Google Git
Sign in
flutter / third_party / harfbuzz / 44f7d6ecde9bf7427a05cbe73ed5d668b8a72b2a^! / .
commit44f7d6ecde9bf7427a05cbe73ed5d668b8a72b2a[log] [tgz]
authorjfkthame <jfkthame@gmail.com>Fri Feb 17 03:03:24 2017 +0000
committerBehdad Esfahbod <behdad@behdad.org>Thu Feb 16 19:03:24 2017 -0800
treed3cc0f4bff1d117ac9b20430b627aaf7b7b19b28
parent45766b673f427bb791c9d5886cadedfac0447066 [diff]
Guard against underflow when adjusting length (#421)

* Guard against underflow when adjusting length

With the fuzz-testcase in mozilla bug 1295299, we end up with a recursed lookup that removes 3 items, when `match_positions[idx]` is 0, which results in (unsigned) `end` wrapping to a huge value.

Making `end` a signed int is probably the simplest route to a fix.

Fixes https://bugzilla.mozilla.org/show_bug.cgi?id=1295299.

* Add testcase for #421.

diff --git a/src/hb-ot-layout-gsubgpos-private.hh b/src/hb-ot-layout-gsubgpos-private.hh
index b7a0122..0c42352 100644
--- a/src/hb-ot-layout-gsubgpos-private.hh
+++ b/src/hb-ot-layout-gsubgpos-private.hh

@@ -959,7 +959,7 @@
   TRACE_APPLY (NULL);
 
   hb_buffer_t *buffer = c->buffer;
-  unsigned int end;
+  int end;
 
   /* All positions are distance from beginning of *output* buffer.
    * Adjust. */
@@ -998,8 +998,8 @@
 
     /* Recursed lookup changed buffer len.  Adjust. */
 
-    end = int (end) + delta;
-    if (end <= match_positions[idx])
+    end += delta;
+    if (end <= int (match_positions[idx]))
     {
       /* End might end up being smaller than match_positions[idx] if the recursed
        * lookup ended up removing many items, more than we have had matched.

diff --git a/test/shaping/fonts/sha1sum/558661aa659912f4d30ecd27bd09835171a8e2b0.ttf b/test/shaping/fonts/sha1sum/558661aa659912f4d30ecd27bd09835171a8e2b0.ttf
new file mode 100644
index 0000000..5d72fdf
--- /dev/null
+++ b/test/shaping/fonts/sha1sum/558661aa659912f4d30ecd27bd09835171a8e2b0.ttf
Binary files differ

diff --git a/test/shaping/tests/fuzzed.tests b/test/shaping/tests/fuzzed.tests
index 771ac2b..d9bace3 100644
--- a/test/shaping/tests/fuzzed.tests
+++ b/test/shaping/tests/fuzzed.tests

@@ -10,3 +10,4 @@
 fonts/sha1sum/fab39d60d758cb586db5a504f218442cd1395725.ttf:--font-funcs=ot:U+0041,U+0041:[gid0=0+1000|gid0=1+1000]
 fonts/sha1sum/205edd09bd3d141cc9580f650109556cc28b22cb.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
 fonts/sha1sum/217a934cfe15c548b572c203dceb2befdf026462.ttf:--font-funcs=ot:U+0061,U+0061,U+0061:[]
+fonts/sha1sum/558661aa659912f4d30ecd27bd09835171a8e2b0.ttf:--font-funcs=ot:U+FFFD,U+E0100,U+FFFD,U+E0010:[]