMRV;-Y`paT$-Be5)4R*N$NQG|fcLN754^{{4L5ybBHbv}eLL1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa z0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00IzzKpO!(s-_JGHXr~2 z2tWYeY=Un#!8e=Wn@#Y|CU`G^00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOL|g0_`3F za!xkS9KG!t9#zxU1COfd@N{eog{|{j0FSEa#Q5M*HJw1}q9S-yjlO{&{Ipr$!trta zQ;r+-22u<%_`y%cU?Yj+WFwj5G-DKLMzK-J@gk#&6tR~)R6|GTSiVNubgf~gW@;r` zxpu#{R9m5~)}Gh4YCE-k+5xRrtJe}6NhFF?kuDtafl(X|iz%W|%ofF>RE!l>!V;L! zfe9U$(18gZ&94uLApijgKmY;|fB*y_009U<00Izz00bZaf%8nD!z;I4n9&gd<`uM+ z!MuVFPr|lP*gC%jFt4B!*{ zx-g?7Hhh59Rt6tnb$AlCg~HbPEr1WOIx#-@0IL&7T~y?}`Tz^xbc!2eaAOQ^jKPgD zUG!>?Y9Rmt2tWV=5P$##AOHafKmY;|fB*y_0D*HN(BTE%F3jktW0-!>RtD1#Iy?#6 bLSgIt6u`8DPK*nt9drVzi;8^pX$Suog^Wb3 literal 0 HcmV?d00001