projects / platform / upstream / libHarfBuzzSharp.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3530cc2)
[ot-font] Fix hmtx table length checking, *again*
authorBehdad Esfahbod <behdad@behdad.org>
Tue, 3 Nov 2015 20:15:12 +0000 (12:15 -0800)
committerBehdad Esfahbod <behdad@behdad.org>
Tue, 3 Nov 2015 20:15:12 +0000 (12:15 -0800)
Exactly the same problem that I fixed in
63ef0b41dc48d6112d1918c1b1de9de8ea90adb5

I rewrote the table checking yesterday in
67f8821fb25d9bd55719f5e29a582ae1af4b02b3
and introduced the exact same issue again. :(
Good thing we have ongoing fuzzing going now.  Was discovered
immediately by libFuzzer.  Thanks kcc!

https://github.com/behdad/harfbuzz/issues/139#issuecomment-153449473
Fixes https://github.com/behdad/harfbuzz/issues/156

src/hb-ot-font.cc patch | blob | history
test/shaping/fonts/sha1sum/8240789f6d12d4cfc4b5e8e6f246c3701bcf861f.ttf [new file with mode: 0644] patch | blob
test/shaping/fonts/sha1sum/MANIFEST patch | blob | history
test/shaping/tests/fuzzed.tests patch | blob | history

diff --git a/src/hb-ot-font.cc b/src/hb-ot-font.cc
index bde63fa..94c31b3 100644 (file)
--- a/src/hb-ot-font.cc
+++ b/src/hb-ot-font.cc
@@ -59,11 +59,11 @@ struct hb_ot_face_metrics_accelerator_t
 
     /* Cap num_metrics() and num_advances() based on table length. */
     unsigned int len = hb_blob_get_length (this->blob);
-    if (unlikely (this->num_advances * 4 < len))
+    if (unlikely (this->num_advances * 4 > len))
       this->num_advances = len / 4;
     this->num_metrics = this->num_advances + (len - 4 * this->num_advances) / 2;
 
-    /* We MUSt set num_metrics to zero if num_advances is zero.
+    /* We MUST set num_metrics to zero if num_advances is zero.
      * Our get_advance() depends on that. */
     if (unlikely (!this->num_advances))
     {
diff --git a/test/shaping/fonts/sha1sum/8240789f6d12d4cfc4b5e8e6f246c3701bcf861f.ttf b/test/shaping/fonts/sha1sum/8240789f6d12d4cfc4b5e8e6f246c3701bcf861f.ttf
new file mode 100644 (file)
index 0000000..8eed14d
Binary files /dev/null and b/test/shaping/fonts/sha1sum/8240789f6d12d4cfc4b5e8e6f246c3701bcf861f.ttf differ
diff --git a/test/shaping/fonts/sha1sum/MANIFEST b/test/shaping/fonts/sha1sum/MANIFEST
index 902fa00..785e6ef 100644 (file)
--- a/test/shaping/fonts/sha1sum/MANIFEST
+++ b/test/shaping/fonts/sha1sum/MANIFEST
@@ -17,6 +17,7 @@
 757ebd573617a24aa9dfbf0b885c54875c6fe06b.ttf
 7e14e7883ed152baa158b80e207b66114c823a8b.ttf
 813c2f8e5512187fd982417a7fb4286728e6f4a8.ttf
+8240789f6d12d4cfc4b5e8e6f246c3701bcf861f.ttf
 8454d22037f892e76614e1645d066689a0200e61.ttf
 8a9fea2a7384f2116e5b84a9b31f83be7850ce21.ttf
 a919b33197965846f21074b24e30250d67277bce.ttf
diff --git a/test/shaping/tests/fuzzed.tests b/test/shaping/tests/fuzzed.tests
index 6bb30b0..64e96d7 100644 (file)
--- a/test/shaping/tests/fuzzed.tests
+++ b/test/shaping/tests/fuzzed.tests
@@ -3,3 +3,4 @@ fonts/sha1sum/5a5daf5eb5a4db77a2baa3ad9c7a6ed6e0655fa8.ttf:--font-funcs=ot:U+004
 fonts/sha1sum/0509e80afb379d16560e9e47bdd7d888bebdebc6.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
 fonts/sha1sum/641bd9db850193064d17575053ae2bf8ec149ddc.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
 fonts/sha1sum/375d6ae32a3cbe52fbf81a4e5777e3377675d5a3.ttf:--font-funcs=ot:U+0041:[gid0=0+4352]
+fonts/sha1sum/8240789f6d12d4cfc4b5e8e6f246c3701bcf861f.ttf:--font-funcs=ot:U+0041:[gid0=0+2304]
Domain: Dotnet / API;