mooman219 / fontdue

The fastest font renderer in the world, written in pure rust.
Apache License 2.0

Slow parsing of malformed font files #97

Closed 5225225 closed 2 years ago

5225225 commented 2 years ago

Fuzz target:

#![no_main]
use libfuzzer_sys::fuzz_target;

// libFuzzer entry point: every generated input is handed straight to the
// font parser; the fuzzer flags inputs that make this call hang or run slowly.
fuzz_target!(|data: &[u8]| {
    // The Result is intentionally discarded; only parse time matters here.
    let _ = fontdue::Font::from_bytes(data, Default::default());
});

Samples are in a zip file to stop github complaining about the file type

155 seconds: slow.zip
33 seconds: slow.zip

mooman219 commented 2 years ago

Very neat. I'm not sure if I can reasonably defend against this, but I'll look into this.

Rush commented 2 years ago

I think this is critical for any applications where users can provide their own font files.

mooman219 commented 2 years ago

The two sample fonts specifically:

Both trigger a Result::err() immediately for me right now for being too malformed. So this is fixed.

The DoS issue in general:

I do not recommend using fontdue for untrusted input because it can be used to take an unreasonable amount of time. The user won't be able to trigger any unsafe behavior, but it can be used to lockup compute resources on parsing the file. There are upper limits for fields that I parse, but it can still be unreasonable. I can imagine a conforming font that's explicitly written to exist at those limits. These issues also exist for rusttype, but those libraries don't do their parsing upfront, and may trigger slow behavior later into their lifecycles.
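A defensive wrapper for the untrusted-input case described in the comment above, added here as an example and not code from fontdue or from anyone in this thread: it caps the input size and runs the parse on a worker thread with a wall-clock budget, so a font that makes the parser crawl cannot stall the caller. `parse` is a hypothetical stand-in for `fontdue::Font::from_bytes` so that the block runs with the standard library alone.

```rust
use std::sync::mpsc;
use std::thread;
use std::time::{Duration, Instant};

/// Result of a bounded parse attempt over untrusted bytes.
#[derive(Debug, PartialEq)]
pub enum ParseOutcome<T> {
    Ok(T),
    TooLarge(usize),
    Rejected(String),
    TimedOut(Duration),
}

/// Run `parse` over `data` on a worker thread and wait at most `budget`.
/// `parse` is an assumed stand-in for `fontdue::Font::from_bytes`
/// (bytes -> Result<Font, String>); any parser with that shape works.
pub fn parse_bounded<T, F>(data: Vec<u8>, max_len: usize, budget: Duration, parse: F) -> ParseOutcome<T>
where
    T: Send + 'static,
    F: FnOnce(&[u8]) -> Result<T, String> + Send + 'static,
{
    // Cheap first check: refuse oversized inputs before spending any parse time.
    if data.len() > max_len {
        return ParseOutcome::TooLarge(data.len());
    }
    let (tx, rx) = mpsc::channel();
    let start = Instant::now();
    thread::spawn(move || {
        // If the parser panics, `tx` is dropped and the receiver sees Disconnected.
        let _ = tx.send(parse(&data));
    });
    match rx.recv_timeout(budget) {
        Ok(Ok(font)) => ParseOutcome::Ok(font),
        Ok(Err(e)) => ParseOutcome::Rejected(e),
        Err(mpsc::RecvTimeoutError::Disconnected) => {
            ParseOutcome::Rejected("parser thread exited without a result".to_string())
        }
        // Caveat: the worker is still running; Rust cannot kill a thread.
        Err(mpsc::RecvTimeoutError::Timeout) => ParseOutcome::TimedOut(start.elapsed()),
    }
}
```

A timed-out worker keeps consuming CPU until it finishes on its own, so a hard limit on untrusted fonts needs the parse in a child process that can be killed.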