test/fuzzing/fonts


Log

Author Commit Date CI Message
Garret Rieger 8f9f0c49 2022-05-10T17:47:08 [subset] Enforce cmap12 group ordering constraints in collect_mapping. Fixes fuzzer issue: https://oss-fuzz.com/testcase-detail/6365271012540416
Garret Rieger b051f3fa 2022-05-05T23:27:34 [subset] Fix cpal subsetting when there are partial palette overlaps. The existing code doesn't correctly handle the case where palettes partially overlap in the color record array. This changes the subsetting to only share entries in the color record array when palettes have the same first color index. Partially overlapping palettes will be converted to disjoint segments in the color record array. Updates one of the color tests to use multiple palettes. Also fixes fuzzer: https://oss-fuzz.com/testcase-detail/5568200165687296.
Behdad Esfahbod ca8a0f3e 2022-05-06T11:54:38 [gvar] Protect against out-of-range access Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47281 Fixes https://oss-fuzz.com/testcase-detail/5508865908670464
Behdad Esfahbod a665e29e 2022-03-23T17:30:25 [use] Avoid O(n^2) in the machine Fixes https://github.com/harfbuzz/harfbuzz/issues/3502
Behdad Esfahbod 03085132 2022-03-21T18:06:33 [buffer] Fix out-buffer under memory-alloc failure This was broken in July refactoring of the buffer, and exposed to ReverseChainSingleSubstFormat1 in 3807061d634b60bd6235d6e1d8c47a034377f924 Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38800 https://bugs.chromium.org/p/chromium/issues/detail?id=1303552
Behdad Esfahbod af407dd2 2022-02-12T13:53:16 Add a fuzzer font
Garret Rieger 4e2f409b 2022-01-31T12:20:32 [subset] Don't hold references to members of the active_glyph_stack. These references may get invalidated after the vector for the stack is resized. Fixes: https://oss-fuzz.com/testcase-detail/5422577634377728
Garret Rieger 87496bf6 2022-01-13T11:03:45 [subset] fix fuzzer timeout if visited_paint goes into error.
Garret Rieger 067f90a8 2021-12-14T16:24:38 [subset] Fix for fuzzer timeout. Fixes https://oss-fuzz.com/testcase-detail/5549945449480192 In prune_langsys: move LangSys visited check up before any work is done for a LangSys. In this particular case the compare() method is responsible for the majority of the time spent and wasn't being guarded with a visited check.
Garret Rieger c4573c2e 2021-12-14T14:49:15 [repacker] don't infinite loop if visited or roots is in error. Fixes https://oss-fuzz.com/testcase-detail/5205038086094848
Garret Rieger ace98cc6 2021-11-08T15:47:56 [subset] Only sanitize recursion depth in COLR.
Garret Rieger f51b48c8 2021-11-02T16:16:52 [subset] Fix fuzzer found memory leak. Happens because an insert into a map with an invalid key reports successful, but this causes the set being inserted to be lost.
Qunxin Liu 0a7563a5 2021-11-01T14:56:14 [subset] fuzzer fix: https://oss-fuzz.com/testcase?key=6254792024915968 Make sure input is valid, each gid has a corresponding offset value in the map
Qunxin Liu 85deddb1 2021-10-27T14:36:02 [subset] fuzzer fix: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40406
Qunxin Liu 794b00db 2021-09-27T17:21:16 [subset] fuzzer fix: https://oss-fuzz.com/testcase-detail/6616166961905664
Garret Rieger 74f96d9d 2021-09-17T13:46:07 [repacker] fix heap use after free in repacker. Don't store a reference to the link in overflow records as the link object may be freed if the sorted graph vector is resized.
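The two repacker/subsetter entries above (the active_glyph_stack one and this heap use-after-free) describe the same bug class: a reference into a std::vector is kept across a push_back that reallocates the vector, so the reference now points into freed memory. The block below is an added example written for this page, not harfbuzz's code; the Link, OverflowRecord and Graph types are assumed stand-ins. It keeps an index instead of a reference, forces a reallocation, and shows the index still resolves correctly.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical link and overflow-record types, loosely after the log entry's
// wording; these are not harfbuzz's types.
struct Link { std::size_t parent; std::size_t child; };

// The overflow record keeps an index into the link vector, not a reference or
// pointer to the element. An index survives reallocation; a reference does not.
struct OverflowRecord { std::size_t link_index; };

struct Graph {
  std::vector<Link> links;
  std::vector<OverflowRecord> overflows;

  // Record that links[i] overflowed. Only the index is stored.
  void record_overflow(std::size_t i) { overflows.push_back(OverflowRecord{i}); }

  // Grow 'links' until its backing store has been reallocated at least once.
  // std::vector allocates a fresh block when it grows, so data() moves and any
  // reference or pointer taken before the growth now dangles (a use-after-free
  // if read). Returns true when the storage moved; 'cap' bounds the loop.
  bool grow_until_reallocated(std::size_t cap = 1u << 20) {
    const Link* before = links.data();
    for (std::size_t n = 0; n < cap && links.data() == before; n++)
      links.push_back(Link{n, n + 1});
    return links.data() != before;
  }

  // Resolve a recorded overflow to its link by index. Valid after any growth.
  const Link& overflow_link(std::size_t k) const {
    return links[overflows[k].link_index];
  }
};

struct DemoResult { bool index_still_valid; bool storage_moved; };

// Worked scenario: record an overflow on link 1, force a reallocation, then
// resolve the record. The unsafe version of this scenario would be
//   const Link& held = g.links[1]; g.links.push_back(...); use(held);
// which reads freed memory once push_back reallocates; it is deliberately not run.
DemoResult run_demo() {
  Graph g;
  g.links = {Link{0, 1}, Link{1, 2}, Link{2, 3}};
  g.record_overflow(1);
  DemoResult r;
  r.storage_moved = g.grow_until_reallocated();
  const Link& l = g.overflow_link(0);
  r.index_still_valid = (l.parent == 1 && l.child == 2);
  return r;
}
```

Under AddressSanitizer the commented-out reference version reports heap-use-after-free on the first read through `held`; the index version is silent because every access goes back through `links[...]` after the growth.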
Garret Rieger fb07f8f8 2021-08-23T15:33:57 During subset input creation check for set alloc failures and fail if encountered.
Garret Rieger dc31920b 2021-08-18T14:20:14 Don't serialize null offsets in CPAL. Fixes https://oss-fuzz.com/testcase-detail/5443213648330752
Garret Rieger c0f3af91 2021-08-11T16:20:05 [subset] speed up add_gid_and_children and adjust op limit. Fix for fuzzer timeout: https://oss-fuzz.com/testcase-detail/5001604901240832. - Operation limit is per glyph, so 100,000 should still be far more than needed. - Switches from for(...) to while(...) loop for iteration. for(...) calls it.end() which in this case triggers a complete iteration. - Cache CompositeGlyph size in the iterator to avoid needing to recalculate it.
Garret Rieger c08f1b89 2021-08-10T12:29:32 [map] fix incorrect population count in hash map. If the same key was set twice the population was being incorrectly incremented.
Garret Rieger 8c0c217b 2021-08-06T10:45:38 [subset] fail reference blob in face builder if allocation for table sorting fails. Fixes https://oss-fuzz.com/testcase-detail/5041767803125760
Behdad Esfahbod 5086e105 2021-07-29T17:03:55 [test] Add failing fuzzer test case From https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36236 https://oss-fuzz.com/testcase-detail/5061207689134080
Behdad Esfahbod 0ded6a70 2021-07-28T11:28:38 [subset] Fix another fuzzer issue Addition could overflow on 32bit arch. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36636 Fixes https://oss-fuzz.com/testcase-detail/5072358514753536
Garret Rieger 09474d8d 2021-06-29T16:07:14 [subset] Fix fuzzer timeout in add_gid_and_children. The composite glyph graph isn't checked for max operations by sanitize so track an operations count during the graph traversal.
Behdad Esfahbod c68a00b9 2021-07-27T13:25:22 [subset] Fix possible overflows in VarRegionList serialize Fixes https://oss-fuzz.com/testcase-detail/5362189182566400
Qunxin Liu 7416face 2021-07-07T11:27:49 [subset] fuzzer fix: https://oss-fuzz.com/testcase-detail/5715464591376384
Garret Rieger bc06af97 2021-06-16T15:49:14 [subset] speed up feature collection when tags are specified. Precompute a feature index filter to avoid needing to iterate the feature tag list for each encountered feature index. For this particular fuzzer case speeds up feature collection from 50s to 2s.
Garret Rieger 675ebbeb 2021-06-16T10:40:46 [subset] don't alloc zero bytes. It will be leaked later since hb_blob_create() won't set up the blob to cleanup since it has length zero.
Qunxin Liu 35d6af69 2021-06-04T10:04:27 [subset] fix fuzzer testcase: https://oss-fuzz.com/testcase-detail/5965777994907648
Qunxin Liu 1b6008ca 2021-06-02T15:07:18 fix fuzzer testcase: https://oss-fuzz.com/testcase-detail/5417934246772736
Qunxin Liu 7ab0f4ed 2021-05-27T11:40:34 fuzzer fix
Garret Rieger 425ba1f4 2021-04-19T18:01:24 [subset] fixes infinite loop in hb_set_get_max(). Fixes https://oss-fuzz.com/testcase-detail/5363902507515904
Garret Rieger ec432106 2021-04-19T17:18:05 [subset] fix infinite loop caused by alloc failure in repacker. Fixes: https://oss-fuzz.com/testcase-detail/5609112151916544.
Garret Rieger 0e845d97 2021-04-19T16:09:37 [subset] fix memory leak in repacker caused by failed alloc. Fixes: https://oss-fuzz.com/testcase-detail/5616763250278400.
Garret Rieger 3fb62cdc 2021-04-05T15:48:34 [subset] fail on offset overflow in tables that we don't repack. Fixes: https://oss-fuzz.com/testcase-detail/5229304507138048
Qunxin Liu 9dc9f038 2021-04-08T11:00:17 [subset] fix for fuzzer testcase: https://oss-fuzz.com/testcase-detail/5858518134554624
Qunxin Liu 4af5dace 2021-04-07T10:56:49 [subset] add fuzzer testcase
Garret Rieger 64122b5a 2021-04-05T12:53:08 [subset] don't visit lookup if covered glyph set has failed. If covered glyph set is in error then the same lookup can be recursed into repeatedly potentially causing a fuzzer timeout. Fixes: https://oss-fuzz.com/testcase-detail/5416421032067072.
Garret Rieger 71d6d156 2021-04-05T12:03:17 [subset] clamp distance to prevent shifting outside of the limits of int64. Fixes https://oss-fuzz.com/testcase-detail/4961171477233664.
Garret Rieger c5c13006 2021-03-31T11:23:46 [subset] fix memory leaks found in https://oss-fuzz.com/testcase-detail/5179935334465536
Garret Rieger adca4ce0 2021-03-30T13:20:50 [subset] fixes https://oss-fuzz.com/testcase-detail/6173520787800064. Caused by incorrect bounds check in glyph closure for context lookups.
Garret Rieger 752e393a 2021-03-29T17:23:33 [subset] avoid calling clear on null pool set.
Garret Rieger 8741914a 2021-03-29T16:39:44 [subset] fix memory leak when map insert fails.
Garret Rieger 5b6da6d2 2021-03-29T16:19:17 [subset] add fuzzer test case.
Garret Rieger a804a0c9 2021-03-29T14:25:20 [subset] add fuzzer test case.
Garret Rieger 5ca353a2 2021-02-12T15:16:59 [subset] fix heap buffer overflow found by fuzzer.
Behdad Esfahbod 33a0f0b6 2021-02-09T12:55:45 [test] Remove fuzzed test font that triggers virus alert Fixes https://github.com/harfbuzz/harfbuzz/issues/2750
Garret Rieger a4c3732f 2020-09-16T12:35:09 [ENOMEM] fix set clear() causing corruption if the set is in_error().
Garret Rieger bbbcad0d 2020-09-16T11:19:40 Revert "[ENOMEM] don't perform set process operations if the other set is in an error state." This reverts commit f3929abafe3b64f15d0dc2d21ad7b493eeb92dfe.
Garret Rieger f3929aba 2020-09-15T13:06:36 [ENOMEM] don't perform set process operations if the other set is in an error state. Running a process while the other set is in an error state can potentially corrupt this set's map (for example by overwriting all of the major values with 0).
Garret Rieger 8c3d4de7 2020-09-09T12:38:34 [subset] Fix integer underflow in ContextFormat2.
Garret Rieger 9825e3dd 2020-08-26T17:31:50 [ENOMEM] fix access to uninitialized memory. If the serialize() call fails to write the object then we can't safely read varstore_prime fields. Fixes https://oss-fuzz.com/testcase-detail/5137462782066688.
ebraminio 1e48225c 2020-08-13T23:22:14 [ENOMEM] Check whether serialize context isn't in error
Garret Rieger 9562239f 2020-08-12T13:01:22 [ENOMEM] check for error in lookup visited set.
Garret Rieger 6f754852 2020-08-11T15:40:47 [ENOMEM] skip asserts in to_bias if serializer is in an error state.
Ebrahim Byagowi ffe06c8f 2020-08-08T13:17:34 [glyf] Guard all the public APIs against null pool runs Fixes https://crbug.com/oss-fuzz/24575 and https://crbug.com/oss-fuzz/24737
Garret Rieger 18ab8029 2020-07-31T14:40:49 [ENOMEM] check vector status in cmap subsetting.
Garret Rieger 06dbb6ac 2020-07-31T15:56:14 [ENOMEM] in GSUB ChainContext subsetting check maps for allocation errors.
Garret Rieger fb147779 2020-07-31T14:00:38 [ENOMEM] Check result of vector resize in CBDT subsetting.
Ebrahim Byagowi efd716de 2020-07-31T08:58:53 [cff] Check for scalars array resize result Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24504
Garret Rieger 040ed094 2020-07-30T15:14:02 [ENOMEM] propagate packed/packed_map errors to the serializer. Will disable further modifications based on a bad state.
Garret Rieger 7f358a55 2020-07-30T13:57:30 [ENOMEM] unchecked resize in CFF2.
Garret Rieger 32f052b0 2020-07-30T13:45:04 [ENOMEM] Fix several instances of not checking resize in CFF.
Garret Rieger 15644ee6 2020-07-29T16:37:39 [ENOMEM] fix memory leak if allocation fails during pop_pack().
Garret Rieger 42237adf 2020-07-29T15:18:25 [ENOMEM] make serializer modification operations no-ops if it's in an error state.
Garret Rieger 4ba8e3c6 2020-07-29T12:33:42 [ENOMEM] Fix failure to check calloc return. Fixes https://oss-fuzz.com/testcase-detail/6246465148813312.
Garret Rieger d307c24a 2020-07-29T12:23:37 [ENOMEM] check resize() return. Fixes https://oss-fuzz.com/testcase-detail/5641892164009984.
Ebrahim Byagowi 11d583a9 2020-07-14T06:23:06 [aat] Consume glyph insertion from buffer's max_ops (#2223) Glyph insertion is an expensive operation and we like to have it limited based on buffer's input size which is handled by buffer's max_ops. clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5754958982021120: Before the change: 0.67s user 0.00s system 99% cpu 0.674 total After the change: 0.02s user 0.00s system 98% cpu 0.024 total Which takes much longer on valgrind and tsan bots.
ckitagawa b22f61d8 2020-04-21T11:49:05 Fix bug
ariza 22f7c61a 2020-04-17T23:49:51 implement SID to glyph ID mapping with predefined Charset Also fixes oss-fuzz 21769
Qunxin Liu 0d569598 2020-04-05T18:44:26 [subset] fixes dangling object_t issue in FeatureVariationRecord Fixes https://crbug.com/oss-fuzz/21560 revert () does not clean up useless object_t. Adjust the order of subsetting substitutions and conditions to avoid dangling object_t.
Ebrahim Byagowi 57b7de03 2020-04-05T17:07:48 [subset] Fail ClassDefFormat1 serialization if no space available Fixes https://crbug.com/oss-fuzz/21580
Garret Rieger 014e038b 2020-03-31T16:29:29 [subset] Bail out of context lookup expansion once the lookup limit is encountered.
Garret Rieger 5d345d0c 2020-03-31T17:46:19 [subset] Limit the number of lookup indices processed subsetting Feature. Also, remove two unnecessary full iterations of the lookup index iterator during serialization of the index array. Fixes fuzzer found timeout.
Ebrahim Byagowi 96d792ae 2020-03-24T14:05:47 [avar] Prevent mul overflow Fixes https://crbug.com/oss-fuzz/21350
Garret Rieger 4ad686b9 2020-03-25T23:32:28 [subset] fix fuzzer timeout in layout closure Bail out of chain context lookup expansion once the lookup limit is encountered.
Garret Rieger 430bf696 2020-03-13T11:20:34 Add potentially crashing font as a fuzzer seed.
Garret Rieger 834a224a 2020-03-12T03:02:36 [subset] Put a limit on the number of lookup indices that can be visited during closures Fixes https://crbug.com/oss-fuzz/21025
Ebrahim Byagowi 0d729b4b 2020-03-07T11:53:12 [avar] Fix out-of-bound read when input is bigger than all the coords 'i' shouldn't become equal to the array's length, which, as the increment happens at the end of the loop, it will be if the input is bigger than all the table coords. Fixes https://crbug.com/oss-fuzz/21092
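The avar entry above is a textbook off-by-one: a linear scan that increments at the end of the loop leaves the index equal to the array length when nothing matched, and the code then indexes one past the end. The block below is an added example for this page, not harfbuzz's avar implementation; the AxisValueMap shape and the 2.14 fixed-point range are assumptions. It exposes the fall-through index from the original loop shape without performing the read, and shows the clamped lookup that cannot run off the end.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical segment map in the style of an axis value map: entries sorted by
// from_coord, coordinates as 2.14 fixed point stored in int (-16384..16384).
// Assumed shape for the example; not harfbuzz's avar code.
struct AxisValueMap { int from_coord; int to_coord; };

// The loop shape the log entry describes: scan for the first entry whose
// from_coord is >= the input. The increment happens at the end of each iteration,
// so when the input is bigger than every from_coord the loop exits with i == n and
// the following map[i] would read one past the end. This helper returns that i
// (n on fall-through) without performing the out-of-bound read.
std::size_t unclamped_index(const std::vector<AxisValueMap>& map, int coord) {
  std::size_t i = 0;
  for (; i < map.size(); i++)
    if (coord <= map[i].from_coord) break;
  return i;
}

// Fixed lookup: clamp to both end points first, so the segment search can only
// land on a valid i in [1, n-1]; then interpolate linearly inside that segment.
int map_coord(const std::vector<AxisValueMap>& map, int coord) {
  const std::size_t n = map.size();
  if (n == 0) return coord;
  if (coord <= map[0].from_coord) return map[0].to_coord;
  if (coord >= map[n - 1].from_coord) return map[n - 1].to_coord;  // the missing bound
  std::size_t i = 1;
  while (coord > map[i].from_coord) i++;  // stops before n: coord < map[n-1].from_coord
  const AxisValueMap& a = map[i - 1];
  const AxisValueMap& b = map[i];
  if (b.from_coord == a.from_coord) return b.to_coord;
  // 64-bit intermediate so the product of two 2.14 values cannot overflow int.
  long long num = (long long)(coord - a.from_coord) * (b.to_coord - a.to_coord);
  return a.to_coord + (int)(num / (b.from_coord - a.from_coord));
}

// Constructed sample map: identity at the ends with a bend in the middle.
const std::vector<AxisValueMap> kSampleMap = {
  {-16384, -16384}, {0, 0}, {8192, 4096}, {16384, 16384},
};
```

For an input of 20000 (above every from_coord in the sample map) `unclamped_index` returns 4, the array length; that is the value the original loop would have used as a subscript. `map_coord` returns the last to_coord instead.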
Ebrahim Byagowi 446d1e3b 2020-03-04T23:32:50 [fuzz] Add more of fixed cases
Ebrahim Byagowi 99b5b3f1 2020-03-04T11:15:46 [gvar] Make sure TupleVarHeader has the needed size Fixes https://crbug.com/oss-fuzz/21026
Ebrahim Byagowi 6543d166 2020-03-03T20:26:46 [fuzz] Remove the not yet fixed timeout, going to investigate
Ebrahim Byagowi 2bbf1c86 2020-03-03T19:42:38 [fuzz] Add more cases from the Chromium bug tracker that are supposed to already be fixed
Ebrahim Byagowi f253f06c 2020-03-03T18:57:13 [fuzz] Add another fixed case https://crbug.com/oss-fuzz/14626 another numerous subtables count which is fixed by d38360397
Ebrahim Byagowi d3836039 2020-03-02T22:41:08 Limit OT::Lookup subtables (#2219) Fixes https://crbug.com/oss-fuzz/13943
Ebrahim Byagowi 29efd964 2020-03-02T14:22:29 [fuzz] Add cases that were marked as wontfix. Let's see if they were really false alarms; if so, let's just have them.
Michiharu Ariza 5ab50eeb 2020-02-29T01:32:29 collect_unicodes() with clamp, calling add_range() Use add_range instead of an inner loop, and clamp its input number by the number of glyphs a face has. Even though cmap12 and 13 have 32-bit hb_codepoint_t, which is here used to cause the timeout, the face's maxp has a 16-bit gid limitation at least for now; using that makes sure we both fix the timeout and don't need to change many things here, also in order to support 32-bit gids someday. Fixes #2204
Garret Rieger 410b4881 2020-02-28T10:38:27 [subset] Add fuzzer timeout testcase.
Ebrahim Byagowi e57ced5f 2020-02-28T23:29:05 [gvar] Add other possibly fixed fuzzer case Speculatively should've been fixed by 61208401 https://crbug.com/oss-fuzz/20924 related
Ebrahim Byagowi 758fda72 2020-02-28T23:19:06 [glyf] Don't accept gids higher than maxp's glyphs number This especially becomes concerning on sub-components, where a gvar table that is sanitized using maxp's glyphs number overflows when a high gid accepted here goes to it; maybe an additional check can be put there also, this however feels to be enough. Fixes https://crbug.com/oss-fuzz/20944
Ebrahim Byagowi e9021386 2020-02-28T21:24:27 Revert "collect_unicodes() to check gid < num_glyphs with cmap 12" Didn't fix the case actually, making bots fail. This reverts commit 15b43a410400c74a32d40f4b89dbea02fa7cd6e1.
Ebrahim Byagowi 61208401 2020-02-28T21:09:07 [gvar] Use hb_bytes_t.check_range instead of having an in-house one And use TupleVarHeader calculated size for validity check. Fixes https://crbug.com/oss-fuzz/20919 and possibly other gvar related issues
Michiharu Ariza 15b43a41 2020-02-28T08:45:39 collect_unicodes() to check gid < num_glyphs with cmap 12 fixes #2204
Ebrahim Byagowi 8eba66c1 2020-02-27T15:58:58 [gvar] Fix invalid memory access by refactoring GlyphVarData fetch logic Fixes https://crbug.com/oss-fuzz/20906
ariza a99134c5 2020-02-26T09:58:03 add oss-fuzz 20886 test file
Ebrahim Byagowi 1c015d3e 2020-02-12T19:19:37 [fuzz] minor fuzzer case move, oops
Ebrahim Byagowi ff984ed3 2020-02-11T19:50:51 Use multiplication to avoid undefined behaviour per clang Newer versions of MSVC with /we4146 don't like putting a negative sign in front of an unsigned number, as in https://github.com/harfbuzz/harfbuzz/pull/2069 That, however, made https://crbug.com/1050424 complain: src/hb-ot-color-sbix-table.hh:304:28: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself which apparently can be fixed using this change. Let's see if this won't make another ubsan complain!
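Several entries in this log are integer-overflow fixes: the sbix negation of INT_MIN above, the "addition could overflow on 32bit arch" subset fix, the avar "mul overflow" fix, and the gvar switch to hb_bytes_t.check_range. The block below is an added example written for this page; the helpers are not harfbuzz's hb_unsigned_mul_overflows or check_range, and the U32Result/IntResult types are assumed. It shows the checks behind each of those fixes and, in the last two functions, why an unchecked offset + length is a font-parsing bug and not just a sanitizer nit.

```cpp
#include <climits>
#include <cstdint>

// Small checked-arithmetic helpers written for this page (not harfbuzz's
// hb_unsigned_mul_overflows / hb_bytes_t::check_range); they show the checks
// behind the negation, addition and multiplication overflows in the log.

struct IntResult { bool ok; int value; };
struct U32Result { bool ok; uint32_t value; };

// Negating INT_MIN is undefined behaviour: +2147483648 does not fit in int.
// Fails cleanly instead of overflowing.
IntResult checked_neg(int v) {
  if (v == INT_MIN) return IntResult{false, 0};
  return IntResult{true, -v};
}

// Negation through unsigned arithmetic, the "cast to an unsigned type to negate
// this value to itself" route: 0u - (unsigned)v never overflows (unsigned wraps),
// and INT_MIN maps to itself. The final int conversion is implementation-defined
// before C++20 and modular (two's complement) from C++20 on.
int wrapping_neg(int v) { return (int)(0u - (unsigned)v); }

// On a 32-bit build offset + length wraps silently; test before adding.
U32Result checked_add_u32(uint32_t a, uint32_t b) {
  if (a > UINT32_MAX - b) return U32Result{false, 0};
  return U32Result{true, a + b};
}

// count * record_size wraps the same way; divide to check without overflowing.
U32Result checked_mul_u32(uint32_t a, uint32_t b) {
  if (a != 0 && b > UINT32_MAX / a) return U32Result{false, 0};
  return U32Result{true, a * b};
}

// Why it matters for a table parser. The naive range check computes offset+len
// in 32 bits: a crafted offset near 0xFFFFFFFF wraps the sum below table_len and
// the check passes, so the later read lands outside the table blob.
bool naive_check_range(uint32_t table_len, uint32_t offset, uint32_t len) {
  return offset + len <= table_len;  // wraps: 0xFFFFFFF0 + 0x20 == 0x10
}

// Hardened: reject on overflow first, then compare against the table length.
bool check_range(uint32_t table_len, uint32_t offset, uint32_t len) {
  U32Result end = checked_add_u32(offset, len);
  return end.ok && end.value <= table_len;
}
```

With a 100-byte table, `naive_check_range(100, 0xFFFFFFF0, 0x20)` accepts the range because the sum wraps to 16, while `check_range` rejects it; the same offset/length pair is exactly what a fuzzer-minimized font carries in a sub-table offset field.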
ckitagawa e128f802 2020-01-21T13:35:43 [subset] Add CBLC support
ckitagawa ed857c46 2020-01-24T08:52:23 [subset] Add COLR support
ckitagawa-work 0e4b2676 2020-01-24T12:16:08 [subset] sbix fix missed offset is_null() check