src/hb-cff-interp-dict-common.hh | 51 +++++++--- test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5672006905757696 |binary 2 files changed, 37 insertions(+), 14 deletions(-)
New commits: commit d9dabc00e9278a346e85538212c126da7e610d55 Merge: 81cfd3c7 010e2ddb Author: Behdad Esfahbod <beh...@behdad.org> Date: Wed Dec 5 15:39:34 2018 -0800 Merge pull request #1454 from harfbuzz/cff-fixbcd [CFF] fix oss-fuzz issue 11674: parse_bcd commit 010e2ddb384b5a721172fd7466aafec58dbf8063 Author: Michiharu Ariza <ar...@adobe.com> Date: Wed Dec 5 12:23:58 2018 -0800 minimized test case for oss-fuzz issue 11674 diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5672006905757696 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5672006905757696 new file mode 100644 index 00000000..cb5fb83d Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5672006905757696 differ commit 2cb9d4c183afc838ecf2ba0d47814e9eaa6f09c6 Merge: a5fa843c 8394a6cb Author: Michiharu Ariza <ar...@adobe.com> Date: Wed Dec 5 11:25:29 2018 -0800 Merge branch 'master' into cff-fixbcd commit a5fa843c746e20aaca48ece6cff057deb8d916ca Author: Michiharu Ariza <ar...@adobe.com> Date: Wed Dec 5 11:18:16 2018 -0800 fixed a bug with fractional part in a negative value diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh index 005e15e6..63ca685e 100644 --- a/src/hb-cff-interp-dict-common.hh +++ b/src/hb-cff-interp-dict-common.hh @@ -146,7 +146,11 @@ struct DictOpSet : OpSet<Number> case END: value = (double)(neg? -int_part: int_part); if (frac_count > 0) - value += (frac_part / pow (10.0, (double)frac_count)); + { + double frac = (frac_part / pow (10.0, (double)frac_count)); + if (neg) frac = -frac; + value += frac; + } if (unlikely (exp_overflow)) { if (value == 0.0) commit 620d1ef588c6ce25644891cfe4b9c20fd8a9d1db Author: Michiharu Ariza <ar...@adobe.com> Date: Wed Dec 5 00:36:11 2018 -0800 fix unsigned long const diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh index 2c7a9710..005e15e6 100644 --- a/src/hb-cff-interp-dict-common.hh 
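Review bot: The sign is now applied twice in the END case, once to int_part on the line above and again to the fractional part inside the new block, where applying it once to the combined magnitude is simpler and cannot drift apart again: `double magnitude = int_part; if (frac_count > 0) magnitude += frac_part / pow (10.0, (double) frac_count); value = neg ? -magnitude : magnitude;`. Negation is exact in IEEE arithmetic, so this yields the same value as the committed code; it is a point of style only, and the fix itself is correct for the negative case. parse_bcd begins and ends outside this hunk.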
+++ b/src/hb-cff-interp-dict-common.hh @@ -115,7 +115,7 @@ struct DictOpSet : OpSet<Number> bool exp_overflow = false; enum Part { INT_PART=0, FRAC_PART, EXP_PART } part = INT_PART; enum Nibble { DECIMAL=10, EXP_POS, EXP_NEG, RESERVED, NEG, END }; - const uint64_t MAX_FRACT = 0xFFFFFFFFFFFFFlu; /* 1^52-1 */ + const uint64_t MAX_FRACT = 0xFFFFFFFFFFFFFllu; /* 1^52-1 */ const uint32_t MAX_EXP = 0x7FFu; /* 1^11-1 */ double value = 0.0; commit 28dfb4c14280b05ad0a519f9df2b0eda41a62540 Author: Michiharu Ariza <ar...@adobe.com> Date: Wed Dec 5 00:26:03 2018 -0800 fix signed/unsigned comparison diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh index d5376e84..2c7a9710 100644 --- a/src/hb-cff-interp-dict-common.hh +++ b/src/hb-cff-interp-dict-common.hh @@ -108,7 +108,7 @@ struct DictOpSet : OpSet<Number> { bool neg = false; double int_part = 0; - int64_t frac_part = 0; + uint64_t frac_part = 0; uint32_t frac_count = 0; bool exp_neg = false; uint32_t exp_part = 0; @@ -206,7 +206,7 @@ struct DictOpSet : OpSet<Number> case FRAC_PART: if (likely ((frac_part <= MAX_FRACT / 10))) { - frac_part = (frac_part * 10) + d; + frac_part = (frac_part * 10) + (unsigned)d; frac_count++; } break; commit f9cee08edd32182044407bf6ffde00df0feb09b7 Author: Michiharu Ariza <ar...@adobe.com> Date: Tue Dec 4 23:58:26 2018 -0800 use sized int types in parse_bcd diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh index 0ffd4cec..d5376e84 100644 --- a/src/hb-cff-interp-dict-common.hh +++ b/src/hb-cff-interp-dict-common.hh 
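Review bot: The comment on the changed MAX_FRACT line is wrong: `0xFFFFFFFFFFFFF` is 2^52-1, not `1^52-1`, and the `0x7FFu` on the following context line is likewise 2^11-1, not `1^11-1`. 2^52-1 is the largest integer a double represents exactly, which is presumably why this bound was chosen, so recording that would help the next reader: `/* 2^52-1: largest integer a double holds exactly */` and `/* 2^11-1: keeps 10^exp within double range */`. The `llu` suffix change itself is fine. parse_bcd starts and ends outside this hunk.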
@@ -108,19 +108,19 @@ struct DictOpSet : OpSet<Number> { bool neg = false; double int_part = 0; - long frac_part = 0; - unsigned int frac_count = 0; + int64_t frac_part = 0; + uint32_t frac_count = 0; bool exp_neg = false; - unsigned int exp_part = 0; + uint32_t exp_part = 0; bool exp_overflow = false; enum Part { INT_PART=0, FRAC_PART, EXP_PART } part = INT_PART; enum Nibble { DECIMAL=10, EXP_POS, EXP_NEG, RESERVED, NEG, END }; - const unsigned long MAX_FRACT = 0xFFFFFFFFFFFFFlu; /* 1^52-1 */ - const unsigned int MAX_EXP = 0x7FFu; /* 1^11-1 */ + const uint64_t MAX_FRACT = 0xFFFFFFFFFFFFFlu; /* 1^52-1 */ + const uint32_t MAX_EXP = 0x7FFu; /* 1^11-1 */ double value = 0.0; unsigned char byte = 0; - for (unsigned int i = 0;; i++) + for (uint32_t i = 0;; i++) { char d; if ((i & 1) == 0) commit c01a5f32a33fa875de68ca29a4672fd36a05245b Author: Michiharu Ariza <ar...@adobe.com> Date: Tue Dec 4 23:23:23 2018 -0800 refix diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh index f84f26cd..0ffd4cec 100644 --- a/src/hb-cff-interp-dict-common.hh +++ b/src/hb-cff-interp-dict-common.hh @@ -204,7 +204,7 @@ struct DictOpSet : OpSet<Number> break; case FRAC_PART: - if (likely ((fract_part <= MAX_FRACT / 10))) + if (likely ((frac_part <= MAX_FRACT / 10))) { frac_part = (frac_part * 10) + d; frac_count++; commit 755fefc92113e469a1aadee2546958fede156c01 Author: Michiharu Ariza <ar...@adobe.com> Date: Tue Dec 4 23:18:28 2018 -0800 fix bug diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh index 7eafc7c0..f84f26cd 100644 --- a/src/hb-cff-interp-dict-common.hh +++ b/src/hb-cff-interp-dict-common.hh 
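Review bot: int_part, visible here as the context line `double int_part = 0;`, is the one accumulator this series leaves unbounded: the fractional and exponent digits get MAX_FRACT and MAX_EXP caps in the later hunks, but a long run of integer-part nibbles keeps multiplying int_part by ten until it saturates to +inf, which then flows into value (and into the `value == 0.0` overflow test) unchanged. Whether a ±inf operand is harmless for the dictionary consumers cannot be judged from this diff; if it is not, a guard in the INT_PART branch (not shown in this hunk) such as `if (likely (int_part <= DBL_MAX / 10)) int_part = (int_part * 10) + d;` would keep the result finite, mirroring the other two branches. parse_bcd starts and ends outside this hunk.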
@@ -204,7 +204,7 @@ struct DictOpSet : OpSet<Number> break; case FRAC_PART: - if (likely ((frac_count <= MAX_FRACT / 10))) + if (likely ((fract_part <= MAX_FRACT / 10))) { frac_part = (frac_part * 10) + d; frac_count++; commit 0e81b153aff1f2e301e73ca1a15a9bc5b2e7bb82 Author: Michiharu Ariza <ar...@adobe.com> Date: Tue Dec 4 22:40:07 2018 -0800 fix typo diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh index ace91bea..7eafc7c0 100644 --- a/src/hb-cff-interp-dict-common.hh +++ b/src/hb-cff-interp-dict-common.hh @@ -204,7 +204,7 @@ struct DictOpSet : OpSet<Number> break; case FRAC_PART: - if (likely ((fract_count <= MAX_FRACT / 10))) + if (likely ((frac_count <= MAX_FRACT / 10))) { frac_part = (frac_part * 10) + d; frac_count++; commit 85d4b15cd88ce9a6ffccccf90300f9c184166058 Author: Michiharu Ariza <ar...@adobe.com> Date: Tue Dec 4 22:30:33 2018 -0800 include float.h diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh index 62c87e94..ace91bea 100644 --- a/src/hb-cff-interp-dict-common.hh +++ b/src/hb-cff-interp-dict-common.hh @@ -28,6 +28,7 @@ #include "hb-cff-interp-common.hh" #include <math.h> +#include <float.h> namespace CFF { commit 5a7c371e4c6f1775ebbfe120fafe92afe402a954 Author: Michiharu Ariza <ar...@adobe.com> Date: Tue Dec 4 22:24:38 2018 -0800 check overflow & clamp diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh index 2822af40..62c87e94 100644 --- a/src/hb-cff-interp-dict-common.hh +++ b/src/hb-cff-interp-dict-common.hh 
@@ -105,16 +105,17 @@ struct DictOpSet : OpSet<Number> static inline double parse_bcd (SubByteStr& substr) { - double v = 0.0; - bool neg = false; double int_part = 0; long frac_part = 0; unsigned int frac_count = 0; bool exp_neg = false; unsigned int exp_part = 0; + bool exp_overflow = false; enum Part { INT_PART=0, FRAC_PART, EXP_PART } part = INT_PART; enum Nibble { DECIMAL=10, EXP_POS, EXP_NEG, RESERVED, NEG, END }; + const unsigned long MAX_FRACT = 0xFFFFFFFFFFFFFlu; /* 1^52-1 */ + const unsigned int MAX_EXP = 0x7FFu; /* 1^11-1 */ double value = 0.0; unsigned char byte = 0; @@ -139,12 +140,21 @@ struct DictOpSet : OpSet<Number> { case RESERVED: substr.set_error (); - return v; + return value; case END: value = (double)(neg? -int_part: int_part); if (frac_count > 0) value += (frac_part / pow (10.0, (double)frac_count)); + if (unlikely (exp_overflow)) + { + if (value == 0.0) + return value; + if (exp_neg) + return neg? -DBL_MIN: DBL_MIN; + else + return neg? -DBL_MAX: DBL_MAX; + } if (exp_part != 0) { if (exp_neg) @@ -167,7 +177,7 @@ struct DictOpSet : OpSet<Number> if (part != INT_PART) { substr.set_error (); - return v; + return value; } part = FRAC_PART; break; @@ -180,7 +190,7 @@ struct DictOpSet : OpSet<Number> if (part == EXP_PART) { substr.set_error (); - return v; + return value; } part = EXP_PART; break; @@ -193,18 +203,26 @@ struct DictOpSet : OpSet<Number> break; case FRAC_PART: - frac_part = (frac_part * 10) + d; - frac_count++; + if (likely ((fract_count <= MAX_FRACT / 10))) + { + frac_part = (frac_part * 10) + d; + frac_count++; + } break; case EXP_PART: - exp_part = (exp_part * 10) + d; + if (likely (exp_part * 10) + d <= MAX_EXP) + { + exp_part = (exp_part * 10) + d; + } + else + exp_overflow = true; break; } } } - return v; + return value; } static inline bool is_hint_op (OpCode op) _______________________________________________ HarfBuzz mailing list HarfBuzz@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/harfbuzz
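Review bot: The exponent guard added in the EXP_PART case, `if (likely (exp_part * 10) + d <= MAX_EXP)`, has its closing parenthesis in the wrong place: only `exp_part * 10` is inside `likely`, and if `likely` is the usual `__builtin_expect (!!(expr), 1)` wrapper (its definition is not in this diff) the condition collapses to `(0 or 1) + d <= MAX_EXP`, which holds for every digit, so exp_overflow is never set, exp_part wraps freely, and the clamp this commit introduces never fires. The line should read `if (likely ((exp_part * 10) + d <= MAX_EXP))`. A one-line comment on the FRAC_PART branch, `/* extra fractional digits are below double precision and are dropped */`, would also make the silent truncation there look intentional rather than accidental. parse_bcd begins outside this hunk.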