Open brawer opened 8 months ago
Hi @brawer, are you just creating these issues to track the failures or to make us aware of them? If it's the latter, just want to note that we are aware of them, as I was the one that added the Allsorts implementation for the text-rendering-tests.
Just to make you aware. Sorry for filing a security problem as a public bug, I didn't know how to reach you in private.
Allsorts 0.14.0 is vulnerable to an OpenType version of the billion laughs attack. The attack vector is a font with a malicious but well-formed GSUB table.

Failing test case: https://rawgit.com/unicode-org/text-rendering-tests/master/reports/Allsorts.html#GSUB-3
Test suite: https://github.com/unicode-org/text-rendering-tests
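A sketch of the usual mitigation for this class of bug, a hard cap on glyph-buffer growth during substitution. This is an added example, not Allsorts code and not part of the original report; it assumes the expansion comes from one-to-many substitutions applied in sequence (the report does not spell out the mechanism), and `Lookup`, `ShapeError`, `apply_lookups` and `doubling_lookups` are hypothetical names.

```rust
use std::collections::HashMap;

/// Hypothetical error type for this sketch.
#[derive(Debug, PartialEq)]
pub enum ShapeError {
    GlyphBudgetExceeded { limit: usize },
}

/// Toy stand-in for a one-to-many substitution lookup: glyph id -> replacement sequence.
pub type Lookup = HashMap<u16, Vec<u16>>;

/// Apply each lookup in order, refusing to let the buffer grow past `max_glyphs`.
pub fn apply_lookups(
    input: &[u16],
    lookups: &[Lookup],
    max_glyphs: usize,
) -> Result<Vec<u16>, ShapeError> {
    let mut buf = input.to_vec();
    for lookup in lookups {
        let mut out = Vec::with_capacity(buf.len());
        for &glyph in &buf {
            match lookup.get(&glyph) {
                Some(seq) => out.extend_from_slice(seq),
                None => out.push(glyph),
            }
            // Check inside the inner loop so one pass cannot allocate
            // far beyond the budget before the limit is noticed.
            if out.len() > max_glyphs {
                return Err(ShapeError::GlyphBudgetExceeded { limit: max_glyphs });
            }
        }
        buf = out;
    }
    Ok(buf)
}

/// Constructed sample input: `depth` lookups, each replacing glyph 1 with two copies of itself.
pub fn doubling_lookups(depth: usize) -> Vec<Lookup> {
    (0..depth)
        .map(|_| HashMap::from([(1u16, vec![1u16, 1u16])]))
        .collect()
}

fn main() {
    // 10 passes: 1 glyph grows to 1024 glyphs, within the budget.
    println!("{:?}", apply_lookups(&[1], &doubling_lookups(10), 4096).map(|v| v.len()));
    // 64 passes would need 2^64 glyphs; the budget stops it during the 13th pass.
    println!("{:?}", apply_lookups(&[1], &doubling_lookups(64), 4096));
}
```

The budget bounds both memory and time, since work per pass is proportional to the buffer length.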