Commit Graph

223 Commits

Author SHA1 Message Date
ariza
1ab3924b31 refix PR #2087 subset PairPos1
also added oss-fuzz 20211 data fixed by this
2020-01-23 10:50:52 -08:00
ckitagawa
b18cb5b5ee Add second fixed test 2020-01-22 10:11:15 -08:00
ckitagawa
8614a30bc9 [subset] Fix sbix fuzz problem 2020-01-22 10:11:15 -08:00
ckitagawa
6bcf57eaa3 Simplify copy and add fuzzing coverage 2020-01-15 13:36:01 -08:00
Ebrahim Byagowi
dc03a993d0
Fix collect lookups logic of FeatureTableSubstitution (#2097)
https://crbug.com/oss-fuzz/20036
2020-01-12 14:21:29 +03:30
Ebrahim Byagowi
a32ecc15ae
Fix collect lookups logic of FeatureVariationRecord
As "Offset to a feature table substitution table, from beginning of the FeatureVariations table."
from https://docs.microsoft.com/en-us/typography/opentype/spec/chapter2 the record should
match its sanitize logic not the reverse way.

Fixes https://crbug.com/oss-fuzz/20021 and https://crbug.com/oss-fuzz/20022
2020-01-11 15:37:24 +03:30
Michiharu Ariza
d2ab1ec65b fixes oss-fuzz 19978: Null-dereference READ (#2091) 2020-01-10 07:54:16 +03:30
Ebrahim Byagowi
257a197ae7
Fail serialize when map has incorrect value
fixes https://crbug.com/oss-fuzz/19956

am not super happy with the fix, guess we should do some check
before the memcpy anyway as @blueshade7 thinks also,
so let's have it or revert it when we have a better approach for the case.
2020-01-09 22:55:45 +03:30
Ebrahim Byagowi
8ed46c3678
[fuzz] minor, add another already fixed case
https://crbug.com/oss-fuzz/19907
2020-01-07 23:43:53 +03:30
Ebrahim Byagowi
341407f7a5
[fuzz] minor, upload another fixed case
https://crbug.com/oss-fuzz/19878
2020-01-07 09:10:24 +03:30
Ebrahim Byagowi
7950beecfc
[subset] Fix null pointer dereference in hvar/vvar subset (#2085)
Rest of the code assumes there is at least one subtable, lets return here if not.

* https://crbug.com/oss-fuzz/19827
* https://crbug.com/oss-fuzz/19847
2020-01-06 21:25:00 +03:30
Ebrahim Byagowi
64a45be519
[ubsan] Don't decrease pointer if match_glyph_data is null (#2048)
Similar to fix on https://github.com/harfbuzz/harfbuzz/pull/2022

Fixes https://crbug.com/1023070
2019-11-09 12:25:33 +03:30
Ebrahim Byagowi
84b86a12d9
[fuzz] Remove just added case
It didn't fail locally but on bots causing timeout, let remove for now.
2019-11-06 09:22:34 +03:30
Ebrahim Byagowi
a8f049c9a1
[fuzz] Upload testcase of https://crbug.com/oss-fuzz/18529
Apparently false alarm per last comment and was ok locally also but lets have it here also
2019-11-05 22:26:36 +03:30
Qunxin Liu
defe9b6da0 crash fix : Heap-buffer-overflow READ 2
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18513
2019-10-25 13:09:47 -07:00
Qunxin Liu
b2fcca6e14 fuzzer crash fix
https://oss-fuzz.com/testcase-detail/5643107869917184
2019-10-24 16:11:30 -07:00
Ebrahim Byagowi
9815ca0338 [ci] Use custom subset fuzzer timeout for failing sanitizer bots 2019-10-25 00:16:23 +03:30
Garret Rieger
95ab110cd9 Optimize intersects_array to fix fuzzer timeout. 2019-10-22 13:33:50 -07:00
Qunxin Liu
b33a0d628e fuzzer crash fix: Null-dereference WRITE
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18363
2019-10-22 01:01:08 +03:30
Ebrahim Byagowi
e766783152 [fuzz] Add https://crbug.com/oss-fuzz/17898 testcase 2019-10-21 22:17:06 +03:30
Garret Rieger
831daf4c76 Enforce HB_MAX_LANGSYS limit during layout subsetting. 2019-10-18 15:10:30 -07:00
Ebrahim Byagowi
0665dce116 [fuzzer] Don't process output in debug mode as it causes timeout 2019-09-21 17:36:33 +04:30
Ebrahim Byagowi
d3b984d379 Revert in-house pow10 (d80a3ea) and fix oss-fuzz/16922
Probably can be fixed but merging it was wrong so let's revert.
2019-09-02 18:28:03 +04:30
Ebrahim Byagowi
875985cd48
[subset] Don't allow malicious fonts to insert unlimited table headers
Fixes https://crbug.com/oss-fuzz/16810
2019-08-29 14:51:22 +04:30
Ebrahim Byagowi
269a120f13
[subset] Raise the bar in new vs old table size
https://crbug.com/oss-fuzz/16740

