harfbuzz / rustybuzz

A complete port of harfbuzz's shaping algorithm to Rust
MIT License

Problematic files found by fuzzer #129

Open qarmin opened 3 months ago

qarmin commented 3 months ago

Used this code

// Harness from the report: load a face from untrusted bytes and shape a few
// fixed strings with it. Run as: cargo run -- <font files...>
fn main() {
    for path in std::env::args().skip(1) {
        check_file(&path);
    }
}

fn check_file(path: &str) {
    let data = std::fs::read(path).unwrap();
    let _ = process_face(&data);
}

fn process_face(data: &[u8]) -> Option<()> {
    // None (no panic) only when the face itself is rejected up front.
    let face = rustybuzz::Face::from_slice(data, 0)?;

    // Empty buffer.
    let buffer = rustybuzz::UnicodeBuffer::new();
    rustybuzz::shape(&face, &[], buffer);

    // Short string that usually triggers a ligature lookup.
    let mut buffer = rustybuzz::UnicodeBuffer::new();
    buffer.push_str("fi");
    rustybuzz::shape(&face, &[], buffer);

    // Long ASCII run.
    let mut buffer = rustybuzz::UnicodeBuffer::new();
    buffer.push_str("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFfASFAMFIQAWNFWOIQBFOBFOABFOBAWOFBQWOFBOABFOASBOFBASOFBOASBFOIAWBOFBQWOFBOAWBFOIAWBFOAWBFOAWBODBAWODNQWOFBQOWBFOABFOAWBODBAOWWAOFBNOQWTGPOQWNGFPOWQNBFDOQWNFONQWDFNASODNBAWOBDFWQOFBNQWODOQWFNBOQWBNFOWAF");
    rustybuzz::shape(&face, &[], buffer);

    // Mixed non-ASCII run, including combining marks.
    let mut buffer = rustybuzz::UnicodeBuffer::new();
    buffer.push_str("ĄĆŹŻĆŒĆŁΩŒ™ΩŒ™ΩŒ® ̵ŁŁ®Ω¡¿®¡˝¿∧¡×¿£∧ס¿¼¡—®ÞŁ¡¿¡¿™GŒÐΩŒÐÞΩŒÆŊ ̵ΩŒŊ°ÞΩ¡Ff");
    rustybuzz::shape(&face, &[], buffer);
    Some(())
}

files - Untitled Folder.zip

Probably I created the issue a little too late, because https://github.com/RazrFalcon/rustybuzz/pull/126 seems to fix some/all of these issues.

Example of panics:

thread 'main' panicked at /home/runner/.cargo/git/checkouts/rustybuzz-7a6574c4a2403783/cb08d76/src/hb/ot_layout_gsubgpos.rs:610:67:
called `Option::unwrap()` on a `None` value
thread 'main' panicked at /home/runner/.cargo/git/checkouts/rustybuzz-7a6574c4a2403783/cb08d76/src/hb/set_digest.rs:93:12:
attempt to subtract with overflow
thread 'main' panicked at /home/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/ttf-parser-0.24.0/src/lib.rs:351:9:
attempt to subtract with overflow

More panics - Untitled Folder 2.zip

thread 'main' panicked at /home/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/ttf-parser-0.24.0/src/var_store.rs:144:49:
attempt to multiply with overflow
thread 'main' panicked at /home/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/ttf-parser-0.24.0/src/tables/gpos.rs:97:34:
attempt to subtract with overflow
thread 'main' panicked at /home/runner/.cargo/git/checkouts/rustybuzz-7a6574c4a2403783/388d78d/src/hb/buffer.rs:1236:22:
index out of bounds: the len is 16384 but the index is 16384
thread 'main' panicked at /home/runner/.cargo/git/checkouts/rustybuzz-7a6574c4a2403783/388d78d/src/hb/buffer.rs:1187:43:
index out of bounds: the len is 339 but the index is 339
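The overflow and out-of-bounds panics above all stem from arithmetic on offsets and lengths read straight from the untrusted font. As an added example (not rustybuzz or ttf-parser code), here is a toy table parser over a constructed 4-byte header layout, written once in the style that panics and once with checked arithmetic that returns None so the caller can reject the file:

```rust
// Constructed layout for this example: u16 record count, u16 offset to the
// records, then `count` records of 4 bytes each. Not a real OpenType table.
const HEADER_LEN: usize = 4;
const RECORD_LEN: usize = 4;

/// Read a big-endian u16 at `pos`, returning None if it is out of range.
fn read_u16(data: &[u8], pos: usize) -> Option<u16> {
    let bytes = data.get(pos..pos.checked_add(2)?)?;
    Some(u16::from_be_bytes([bytes[0], bytes[1]]))
}

/// Unchecked parsing in the style behind the reported panics: the subtraction
/// overflows in debug builds ("attempt to subtract with overflow"); in release
/// builds it wraps and the slice below panics with an out-of-bounds index.
pub fn records_unchecked(data: &[u8]) -> &[u8] {
    let count = u16::from_be_bytes([data[0], data[1]]) as usize;
    let offset = u16::from_be_bytes([data[2], data[3]]) as usize;
    let _remaining = data.len() - offset; // overflows when offset > len
    &data[offset..offset + count * RECORD_LEN]
}

/// Checked parsing: every arithmetic step and slice lookup yields None on
/// malformed input instead of panicking.
pub fn records_checked(data: &[u8]) -> Option<&[u8]> {
    let count = read_u16(data, 0)? as usize;
    let offset = read_u16(data, 2)? as usize;
    if offset < HEADER_LEN {
        return None; // records may not overlap the header
    }
    let len = count.checked_mul(RECORD_LEN)?;
    let end = offset.checked_add(len)?;
    data.get(offset..end) // None if the range runs past the data
}

/// Well-formed sample (constructed): 2 records right after the header.
pub fn good_table() -> Vec<u8> {
    let mut v = vec![0x00, 0x02, 0x00, 0x04];
    v.extend_from_slice(&[1, 2, 3, 4, 5, 6, 7, 8]);
    v
}

/// Malformed sample (constructed): offset 0xFFFF points past the data.
pub fn bad_table() -> Vec<u8> {
    vec![0x00, 0x01, 0xFF, 0xFF]
}
```

Wrapping each such computation in a fuzz target like the harness above, and returning an error rather than unwrapping, is what turns these reports from crashes into rejected inputs.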
LaurenzV commented 3 months ago

That PR is more fuzzing for correctness, not for crashes. I haven't changed any of the lines of code that trigger those panics, so it would surprise me if they are fixed in the PR.

RazrFalcon commented 3 months ago

Thanks, the ttf-parser bug is an easy fix.