src/hb-ot-layout-gsub-table.hh | 6 ++++-- test/shaping/fonts/sha1sum/9d8a94a67932a3ab75a596fc8b5c6d0392ca9e49.ttf |binary test/shaping/fonts/sha1sum/ef2511f215aa3ca847cbfffbf861793b42170875.ttf |binary test/shaping/tests/fuzzed.tests | 2 ++ 4 files changed, 6 insertions(+), 2 deletions(-)
New commits: commit 16fba5b2158a0e093e6df32637eba5058942e299 Author: Behdad Esfahbod <[email protected]> Date: Wed Nov 29 16:08:11 2017 -0800 [ot] Fix Extension type recurse to disallow recursing to another Extension Particularly hazardous if the second layer mixes forward and backward lookups. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4336 diff --git a/src/hb-ot-layout-gsub-table.hh b/src/hb-ot-layout-gsub-table.hh index 4fb56c1a..28e0790e 100644 --- a/src/hb-ot-layout-gsub-table.hh +++ b/src/hb-ot-layout-gsub-table.hh @@ -1280,9 +1280,11 @@ struct SubstLookup : Lookup if (unlikely (get_type () == SubstLookupSubTable::Extension)) { /* The spec says all subtables of an Extension lookup should - * have the same type. This is specially important if one has - * a reverse type! */ + * have the same type, which shall not be the Extension type + * itself. This is specially important if one has a reverse type! */ unsigned int type = get_subtable (0).u.extension.get_type (); + if (unlikely (type == SubstLookupSubTable::Extension)) + return_trace (false); unsigned int count = get_subtable_count (); for (unsigned int i = 1; i < count; i++) if (get_subtable (i).u.extension.get_type () != type) diff --git a/test/shaping/fonts/sha1sum/9d8a94a67932a3ab75a596fc8b5c6d0392ca9e49.ttf b/test/shaping/fonts/sha1sum/9d8a94a67932a3ab75a596fc8b5c6d0392ca9e49.ttf new file mode 100644 index 00000000..3fb9951b Binary files /dev/null and b/test/shaping/fonts/sha1sum/9d8a94a67932a3ab75a596fc8b5c6d0392ca9e49.ttf differ diff --git a/test/shaping/fonts/sha1sum/ef2511f215aa3ca847cbfffbf861793b42170875.ttf b/test/shaping/fonts/sha1sum/ef2511f215aa3ca847cbfffbf861793b42170875.ttf new file mode 100644 index 00000000..6a3af465 Binary files /dev/null and b/test/shaping/fonts/sha1sum/ef2511f215aa3ca847cbfffbf861793b42170875.ttf differ diff --git a/test/shaping/tests/fuzzed.tests b/test/shaping/tests/fuzzed.tests index edac2856..bb2c32b1 100644 --- a/test/shaping/tests/fuzzed.tests +++ b/test/shaping/tests/fuzzed.tests @@ -17,3 +17,5 @@ fonts/sha1sum/b6acef662e0beb8d5fcf5b61c6b0ca69537b7402.ttf:--font-funcs=ot:U+004 fonts/sha1sum/e88c339237f52d21e01c55f01b9c1b4cc14a0467.ttf:--font-funcs=ot:U+0041:[gid0=0+1000] fonts/sha1sum/243798dd281c1c77c065958e1ff467420faa9bde.ttf:--font-funcs=ot:U+0041:[gid0=0+1000] fonts/sha1sum/dd9f0c7c7c36f75a18be0cab1cddf8f3ab0f366b.ttf:--font-funcs=ot --no-positions --no-clusters --no-glyph-names:U+0041:[0|0|2|0|0|2|0|0|2|0|0|2|0|0|2|0|0|2|0|0|0|2|0|0|0|2|0|0|2|0|0|2|0|0|2|0|0|2|0|0|0|2|0|0|2|0|0|2|0|0|2|0] +fonts/sha1sum/ef2511f215aa3ca847cbfffbf861793b42170875.ttf:--font-funcs=ot:U+0041:[gid0=0+1000] +fonts/sha1sum/9d8a94a67932a3ab75a596fc8b5c6d0392ca9e49.ttf:--font-funcs=ot:U+0041:[gid0=0+1000] _______________________________________________ HarfBuzz mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/harfbuzz