This is actually an interesting thing that {h,v}mtx allocates as
much as a font pretends to have glyphs but the solution is not
that obvious as regular fonts can have less than actually containing
metrics in their {h,v}mtx. This change raises the bar to consider this
hmtx 4 byte for every glyph case.

Initially we wanted to just find things allocating crazy amount of
memory but having the assert has led to interesting findings also
so let's don't remove the assert and see what we can find elsewhere.
2019-08-25 20:37:00 +04:30
Ebrahim Byagowi
28aba780c4 [subset] Fix blob leak of _subset2 when returns early
Fixes https://crbug.com/oss-fuzz/16639
2019-08-24 16:11:21 +04:30
Ebrahim Byagowi
b31d627f15
Increase subset fuzzer timeout to 16s
To satisfy -valgrind and -tsan bots, very ugly
2019-08-11 23:34:48 +04:30
Ebrahim Byagowi
e21bdf500d
Increase subset fuzzer timeout to 8s
Probably we should just remove timeout when running tsan and vaglrind here, the flaky bots
2019-07-28 22:59:09 +04:30
Ebrahim Byagowi
bdfdac0f26
[ci][fuzzer] print valgrind failure if an error happened 2019-07-19 10:33:00 +04:30
Ebrahim Byagowi
f8242b61ab
[fuzz] Increase subset runner timeout for tsan bot
Now is flaky let's just increase and maybe investigate later
2019-07-11 15:10:36 +04:30
Ebrahim Byagowi
b65bad18aa
[fuzz] Don't fail when blob is empty
And enable more tests able to trig the issue.
2019-07-11 14:31:55 +04:30
Ebrahim Byagowi
c85f624b51 Force blob generation and memory check in hb-subset-fuzzer 2019-07-10 23:38:07 +04:30
Michiharu Ariza
8341c0b304 add test case file 2019-06-27 08:43:31 -07:00
Michiharu Ariza
90872a29ee change assert(false) to failure 2019-06-11 12:42:28 -07:00
Michiharu Ariza
65e66a2d37 added test data 2019-06-03 16:31:41 -07:00
Bruce Mitchener
5846884f86 test: Use nullptr in C++ code. (#1744) 2019-06-03 12:30:25 +04:30
Qunxin Liu
e1a5ce6aa6 Fix fuzzer crash testcase
Add a check for stringOffSet(uint16) overflow,
return early if overflow happens
2019-05-24 15:26:20 -04:00
Garret Rieger
0ff3618c2d [subset] Use hb_subset_input_t inside of subset_options_t so that input defaults are shared between the library and cli. 2019-05-20 13:35:46 -07:00
Behdad Esfahbod
9ef241cd40 [test] Add one more 2019-05-20 11:38:02 -04:00
Behdad Esfahbod
3efb7af7e2 [STAT] Fix sanitize condition
Oops!

Fixes https://oss-fuzz.com/testcase-detail/5696825891225600
2019-05-20 11:37:16 -04:00
Ebrahim Byagowi
30c059a978
[test] minor, fix -Weverything bot 2019-05-11 18:48:41 -04:00
Ebrahim Byagowi
25531a3039
[test] minor
style fix and add return statement
2019-05-11 19:50:42 +00:00
Behdad Esfahbod
25a5b287f2 Fix sanitize fail of extension sublookups
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=960331
2019-05-10 16:03:20 -07:00
Ebrahim Byagowi
df237d2fe7
[test] Add https://crbug.com/oss-fuzz/14641 testcase
As 503748d fix
2019-05-08 14:17:14 -07:00
Ebrahim Byagowi
6d6edc8b25
[valgrind] Use libtool and support run-subset-fuzzer-tests (#1668) 2019-04-28 11:54:07 -07:00
Ebrahim Byagowi
62c6e17072 [test] Add crbug.com/oss-fuzz/14474 testcase
Fixed at 6977a95f
2019-04-28 10:55:07 -07:00
Michiharu Ariza
ba0386060d fix oss-fuzz issue 14345 2019-04-18 18:18:05 -04:00
Behdad Esfahbod
b7384c89e2 [fuzzing] Run valgrind with --leak-check=full 2019-04-15 16:53:10 -04:00
Behdad Esfahbod
3ff66c0029 [fuzzing] Fail if valgrind is requested but not found 2019-04-15 16:52:21 -04:00
Behdad Esfahbod
ec2a5dc859 Use class templates for Null objects
This allows partial-instantiating custom Null object for template Lookup<T>.
Before, this had to be handcoded per instantiation.  Apparently I missed
adding one for AAT::ankr.lookupTable, so it was getting the wrong (generic)
null for Lookup object, which is wrong and unsafe.

Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=944346
2019-03-26 16:23:40 -07:00
Michiharu Ariza
bcb4e505d6
cff2 subset fuzzer issues (#1619)
* add check to FDArray::serialize

* add test files

* fix off by one
2019-03-15 13:46:25 -07:00
Garret Rieger
dc04261a5b [subset] Update the subset fuzzer to determine which options to use based on data in the fuzzing test case.
Add support for toggling retain_gids.
2019-01-30 15:23:19 -08:00
Behdad Esfahbod
6879efc2c1 [AAT] Fix anchor bound checking, again
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12532
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=922303
2019-01-17 14:08:02 -05:00
Behdad Esfahbod
91d774712f [test] Add test for previous commit 2019-01-14 15:31:31 -05:00
Behdad Esfahbod
7a6686a589 [AAT] Fix mort ContextualSubtable offset access
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12312
2019-01-14 15:09:14 -05:00
Behdad Esfahbod
a3fa7d3336 [AAT] Fix ankr table access
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=918340
2019-01-14 14:37:36 -05:00
Michiharu Ariza
798e98c47b [CFF] bad offset in Index (#1476)
* Update hb-ot-cff-common.hh

* fix bug

* bummer fix wasn't hit. refix

* additional sanity check

* Added test cases for oss-fuzz issues 11805, 11806
2018-12-12 21:08:15 -05:00
Michiharu Ariza
bcb4ecaf68 [CFF] check out of range FD index (#1477)
* add fd index checks to subr subsetter

also added oss-fuzz test case

* undid SubrSubsetParam::is_valid

because already validated by SubrClosures.valid
2018-12-12 20:36:01 -05:00
Michiharu Ariza
2941208f1e [CFF] oss-fuzz issue 11690 ASSERT: substr.offset >= opStart (#1461)
* fix oss-fuzz 11690: substr.offset >= opStart

detect recursive subroutine call & handle as error

* fix build failure

* add minimized test case for oss-fuzz 11690

* removed asserts
2018-12-11 15:21:24 -05:00
Michiharu Ariza
ae087d10c2 add minimized test case for oss-fuzz issue 11714 2018-12-05 21:47:34 -08:00
Ebrahim Byagowi
f95324a335
Merge pull request #1457 from harfbuzz/cff-varstore-sanitize
[CFF] oss-fuzz issue 11713 (CFF2VariationStore::serialize)
2018-12-06 08:33:44 +03:30
Michiharu Ariza
9d8f3b0dfb add minimized test case for oss-fuzz issue 11713 2018-12-05 17:14:51 -08:00
Michiharu Ariza
34e3ef8ff3 Merge branch 'master' into cff-subr-sanitize 2018-12-05 15:50:05 -08:00
Michiharu Ariza
72d8f76368 add minimized test case for oss-fuzz issue 11691 2018-12-05 15:49:11 -08:00
Behdad Esfahbod
d9dabc00e9
Merge pull request #1454 from harfbuzz/cff-fixbcd
[CFF] fix oss-fuzz issue 11674: parse_bcd
2018-12-05 15:39:34 -08:00
Michiharu Ariza
6708c5595f fix oss-fuzz issue 11675 (ASSERT: count <= str.len)
Also added an additional error check to avail ()
2018-12-05 12:51:18 -08:00
Michiharu Ariza
010e2ddb38 minimized test case for oss-fuzz issue 11674 2018-12-05 12:23:58 -08:00
Ebrahim Byagowi
79e7e3445e
Merge pull request #1449 from harfbuzz/cff-fixcharset
[CFF] fix for oss-fuzz 11657: Charset overrun
2018-12-05 13:25:18 +03:30
Ebrahim Byagowi
cf4b7db6b1
Merge pull request #1448 from harfbuzz/cff-leak
[CFF] fix leak: oss-fuzz 11662
2018-12-05 13:23:23 +03:30
Michiharu Ariza
32cc46c75a [CFF] fix oss-fuzz issue 11670: NULL dereference (#1450)
* guard against no subr access

