Garret Rieger
8c0c217b5a
[subset] fail reference blob in face builder if allocation for table sorting fails.
...
Fixes https://oss-fuzz.com/testcase-detail/5041767803125760
3 years ago
Behdad Esfahbod
5086e10538
[test] Add failing fuzzer test case
...
From https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36236
https://oss-fuzz.com/testcase-detail/5061207689134080
3 years ago
Behdad Esfahbod
0ded6a70c8
[subset] Fix another fuzzer issue
...
Addition could overflow on 32bit arch.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36636
Fixes https://oss-fuzz.com/testcase-detail/5072358514753536
3 years ago
Garret Rieger
09474d8d7b
[subset] Fix fuzzer timeout in add_gid_and_children.
...
The composite glyph graph isn't check for max operations by sanitize so track an operations count during the graph traversal.
3 years ago
Behdad Esfahbod
c68a00b92e
[subset] Fix possible overflows in VarRegionList serialize
...
Fixes https://oss-fuzz.com/testcase-detail/5362189182566400
3 years ago
Qunxin Liu
7416faceeb
[subset] fuzzer fix: https://oss-fuzz.com/testcase-detail/5715464591376384
3 years ago
Garret Rieger
bc06af977f
[subset] speed up feature collection when tags are specified.
...
Precompute a feature index filter to avoid needing to iterate the feature tag list for each encountered feature index. For this particular fuzzer case speeds up feature collection from 50s to 2s.
3 years ago
Garret Rieger
675ebbeb3a
[subset] don't alloc zero bytes.
...
It will be leaked later since hb_blob_create() won't set up the blob to cleanup since it has length zero.
3 years ago
Qunxin Liu
35d6af6943
[subset] fix fuzzer testcase: https://oss-fuzz.com/testcase-detail/5965777994907648
3 years ago
Qunxin Liu
1b6008ca62
fix fuzzer testcase: https://oss-fuzz.com/testcase-detail/5417934246772736
3 years ago
Qunxin Liu
7ab0f4eda9
fuzzer fix
4 years ago
Garret Rieger
425ba1f4ab
[subset] fixes infinite loop in hb_set_get_max().
...
Fixes https://oss-fuzz.com/testcase-detail/5363902507515904
4 years ago
Garret Rieger
ec4321068b
[subset] fix infinite loop caused by alloc failure in repacker.
...
Fixes: https://oss-fuzz.com/testcase-detail/5609112151916544 .
4 years ago
Garret Rieger
0e845d973e
[subset] fix memory leak in repacker caused by failed alloc.
...
Fixes: https://oss-fuzz.com/testcase-detail/5616763250278400 .
4 years ago
Garret Rieger
3fb62cdc14
[subset] fail on offset overflow in tables that we don't repack.
...
Fixes: https://oss-fuzz.com/testcase-detail/5229304507138048
4 years ago
Qunxin Liu
9dc9f0385d
[subset] fix for fuzzer testcase: https://oss-fuzz.com/testcase-detail/5858518134554624
4 years ago
Qunxin Liu
4af5dacedc
[subset] add fuzzer testcase
4 years ago
Garret Rieger
64122b5a44
[subset] don't visit lookup if covered glyph set has failed.
...
If covered glyph set is in error then the same lookup can be recursed into repeatedly potentially causing a fuzzer timeout. Fixes: https://oss-fuzz.com/testcase-detail/5416421032067072 .
4 years ago
Garret Rieger
71d6d15600
[subset] clamp distance to prevent shifting outside of the limits of int64.
...
Fixes https://oss-fuzz.com/testcase-detail/4961171477233664 .
4 years ago
Garret Rieger
c5c13006a1
[subset] fix memory leaks found in https://oss-fuzz.com/testcase-detail/5179935334465536
4 years ago
Garret Rieger
adca4ce071
[subset] fixes https://oss-fuzz.com/testcase-detail/6173520787800064 .
...
Caused by incorrect bounds check in glyph closure for context lookups.
4 years ago
Garret Rieger
752e393ad2
[subset] avoid calling clear on null pool set.
4 years ago
Garret Rieger
8741914a80
[subset] fix memory leak when map insert fails.
4 years ago
Garret Rieger
5b6da6d2f0
[subset] add fuzzer test case.
