From 269a120f137ca69ca83b6fa00bb6a0ff1a87ae3e Mon Sep 17 00:00:00 2001
From: Ebrahim Byagowi
Date: Sun, 25 Aug 2019 20:37:00 +0430
Subject: [PATCH] [subset] Raise the bar in new vs old table size
https://crbug.com/oss-fuzz/16740 This is actually an interesting thing that {h,v}mtx allocates as much as a font pretends to have glyphs but the solution is not that obvious as regular fonts can have less than actually containing metrics in their {h,v}mtx. This change raises the bar to consider this hmtx 4 byte for every glyph case. Initially we wanted to just find things allocating crazy amount of memory but having the assert has led to interesting findings also so let's don't remove the assert and see what we can find elsewhere.
---
 src/hb-subset.cc | 2 +-
 ...se-minimized-hb-subset-fuzzer-5667673584697344 | Bin 0 -> 178 bytes
 2 files changed, 1 insertion(+), 1 deletion(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5667673584697344
diff --git a/src/hb-subset.cc b/src/hb-subset.cc
index f18901705..16ea3bcb6 100644
--- a/src/hb-subset.cc
+++ b/src/hb-subset.cc
@@ -92,8 +92,8 @@ _subset2 (hb_subset_plan_t *plan)
 bool needed = table->subset (&c);
 if (serializer.ran_out_of_room)
 {
+ assert (buf_size <= (source_blob->length + plan->num_output_glyphs ()) * 16 + 4096);
 buf_size += (buf_size >> 1) + 32;
- assert (buf_size <= source_blob->length * 16 + 4096);
 DEBUG_MSG(SUBSET, nullptr, "OT::%c%c%c%c ran out of room; reallocating to %u bytes.", HB_UNTAG (tag), buf_size);
 if (unlikely (!buf.alloc (buf_size)))
 {
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5667673584697344 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5667673584697344
new file mode 100644
index 0000000000000000000000000000000000000000..e08ab56ed3053a29fdcaba23579744ca1769fa19
GIT binary patch
literal 178
zcmZQzWME)mR{(
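Review bot: The relocated `assert` is a fuzzing oracle rather than a runtime bound: it compiles out under `NDEBUG`, so in release builds the reallocation loop's growth `buf_size += (buf_size >> 1) + 32` is limited only by `buf.alloc` eventually failing, which the commit message acknowledges but the code does not say. A one-line comment above the new assert would keep a later reader from mistaking it for the mitigation, e.g. `/* Fuzzing oracle, not a guard: compiled out with NDEBUG; bounds growth by input size plus ~16 B per output glyph ({h,v}mtx can legitimately need 4 B/glyph). */`. The product `(source_blob->length + plan->num_output_glyphs ()) * 16` is evaluated in whatever unsigned width those fields have, so for inputs above roughly 2^28 bytes it could wrap and make the bound vacuous; this is hedged, since the types are not visible in the hunk. `_subset2` begins and ends outside the hunk.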