Limit GSUB buffer size - Githubissues

yeslogic / allsorts

Font parser, shaping engine, and subsetter implemented in Rust

https://yeslogic.com/blog/allsorts-rust-font-shaping-engine/

Apache License 2.0

706 stars 23 forks source link

Limit GSUB buffer size #97

Open brawer opened 8 months ago

brawer commented 8 months ago

Allsorts 0.14.0 is vulnerable to an OpenType version of the billion laughs attack. The attack vector is a font with a malicious but well-formed GSUB table.

Failing test case: https://rawgit.com/unicode-org/text-rendering-tests/master/reports/Allsorts.html#GSUB-3 Test suite: https://github.com/unicode-org/text-rendering-tests

wezm commented 8 months ago

Hi @brawer are you just creating these issues to track the failures or make us aware of them? If it's the latter just want to note that we are aware of them as I was the one that added the Allsorts implementation for the text-rendering-tests.

brawer commented 8 months ago

Just to make you aware. Sorry for filing a security problem as a public bug, I didn't know how to reach you in private.