4 years ago
Garret Rieger
a804a0c903
[subset] add fuzzer test case.
4 years ago
Garret Rieger
5ca353a2d0
[subset] fix heap buffer overflow found by fuzzer.
4 years ago
Behdad Esfahbod
33a0f0b686
[test] Remove fuzzed test font that triggers virus alert
...
Fixes https://github.com/harfbuzz/harfbuzz/issues/2750
4 years ago
Garret Rieger
a4c3732f59
[ENOMEM] fix set clear() causing corruption if the set is in_error().
4 years ago
Khaled Hosny
5091ea7e24
Merge pull request #2733 from astiob/buffer-context-doc
...
[docs] Describe buffer context applicability more explicitly
4 years ago
Garret Rieger
bbbcad0dbb
Revert "[ENOMEM] don't perform set process operations if the other set is in an error state."
...
This reverts commit f3929abafe
.
4 years ago
Garret Rieger
f3929abafe
[ENOMEM] don't perform set process operations if the other set is in an error state.
...
Running a process while the other set is in an error state can potentially corrupt this sets map map (for example by overwritting all of the major values with 0).
4 years ago
Garret Rieger
8c3d4de796
[subset] Fix integer underflow in ContextFormat2.
4 years ago
Garret Rieger
9825e3dd2e
[ENOMEM] fix access to unitialized memory.
...
If the serialize() call fails to write the object then we can't safely read varstore_prime fields. Fixes https://oss-fuzz.com/testcase-detail/5137462782066688 .
4 years ago
ebraminio
1e48225ca3
[ENOMEM] Check whether serialize context isn't in error
4 years ago
Garret Rieger
9562239f05
[ENOMEM] check for error in lookup visited set.
4 years ago
Garret Rieger
6f754852c1
[ENOMEM] skip asserts in to_bias if serializer is in an error state.
4 years ago
Ebrahim Byagowi
ffe06c8f04
[glyf] Guard all the public APIs against null pool runs
...
Fixes https://crbug.com/oss-fuzz/24575 and https://crbug.com/oss-fuzz/24737
4 years ago
Garret Rieger
18ab8029d5
[ENOMEM] check vector status in cmap subsetting.
4 years ago
Garret Rieger
06dbb6acbb
[ENOMEM] in GSUB ChainContext subsetting check maps for allocation errors.
4 years ago
Garret Rieger
fb1477795c
[ENOMEM] Check result of vector resize in CBDT subsetting.
4 years ago
Ebrahim Byagowi
efd716de3f
[cff] Check for scalars array resize result
...
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24504
4 years ago
Garret Rieger
040ed094ef
[ENOMEM] popragate packed/packed_map errors to the serializer.
...
Will disable further modifications based on a bad state.
4 years ago
Garret Rieger
7f358a55f4
[ENOMEM] unchecked resize in CFF2.
4 years ago
Garret Rieger
32f052b033
[ENOMEM] Fix several instances of not checking resize in CFF.
4 years ago
Garret Rieger
15644ee60e
[ENOMEM] fix memory leak if allocation fails during pop_pack().
4 years ago
Garret Rieger
42237adffc
[ENOMEM] make serializer modification operations no-ops if it's in an error state.
4 years ago
Garret Rieger
4ba8e3c6fd
[ENOMEM] Fix failure to check calloc return.
...
Fixes https://oss-fuzz.com/testcase-detail/6246465148813312 .
4 years ago
Garret Rieger
d307c24abf
[ENOMEM] check resize() return.
...
Fixes https://oss-fuzz.com/testcase-detail/5641892164009984 .
4 years ago
Ebrahim Byagowi
11d583a9ea
[aat] Consume glyph insertion from buffer's max_ops ( #2223 )
...
Glyph insertion is an expensive operation and we like to have it limited
based on buffer's input size which is handled by buffer's max_ops.
clusterfuzz-testcase-minimized-harfbuzz_fuzzer-5754958982021120:
Before the change: 0.67s user 0.00s system 99% cpu 0.674 total
After the change: 0.02s user 0.00s system 98% cpu 0.024 total
Which takes much longer on valgrind and tsan bots.
4 years ago
ckitagawa
b22f61d86a
Fix bug
5 years ago