* code tweak

* add minimized testcase for oss-fuzz 11670 (Null deference)
2018-12-05 09:02:34 +03:30
Michiharu Ariza
78f639b8bf added minimized testcase for oss-fuzz issue 11657 2018-12-04 14:17:03 -08:00
Michiharu Ariza
b61f74f69a added minimized test case for oss-fuzz issue 11662 2018-12-04 10:30:35 -08:00
Michiharu Ariza
9424e80526 added minimized test cases 2018-12-03 16:18:10 -08:00
Behdad Esfahbod
84efe0438e [aat] Fix division sign fallout
Happened after 11d2f49af8
since now nClasses is unsigned int...
2018-12-02 12:39:14 -05:00
Behdad Esfahbod
1204a247a5 [fuzzing] Add tests for previous commit
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11526
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11522
2018-11-24 09:49:21 -05:00
Behdad Esfahbod
2c8188bf59 [kerx] Make sure subtables are non-zero-length
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11400
2018-11-22 22:02:19 -05:00
Garret Rieger
8982830d3e [subset] add fuzzer testcase. 2018-11-22 21:30:01 -05:00
Behdad Esfahbod
5212cd8af2 [fuzzing] Add new test 2018-11-12 14:25:18 -05:00
Behdad Esfahbod
d6666b3866 [fuzzing] Remove limited-edition build of libraries
Use normal, production, shared libraries.

Fixes https://github.com/harfbuzz/harfbuzz/issues/1237
2018-11-12 13:21:14 -05:00
Behdad Esfahbod
a549aa14a0 [kerx] Protect against stack underflow
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11367
2018-11-12 13:02:39 -05:00
Behdad Esfahbod
752bd8a192 [kerx] Fix Format1 tupleKern sanitization
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11312
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11305
2018-11-10 21:13:32 -05:00
Behdad Esfahbod
f9e0552deb [fuzzing] Make "make lib" faster and more usable 2018-11-10 21:06:56 -05:00
Behdad Esfahbod
3a9fa8c026 [qsort] Fix O(N^2) behavior if all array elements are the same
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11327

Reported as https://github.com/noporpoise/sort_r/issues/7
2018-11-10 01:58:26 -05:00
Behdad Esfahbod
0bf76154f1 [fuzzing] Take whatever text we can 2018-11-07 19:12:27 -05:00
Behdad Esfahbod
8790b2740a [fuzzing] Fix test 2018-11-06 10:24:54 -05:00
Behdad Esfahbod
3af0a7edd0 [fuzzing] Add make check-valgrind 2018-11-06 10:20:57 -05:00
Behdad Esfahbod
6482fda519 [fuzzing] Fuzz glyph-id etc in test-ot-face 2018-11-05 15:03:18 -05:00
Behdad Esfahbod
bce437cf0b [test] Call test-ot-face.c test from hb-shape-fuzzer
Should increase coverage...
2018-11-04 02:53:25 -05:00
Ebrahim Byagowi
c560ca9251
[fuzz] A new testcase 2018-11-03 13:03:36 +03:30
Behdad Esfahbod
69297bb216 [fuzzing] Call hb-ot-color API 2018-10-30 19:07:38 -07:00
Khaled Hosny
0af3d176a6 [sbix] Fix memory leak in early return
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11210
2018-10-30 17:05:28 +02:00
Behdad Esfahbod
ad3cededdd [fuzzing] Make test runners less verbose 2018-10-29 22:53:16 -07:00
Behdad Esfahbod
12058e44d1 [fuzzing] Add more test 2018-10-26 21:22:26 -07:00
Ebrahim Byagowi
0229eaea29
[fuzz] Add a found hb-subset testcase 2018-10-22 10:51:37 +03:30
Ebrahim Byagowi
9b3461574f
[fuzz] Add more testcases
Fixed already but better to have anyway.

One didn't have minimized but it was only 164 B, so
2018-10-21 11:37:38 +03:30
Behdad Esfahbod
217a3728b4 [fuzzing] Add more font 2018-10-20 20:39:56 -07:00
Ebrahim Byagowi
d39acc5a95
[fuzzing] Add new testcases 2018-10-20 12:20:30 +03:30
Ebrahim Byagowi
964ae32aac
Run valgrind on run-shape-fuzzer only when RUN_VALGRIND is set (#1285) 2018-10-20 07:39:18 +03:30
Ebrahim Byagowi
b7cef8cb1d Enable valgrind and dedicate a bot to it 2018-10-19 09:39:36 +03:30
Ebrahim Byagowi
bccd09d6c7 Minor, tweak spaces on hb-shape-fuzzer.cc 2018-10-19 09:39:36 +03:30