From 16fba5b2158a0e093e6df32637eba5058942e299 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Wed, 29 Nov 2017 16:08:11 -0800
Subject: [PATCH] [ot] Fix Extension type recurse to disallow recursing to another Extension

Particularly hazardous if the second layer mixes forward and backward lookups.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4336
---
 src/hb-ot-layout-gsub-table.hh | 6 ++++--
 .../9d8a94a67932a3ab75a596fc8b5c6d0392ca9e49.ttf | Bin 0 -> 4545 bytes
 .../ef2511f215aa3ca847cbfffbf861793b42170875.ttf | Bin 0 -> 1152 bytes
 test/shaping/tests/fuzzed.tests | 2 ++
 4 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 test/shaping/fonts/sha1sum/9d8a94a67932a3ab75a596fc8b5c6d0392ca9e49.ttf
 create mode 100644 test/shaping/fonts/sha1sum/ef2511f215aa3ca847cbfffbf861793b42170875.ttf

diff --git a/src/hb-ot-layout-gsub-table.hh b/src/hb-ot-layout-gsub-table.hh
index 4fb56c1a8..28e0790e6 100644
--- a/src/hb-ot-layout-gsub-table.hh
+++ b/src/hb-ot-layout-gsub-table.hh
@@ -1280,9 +1280,11 @@ struct SubstLookup : Lookup
 if (unlikely (get_type () == SubstLookupSubTable::Extension))
 {
 /* The spec says all subtables of an Extension lookup should
- * have the same type. This is specially important if one has
- * a reverse type! */
+ * have the same type, which shall not be the Extension type
+ * itself. This is specially important if one has a reverse type! */
 unsigned int type = get_subtable (0).u.extension.get_type ();
+ if (unlikely (type == SubstLookupSubTable::Extension))
+ return_trace (false);
 unsigned int count = get_subtable_count ();
 for (unsigned int i = 1; i < count; i++)
 if (get_subtable (i).u.extension.get_type () != type)
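Review bot: The new early return only inspects subtable 0, and rejection of an Extension-typed subtable at any later index is left to the mismatch loop that follows (since `type` can no longer equal Extension, any later Extension subtable differs from it); that dependency is implicit and worth stating so a future reader does not add a redundant per-subtable check, e.g. `/* Later subtables must match `type`, so an Extension among them fails the loop below. */` on the new `if` line. Note also that `type` is read from `get_subtable (0)` before `count` is known, so the check presumably relies on an out-of-range subtable access yielding a Null object whose type is not Extension — I would confirm that rather than assume it. What the loop does on a mismatch, and the rest of the enclosing sanitize function, start and end outside the hunk.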
diff --git a/test/shaping/fonts/sha1sum/9d8a94a67932a3ab75a596fc8b5c6d0392ca9e49.ttf b/test/shaping/fonts/sha1sum/9d8a94a67932a3ab75a596fc8b5c6d0392ca9e49.ttf new file mode 100644 index 0000000000000000000000000000000000000000..3fb9951bbe66afbaad4ca42508a3b1905cd520c5 GIT binary patch literal 4545 zcmdUzv2N2~6oqdbH<(NrI-qWd0g4o<0X1!4f`yKj5DyT$DMA7U$kJ!v5#UvLC^i-p z?(brMDL(zNrKl3NTA!SI&bjxuY^Svi%q+Q|*wF0N>o+eSzWWxKgGW;f$Fc4EK6t-e zf3(a$4eg$NceLl#)Djz2zg=kQU9-o298|u3rzTK3I1njtxwx{?fzZKqOW9Xv?Kvr+Zh6~xC{y88h#nwxDy6>; zheE1bR~=p)@tM)#)sApohwWdw_LG4gAeGXtUVG*=*B?4HDaq*Ilmi{8t7F%Bs&Bl9 za=@{oIKn|U9I6V34lh*@IyjK3wz=EBBA734u0J^DQ&pvd1CbKrZhPfws=W6(AO*xK z<9SNg-$4o!#1Rg<;ZRjLba<(P(7}OJHIJTq9JOxx`SR0h`=1)(Yst-jrtJBHe*D+_ elGOZV$)C;NeuP&N{;7Jwanp;F5JFpKocsoYscz%| literal 0 HcmV?d00001 diff --git a/test/shaping/fonts/sha1sum/ef2511f215aa3ca847cbfffbf861793b42170875.ttf b/test/shaping/fonts/sha1sum/ef2511f215aa3ca847cbfffbf861793b42170875.ttf new file mode 100644 index 0000000000000000000000000000000000000000..6a3af4657e1f35b1c8caf2ee62e3a744dab13d22 GIT binary patch literal 1152 zcmd^9Jxc>Y5Pf^uoX3$9#ZC*AKuC&!t#;a2qzYmyoI>zGFGon>zYqoe16Cr4e?YJn zOaF*f)DYJSA7cmgcP+ep_uEC|;ED6z~TF74-< z?w((s-X0wL(ZYycXqs<9DvWyc@3zL8f^^t6Nr+TE{XRs7ltC^EMmTl3Y)4@cX9Czn z z8&`TgYf?l#7G5jYdoiuHVV8UWGg?~BW)@PuB&;D{9w$Ifl7F;7Ic6P9krJMxD=V;) zo|E=U38qov7f|a=^GG|M7?H{Ym>WC*0|^PJ$7@tGyi%v`scGO$HV{&yvSWn*W`h4N cRrX2qaKGE<*%pNPIpjwHmAJ{Jib0y-6IX+W&j0`b literal 0 HcmV?d00001 diff --git a/test/shaping/tests/fuzzed.tests b/test/shaping/tests/fuzzed.tests index edac28562..bb2c32b1d 100644 --- a/test/shaping/tests/fuzzed.tests +++ b/test/shaping/tests/fuzzed.tests 
@@ -17,3 +17,5 @@ fonts/sha1sum/b6acef662e0beb8d5fcf5b61c6b0ca69537b7402.ttf:--font-funcs=ot:U+004
 fonts/sha1sum/e88c339237f52d21e01c55f01b9c1b4cc14a0467.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
 fonts/sha1sum/243798dd281c1c77c065958e1ff467420faa9bde.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
 fonts/sha1sum/dd9f0c7c7c36f75a18be0cab1cddf8f3ab0f366b.ttf:--font-funcs=ot --no-positions --no-clusters --no-glyph-names:U+0041:[0|0|2|0|0|2|0|0|2|0|0|2|0|0|2|0|0|2|0|0|0|2|0|0|0|2|0|0|2|0|0|2|0|0|2|0|0|2|0|0|0|2|0|0|2|0|0|2|0|0|2|0]
+fonts/sha1sum/ef2511f215aa3ca847cbfffbf861793b42170875.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
+fonts/sha1sum/9d8a94a67932a3ab75a596fc8b5c6d0392ca9e49.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]