src/Makefile.am | 31 -----------------------------
src/hb-aat-layout-common.hh | 8 +++++--
src/hb-aat-layout-kerx-table.hh | 8 +++----
src/hb-machinery.hh | 42 ++++++++++++++++++++++++++++------------
src/hb-open-type.hh | 4 ++-
src/hb-ot-layout-common.hh | 5 ++--
src/hb-ot-layout-gpos-table.hh | 11 +++++++---
src/hb-ot-var-hvar-table.hh | 4 ++-
src/hb-ot-var-mvar-table.hh | 4 ++-
test/fuzzing/Makefile.am | 39 ++++++++++++-------------------------
10 files changed, 73 insertions(+), 83 deletions(-)
New commits:
commit 274f4c726f461f49f54a79557d63bf95d22903cf
Author: Behdad Esfahbod <[email protected]>
Date: Mon Nov 12 14:24:36 2018 -0500
Rename check_array2() to check_array()
diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh
index 6e9f3007..f075a270 100644
--- a/src/hb-aat-layout-kerx-table.hh
+++ b/src/hb-aat-layout-kerx-table.hh
@@ -267,7 +267,7 @@ struct KerxSubTableFormat1
 unsigned int kern_idx = Format1EntryT::kernActionIndex (entry);
 kern_idx = Types::offsetToIndex (kern_idx, &table->machine, kernAction.arrayZ);
 const FWORD *actions = &kernAction[kern_idx];
- if (!c->sanitizer.check_array2 (actions, depth, tuple_count))
+ if (!c->sanitizer.check_array (actions, depth, tuple_count))
 {
 depth = 0;
 return false;
diff --git a/src/hb-machinery.hh b/src/hb-machinery.hh
index fa2c7b3a..ce6c9453 100644
--- a/src/hb-machinery.hh
+++ b/src/hb-machinery.hh
@@ -343,11 +343,11 @@ struct hb_sanitize_context_t :
 }
 
 template <typename T>
- inline bool check_array2 (const T *base,
- unsigned int a,
- unsigned int b) const
+ inline bool check_array (const T *base,
+ unsigned int a,
+ unsigned int b) const
 {
- return this->check_range (base, a * b, T::static_size);
+ return this->check_range (base, a, b, T::static_size);
 }
 
 template <typename Type>
commit e014405a214bceff3a1ce80f0b98273c44078e82
Author: Behdad Esfahbod <[email protected]>
Date: Mon Nov 12 14:23:31 2018 -0500
Rename check_array(array, a, b) to check_range()
diff --git a/src/hb-aat-layout-common.hh b/src/hb-aat-layout-common.hh
index 8191df4c..adc7538c 100644
--- a/src/hb-aat-layout-common.hh
+++ b/src/hb-aat-layout-common.hh
@@ -557,7 +557,9 @@ struct StateTable
 /* Negative states. */
 if (unlikely (hb_unsigned_mul_overflows (min_state, num_classes)))
 return_trace (false);
- if (unlikely (!c->check_array (&states[min_state * num_classes], -min_state, row_stride)))
+ if (unlikely (!c->check_range (&states[min_state * num_classes],
+ -min_state,
+ row_stride)))
 return_trace (false);
 if ((c->max_ops -= state_neg - min_state) < 0)
 return_trace (false);
@@ -574,7 +576,9 @@ struct StateTable
 if (state_pos <= max_state)
 {
 /* Positive states. */
- if (unlikely (!c->check_array (states, max_state + 1, row_stride)))
+ if (unlikely (!c->check_range (states,
+ max_state + 1,
+ row_stride)))
 return_trace (false);
 if ((c->max_ops -= max_state - state_pos + 1) < 0)
 return_trace (false);
diff --git a/src/hb-machinery.hh b/src/hb-machinery.hh
index 6155c012..fa2c7b3a 100644
--- a/src/hb-machinery.hh
+++ b/src/hb-machinery.hh
@@ -317,22 +317,37 @@ struct hb_sanitize_context_t :
 }
 
 template <typename T>
+ inline bool check_range (const T *base,
+ unsigned int a,
+ unsigned int b) const
+ {
+ return !hb_unsigned_mul_overflows (a, b) &&
+ this->check_range (base, a * b);
+ }
+
+ template <typename T>
+ inline bool check_range (const T *base,
+ unsigned int a,
+ unsigned int b,
+ unsigned int c) const
+ {
+ return !hb_unsigned_mul_overflows (a, b) &&
+ this->check_range (base, a * b, c);
+ }
+
+ template <typename T>
 inline bool check_array (const T *base,
- unsigned int len,
- unsigned int record_size = T::static_size) const
+ unsigned int len) const
 {
- return !hb_unsigned_mul_overflows (len, record_size) &&
- this->check_range (base, len * record_size);
+ return this->check_range (base, len, T::static_size);
 }
 
 template <typename T>
 inline bool check_array2 (const T *base,
 unsigned int a,
- unsigned int b,
- unsigned int record_size = T::static_size) const
+ unsigned int b) const
 {
- return !hb_unsigned_mul_overflows (a, b) &&
- this->check_array (base, a * b, record_size);
+ return this->check_range (base, a * b, T::static_size);
 }
 
 template <typename Type>
diff --git a/src/hb-open-type.hh b/src/hb-open-type.hh
index 14506180..3f8e2c08 100644
--- a/src/hb-open-type.hh
+++ b/src/hb-open-type.hh
@@ -887,7 +887,9 @@ struct VarSizedBinSearchArrayOf
 TRACE_SANITIZE (this);
 return_trace (header.sanitize (c) &&
 Type::static_size <= header.unitSize &&
- c->check_array (bytesZ.arrayZ, header.nUnits, header.unitSize));
+ c->check_range (bytesZ.arrayZ,
+ header.nUnits,
+ header.unitSize));
 }
 
 protected:
diff --git a/src/hb-ot-layout-common.hh b/src/hb-ot-layout-common.hh
index 7b1d39aa..2ffb7c26 100644
--- a/src/hb-ot-layout-common.hh
+++ b/src/hb-ot-layout-common.hh
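Review bot: The new body of check_array2, `return this->check_range (base, a * b, T::static_size);`, multiplies a and b before the call, so the a*b overflow guard that the earlier commit c8f4cc4 (further down this page) introduced is lost in this revision; the three-argument check_range only guards the (a*b)*static_size product, not a*b itself. The four-argument overload added in the same hunk checks both products, so the body should read `return this->check_range (base, a, b, T::static_size);`, which is exactly what the follow-up rename commit 274f4c7 at the top of the page ends up with, leaving this intermediate revision as a bisect hazard. The single-argument check_array in this hunk is fine, since it routes through the checked three-argument overload. The two new check_range templates deduce T but never use it beyond the pointer type, which may be worth a one-line comment so a reader does not look for a hidden use.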
@@ -1566,8 +1566,9 @@ struct VarData
 return_trace (c->check_struct (this) &&
 regionIndices.sanitize(c) &&
 shortCount <= regionIndices.len &&
- c->check_array (&StructAfter<HBUINT8> (regionIndices),
- itemCount, get_row_size ()));
+ c->check_range (&StructAfter<HBUINT8> (regionIndices),
+ itemCount,
+ get_row_size ()));
 }
 
 protected:
diff --git a/src/hb-ot-layout-gpos-table.hh b/src/hb-ot-layout-gpos-table.hh
index cf735c30..fb6f6d0f 100644
--- a/src/hb-ot-layout-gpos-table.hh
+++ b/src/hb-ot-layout-gpos-table.hh
@@ -207,7 +207,7 @@ struct ValueFormat : HBUINT16
 TRACE_SANITIZE (this);
 unsigned int len = get_len ();
 
- if (!c->check_array (values, count, get_size ())) return_trace (false);
+ if (!c->check_range (values, count, get_size ())) return_trace (false);
 
 if (!has_device ()) return_trace (true);
 
@@ -706,7 +706,10 @@ struct PairSet
 {
 TRACE_SANITIZE (this);
 if (!(c->check_struct (this)
- && c->check_array (&firstPairValueRecord, len, HBUINT16::static_size * closure->stride))) return_trace (false);
+ && c->check_range (&firstPairValueRecord,
+ len,
+ HBUINT16::static_size,
+ closure->stride))) return_trace (false);
 
 unsigned int count = len;
 const PairValueRecord *record = &firstPairValueRecord;
@@ -879,7 +882,9 @@ struct PairPosFormat2
 unsigned int stride = len1 + len2;
 unsigned int record_size = valueFormat1.get_size () + valueFormat2.get_size ();
 unsigned int count = (unsigned int) class1Count * (unsigned int) class2Count;
- return_trace (c->check_array ((const void *) values, count, record_size) &&
+ return_trace (c->check_range ((const void *) values,
+ count,
+ record_size) &&
 valueFormat1.sanitize_values_stride_unsafe (c, this, &values[0], count, stride) &&
 valueFormat2.sanitize_values_stride_unsafe (c, this, &values[len1], count, stride));
 }
diff --git a/src/hb-ot-var-hvar-table.hh b/src/hb-ot-var-hvar-table.hh
index 66e086e1..62a6547b 100644
--- a/src/hb-ot-var-hvar-table.hh
+++ b/src/hb-ot-var-hvar-table.hh
@@ -39,7 +39,9 @@ struct DeltaSetIndexMap
 {
 TRACE_SANITIZE (this);
 return_trace (c->check_struct (this) &&
- c->check_array (mapDataZ.arrayZ, mapCount, get_width ()));
+ c->check_range (mapDataZ.arrayZ,
+ mapCount,
+ get_width ()));
 }
 
 unsigned int map (unsigned int v) const /* Returns 16.16 outer.inner. */
diff --git a/src/hb-ot-var-mvar-table.hh b/src/hb-ot-var-mvar-table.hh
index 5d6b5595..b16a09b3 100644
--- a/src/hb-ot-var-mvar-table.hh
+++ b/src/hb-ot-var-mvar-table.hh
@@ -68,7 +68,9 @@ struct MVAR
 c->check_struct (this) &&
 valueRecordSize >= VariationValueRecord::static_size &&
 varStore.sanitize (c, this) &&
- c->check_array (valuesZ.arrayZ, valueRecordCount, valueRecordSize));
+ c->check_range (valuesZ.arrayZ,
+ valueRecordCount,
+ valueRecordSize));
 }
 
 inline float get_var (hb_tag_t tag,
commit c8f4cc49272d8bcd47706a6306a625d724349f5a
Author: Behdad Esfahbod <[email protected]>
Date: Mon Nov 12 14:11:29 2018 -0500
[kerx] Fix integer overflow in multiply
Fixes https://oss-fuzz.com/v2/testcase-detail/5754863779053568
diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh
index ccba8fe1..6e9f3007 100644
--- a/src/hb-aat-layout-kerx-table.hh
+++ b/src/hb-aat-layout-kerx-table.hh
@@ -267,7 +267,7 @@ struct KerxSubTableFormat1
 unsigned int kern_idx = Format1EntryT::kernActionIndex (entry);
 kern_idx = Types::offsetToIndex (kern_idx, &table->machine, kernAction.arrayZ);
 const FWORD *actions = &kernAction[kern_idx];
- if (!c->sanitizer.check_array (actions, depth * tuple_count))
+ if (!c->sanitizer.check_array2 (actions, depth, tuple_count))
 {
 depth = 0;
 return false;
diff --git a/src/hb-machinery.hh b/src/hb-machinery.hh
index 9e4c16d8..6155c012 100644
--- a/src/hb-machinery.hh
+++ b/src/hb-machinery.hh
@@ -298,7 +298,8 @@ struct hb_sanitize_context_t :
 this->start = this->end = nullptr;
 }
 
- inline bool check_range (const void *base, unsigned int len) const
+ inline bool check_range (const void *base,
+ unsigned int len) const
 {
 const char *p = (const char *) base;
 bool ok = this->start <= p &&
@@ -316,20 +317,22 @@ struct hb_sanitize_context_t :
 }
 
 template <typename T>
- inline bool check_array (const T *base, unsigned int len, unsigned int record_size = T::static_size) const
+ inline bool check_array (const T *base,
+ unsigned int len,
+ unsigned int record_size = T::static_size) const
 {
- const char *p = (const char *) base;
- bool overflows = hb_unsigned_mul_overflows (len, record_size);
- unsigned int array_size = record_size * len;
- bool ok = !overflows && this->check_range (base, array_size);
-
- DEBUG_MSG_LEVEL (SANITIZE, p, this->debug_depth+1, 0,
- "check_array [%p..%p] (%d*%d=%d bytes) in [%p..%p] -> %s",
- p, p + (record_size * len), record_size, len, (unsigned int) array_size,
- this->start, this->end,
- overflows ? "OVERFLOWS" : ok ? "OK" : "OUT-OF-RANGE");
+ return !hb_unsigned_mul_overflows (len, record_size) &&
+ this->check_range (base, len * record_size);
+ }
 
- return likely (ok);
+ template <typename T>
+ inline bool check_array2 (const T *base,
+ unsigned int a,
+ unsigned int b,
+ unsigned int record_size = T::static_size) const
+ {
+ return !hb_unsigned_mul_overflows (a, b) &&
+ this->check_array (base, a * b, record_size);
 }
 
 template <typename Type>
commit 1300f027a938d8898cdc9abbcad71afadf70e6e6
Author: Behdad Esfahbod <[email protected]>
Date: Mon Nov 12 13:56:48 2018 -0500
[kerx] Minor tweak on previous commit
diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh
index 4e6c6e40..ccba8fe1 100644
--- a/src/hb-aat-layout-kerx-table.hh
+++ b/src/hb-aat-layout-kerx-table.hh
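Review bot: The rewritten check_array in the second hunk drops the DEBUG_MSG_LEVEL (SANITIZE, ...) trace, so a len*record_size product that overflows now fails with no "OVERFLOWS" diagnostic in sanitize traces; whether the two-argument check_range (whose body starts in the first hunk and continues outside it) still logs the byte range on the non-overflow path cannot be seen here. A short why-comment on the guard would keep the intent visible now that the explanatory trace is gone, e.g. `/* Guard the multiply: a wrapped len * record_size would hand check_range a too-small byte count. */`. The same comment applies to the a * b guard in the new check_array2 just below it.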
@@ -260,7 +260,7 @@ struct KerxSubTableFormat1
 depth = 0; /* Probably not what CoreText does, but better? */
 }
 
- if (depth && Format1EntryT::performAction (entry))
+ if (Format1EntryT::performAction (entry) && depth)
 {
 unsigned int tuple_count = MAX (1u, table->header.tuple_count ());
 
@@ -279,9 +279,9 @@ struct KerxSubTableFormat1
 * "Each pops one glyph from the kerning stack and applies the kerning value to it.
 * The end of the list is marked by an odd value...
 bool last = false;
- while (!last && depth--)
+ while (!last && depth)
 {
- unsigned int idx = stack[depth];
+ unsigned int idx = stack[--depth];
 int v = *actions;
 actions += tuple_count;
 if (idx >= buffer->len) continue;
commit d6666b3866037c9d3e8a497958af9ba8d2f47a73
Author: Behdad Esfahbod <[email protected]>
Date: Mon Nov 12 13:21:14 2018 -0500
[fuzzing] Remove limited-edition build of libraries
Use normal, production, shared libraries.
Fixes https://github.com/harfbuzz/harfbuzz/issues/1237
diff --git a/src/Makefile.am b/src/Makefile.am
index 9632b4df..b3cc42f3 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -15,7 +15,6 @@ check_PROGRAMS =
 # Convenience targets:
 lib: $(BUILT_SOURCES) libharfbuzz.la
 libs: $(BUILT_SOURCES) $(lib_LTLIBRARIES)
-fuzzing: $(BUILT_SOURCES) libharfbuzz-fuzzing.la libharfbuzz-subset-fuzzing.la
 
 lib_LTLIBRARIES = libharfbuzz.la
 
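Review bot: The loop change in the second kerx hunk, `while (!last && depth)` with `stack[--depth]` in the body, deserves a one-line comment because the reason for moving the decrement is not visible in the code: the old `depth--` in the condition also executed on the failing test, so an exhausted stack left depth decremented past zero (wrapping, if depth is unsigned; its declaration is outside the hunk). Suggest `/* Decrement inside the body so depth is never taken below zero on loop exit. */` above the while. The enclosing function continues outside the hunk, so what the later code does with a non-zero depth after an early `last` exit cannot be checked here.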
@@ -169,36 +168,6 @@ pkginclude_HEADERS += $(HB_SUBSET_headers)
 pkgconfig_DATA += harfbuzz-subset.pc
 EXTRA_DIST += harfbuzz-subset.pc.in
 
-FUZZING_CPPFLAGS = \
- -DHB_MAX_NESTING_LEVEL=3 \
- -DHB_SANITIZE_MAX_EDITS=3 \
- -DHB_SANITIZE_MAX_OPS_FACTOR=3 \
- -DHB_SANITIZE_MAX_OPS_MIN=128 \
- -DHB_BUFFER_MAX_LEN_FACTOR=3 \
- -DHB_BUFFER_MAX_LEN_MIN=8 \
- -DHB_BUFFER_MAX_LEN_DEFAULT=128 \
- -DHB_BUFFER_MAX_OPS_FACTOR=8 \
- -DHB_BUFFER_MAX_OPS_MIN=64 \
- -DHB_BUFFER_MAX_OPS_DEFAULT=1024 \
- $(NULL)
-EXTRA_LTLIBRARIES = libharfbuzz-fuzzing.la libharfbuzz-subset-fuzzing.la
-
-libharfbuzz_fuzzing_la_LINK = $(chosen_linker) $(libharfbuzz_fuzzing_la_LDFLAGS)
-libharfbuzz_fuzzing_la_SOURCES = $(libharfbuzz_la_SOURCES)
-libharfbuzz_fuzzing_la_CPPFLAGS = $(HBCFLAGS) $(FUZZING_CPPFLAGS)
-libharfbuzz_fuzzing_la_LDFLAGS = $(AM_LDFLAGS)
-libharfbuzz_fuzzing_la_LIBADD = $(libharfbuzz_la_LIBADD)
-EXTRA_libharfbuzz_fuzzing_la_DEPENDENCIES = $(EXTRA_libharfbuzz_la_DEPENDENCIES)
-CLEANFILES += libharfbuzz-fuzzing.la
-
-libharfbuzz_subset_fuzzing_la_LINK = $(chosen_linker) $(libharfbuzz_subset_fuzzing_la_LDFLAGS)
-libharfbuzz_subset_fuzzing_la_SOURCES = $(libharfbuzz_subset_la_SOURCES)
-libharfbuzz_subset_fuzzing_la_CPPFLAGS = $(HBCFLAGS) $(FUZZING_CPPFLAGS)
-libharfbuzz_subset_fuzzing_la_LDFLAGS = $(AM_LDFLAGS)
-libharfbuzz_subset_fuzzing_la_LIBADD = libharfbuzz-fuzzing.la
-EXTRA_libharfbuzz_subset_fuzzing_la_DEPENDENCIES = $(EXTRA_libharfbuzz_subset_la_DEPENDENCIES)
-CLEANFILES += libharfbuzz-subset-fuzzing.la
-
 if HAVE_ICU
 if HAVE_ICU_BUILTIN
 HBCFLAGS += $(ICU_CFLAGS)
diff --git a/test/fuzzing/Makefile.am b/test/fuzzing/Makefile.am
index ed67eee8..a77df706 100644
--- a/test/fuzzing/Makefile.am
+++ b/test/fuzzing/Makefile.am
@@ -7,13 +7,13 @@ DISTCLEANFILES =
 MAINTAINERCLEANFILES =
 
 # Convenience targets:
-lib-only:
- @$(MAKE) $(AM_MAKEFLAGS) -C $(top_builddir)/src fuzzing
-lib: lib-only
- @$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+lib:
+ @$(MAKE) $(AM_MAKEFLAGS) -C $(top_builddir)/src lib
+libs:
+ @$(MAKE) $(AM_MAKEFLAGS) -C $(top_builddir)/src libs
 
-$(top_builddir)/src/libharfbuzz-fuzzing.la: lib-only
-$(top_builddir)/src/libharfbuzz-subset-fuzzing.la: lib-only
+$(top_builddir)/src/libharfbuzz.la: lib
+$(top_builddir)/src/libharfbuzz-subset.la: libs
 
 EXTRA_DIST += \
 README \
@@ -33,24 +33,15 @@ AM_CPPFLAGS = \
 -I$(top_srcdir)/src/ \
 -I$(top_builddir)/src/ \
 $(NULL)
-LDADD = \
- $(top_builddir)/src/libharfbuzz-fuzzing.la \
- $(NULL)
 
 hb_shape_fuzzer_SOURCES = \
 hb-fuzzer.hh \
 hb-shape-fuzzer.cc \
 main.cc \
 $(NULL)
-hb_shape_fuzzer_LDADD = \
- $(LDADD) \
- $(NULL)
-hb_shape_fuzzer_CPPFLAGS = \
- $(AM_CPPFLAGS) \
- $(NULL)
-hb_shape_fuzzer_DEPENDENCIES = \
- $(top_builddir)/src/libharfbuzz-fuzzing.la
- $(NULL)
+hb_shape_fuzzer_LDADD = $(top_builddir)/src/libharfbuzz.la
+hb_shape_fuzzer_CPPFLAGS = $(AM_CPPFLAGS)
+hb_shape_fuzzer_DEPENDENCIES = $(top_builddir)/src/libharfbuzz.la
 
 hb_subset_fuzzer_SOURCES = \
 hb-fuzzer.hh \
@@ -58,14 +49,10 @@ hb_subset_fuzzer_SOURCES = \
 main.cc \
 $(NULL)
 hb_subset_fuzzer_LDADD = \
- $(top_builddir)/src/libharfbuzz-subset-fuzzing.la \
- $(NULL)
-hb_subset_fuzzer_CPPFLAGS = \
- $(AM_CPPFLAGS) \
- $(NULL)
-hb_subset_fuzzer_DEPENDENCIES = \
- $(top_builddir)/src/libharfbuzz-subset-fuzzing.la
- $(NULL)
+ $(top_builddir)/src/libharfbuzz.la \
+ $(top_builddir)/src/libharfbuzz-subset.la
+hb_subset_fuzzer_CPPFLAGS = $(AM_CPPFLAGS)
+hb_subset_fuzzer_DEPENDENCIES = $(top_builddir)/src/libharfbuzz-subset.la
 
 check: EXEEXT="$(EXEEXT)" srcdir="$(srcdir)" builddir="$(builddir)" $(srcdir)/run-shape-fuzzer-tests.py
 
_______________________________________________
HarfBuzz mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/harfbuzz
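Review bot: In the last hunk, `hb_subset_fuzzer_DEPENDENCIES = $(top_builddir)/src/libharfbuzz-subset.la` names only the subset library while the matching hb_subset_fuzzer_LDADD links both libharfbuzz.la and libharfbuzz-subset.la, so a rebuilt libharfbuzz.la alone does not force a relink of hb_subset_fuzzer unless the subset library's own dependency on it (not visible here) propagates. Mirroring LDADD, as the shape fuzzer rules do, would close that gap: `hb_subset_fuzzer_DEPENDENCIES = $(top_builddir)/src/libharfbuzz.la $(top_builddir)/src/libharfbuzz-subset.la`. Note also that the FUZZING_CPPFLAGS removed from src/Makefile.am in this same commit lowered the sanitize and buffer limits the fuzzers ran under; with production defaults the harness may spend longer per input, which is a deliberate trade-off the commit message could state explicitly.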
