foliojs / fontkit

An advanced font engine for Node and the browser

[GSUB] Billion laughs attack #221

Open brawer opened 4 years ago

brawer commented 4 years ago

fontkit can be tricked into an OpenType version of the ‘billion laughs’ attack. See failing test case GSUB-3 which has a test font.

Pomax commented 4 years ago

Not sure I understand the description - if each lookup is for expanding l+o+l as l + o + l + o + l, then the first lookup turns lol into lolol (1 => 2), the second turns it into lolololol (2 => 4), the third forms lolololololololol (4 => 8) and so on, doubling at every lookup. That's still exponential growth, but certainly not as bad as the 10^9 the description alludes to. Where does the factor 10 come from?

brawer commented 4 years ago

Just checked by de-compiling the test font with fonttools. Yes, the font’s GSUB table contains a multiple substitution that replaces o by olololololololololo, so the base is indeed 10.

Pomax commented 4 years ago

Ah, in that case the description for that test probably needs an update, because it currently says "Each lookup replaces the glyph o by the string olo, provided that the o is surrounded (both preceded and followed) by an l. "

Pomax commented 4 years ago

Do you happen to know if there's a prescribed stack size for GSUB (I know CFF has several, but I don't think I've ever read about a formally imposed limit for GSUB. Then again, it's a big spec, I might have missed it)?

brawer commented 4 years ago

AFAIK not; might be worth looking at what limits HarfBuzz is imposing (other than fontkit, HarfBuzz is protecting itself against this attack). By the way, fontkit is also still vulnerable to the AAT version of this attack; see https://github.com/foliojs/fontkit/issues/174 and https://github.com/foliojs/fontkit/issues/175.
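To make the growth discussed in the two comments above concrete, here is a toy GSUB-style shaper in JavaScript. It is an added illustration and not code from fontkit, HarfBuzz or the test-font repository: the lookup object shape, the function names and the `maxLenFactor` budget are assumptions made for this example (no spec-mandated limit exists, as the thread notes). The lookup is modelled on the decompiled font: replace `o` by `olololololololololo` (10 o's and 9 l's) when the `o` is surrounded by `l`, matched against the input run as a contextual substitution would be. Applying it k times to `lol` yields 10^k o's and 2·10^k + 1 glyphs in total; the budgeted `shape` function refuses to continue once the output exceeds a multiple of the input length, which is the kind of defensive bound a shaper can apply.

```javascript
// Added illustration, not fontkit or HarfBuzz code. A glyph run is an array of
// single-letter glyph names; a lookup is a contextual multiple substitution:
// replace `target` by `replacement` when the input run has `before` to the
// left and `after` to the right (context is matched on the input, as in GSUB).

// Constructed lookup modelled on the test font described in the thread:
// 'o' -> 'olololololololololo' (10 o's and 9 l's) when surrounded by 'l'.
const LOL_LOOKUP = {
  target: 'o',
  before: 'l',
  after: 'l',
  replacement: 'olololololololololo'.split(''),
};

// Apply one lookup to a run. If the output would exceed maxLen, stop early
// and return null instead of allocating an ever-growing buffer.
function applyLookup(run, lookup, maxLen = Infinity) {
  const out = [];
  for (let i = 0; i < run.length; i++) {
    const matches =
      run[i] === lookup.target &&
      run[i - 1] === lookup.before &&
      run[i + 1] === lookup.after;
    if (matches) {
      for (const g of lookup.replacement) out.push(g);
    } else {
      out.push(run[i]);
    }
    if (out.length > maxLen) return null;
  }
  return out;
}

function countGlyph(run, name) {
  return run.filter((g) => g === name).length;
}

// Shape a run through a list of lookups under a growth budget: the output may
// not grow beyond maxLenFactor x the input length. (The factor is an assumed
// policy knob for this example, not a limit taken from the OpenType spec.)
function shape(run, lookups, { maxLenFactor = 64 } = {}) {
  const maxLen = run.length * maxLenFactor;
  let current = run;
  for (let i = 0; i < lookups.length; i++) {
    const next = applyLookup(current, lookups[i], maxLen);
    if (next === null) {
      // Report which lookup blew the budget and how long the run was before it.
      return { ok: false, lookup: i, length: current.length, maxLen };
    }
    current = next;
  }
  return { ok: true, run: current };
}

// Closed form for "lol" after k lookups: 10^k o's and 10^k + 1 l's.
function expectedLength(k) {
  return 2 * 10 ** k + 1;
}

// Demo: uncapped growth for a few rounds, then the budgeted shaper refusing.
const input = 'lol'.split('');
let run = input;
for (let k = 1; k <= 4; k++) {
  run = applyLookup(run, LOL_LOOKUP);
  console.log(`after lookup ${k}: ${run.length} glyphs, ${countGlyph(run, 'o')} o's`);
}
const nineLookups = Array(9).fill(LOL_LOOKUP);
console.log(shape(input, nineLookups)); // { ok: false, lookup: 1, length: 21, maxLen: 192 }
```

Nine chained lookups would otherwise produce a run of 2,000,000,001 glyphs from a three-glyph input; with the budget the shaper gives up during the second lookup, at which point the run is still 21 glyphs long. A real shaper would tie the bound to both buffer length and total operations performed, since a font can also loop without growing the buffer.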

brawer commented 10 months ago

Friendly reminder: fontkit 2.0.2 is still vulnerable to this attack: https://rawgit.com/unicode-org/text-rendering-tests/master/reports/fontkit.html#GSUB-3