Problematic files found by fuzzer #129

Open
qarmin opened this issue Jul 11, 2024 · 2 comments
qarmin commented Jul 11, 2024

Used this code

```rust
use std::env;

fn main() {
    // Run the check over every path given on the command line (entry point added
    // so the harness compiles as a binary; the original snippet only showed the
    // two functions below).
    for path in env::args().skip(1) {
        check_file(&path);
    }
}

fn check_file(path: &str) {
    let data = std::fs::read(path).unwrap();
    let _ = process_face(&data);
}

fn process_face(data: &[u8]) -> Option<()> {
    // A `None` here is a clean rejection of the file; any panic further down is a bug.
    let face = rustybuzz::Face::from_slice(data, 0)?;
    // Shape an empty buffer first.
    let buffer = rustybuzz::UnicodeBuffer::new();
    rustybuzz::shape(&face, &[], buffer);
    // Then a ligature candidate.
    let mut buffer = rustybuzz::UnicodeBuffer::new();
    buffer.push_str("fi");
    rustybuzz::shape(&face, &[], buffer);
    // Then a long ASCII run.
    let mut buffer = rustybuzz::UnicodeBuffer::new();
    buffer.push_str("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFfASFAMFIQAWNFWOIQBFOBFOABFOBAWOFBQWOFBOABFOASBOFBASOFBOASBFOIAWBOFBQWOFBOAWBFOIAWBFOAWBFOAWBODBAWODNQWOFBQOWBFOABFOAWBODBAOWWAOFBNOQWTGPOQWNGFPOWQNBFDOQWNFONQWDFNASODNBAWOBDFWQOFBNQWODOQWFNBOQWBNFOWAF");
    rustybuzz::shape(&face, &[], buffer);
    // And finally a run of non-ASCII code points.
    let mut buffer = rustybuzz::UnicodeBuffer::new();
    buffer.push_str("ĄĆŹŻĆŒĆŁΩŒ™ΩŒ™ΩŒ® ̵ŁŁ®Ω¡¿®¡˝¿∧¡×¿£∧ס¿¼¡—®ÞŁ¡¿¡¿™GŒÐΩŒÐÞΩŒÆŊ ̵ΩŒŊ°ÞΩ¡Ff");
    rustybuzz::shape(&face, &[], buffer);
    Some(())
}
```

files - Untitled Folder.zip

Probably I created the issue a little too late, because #126 seems to fix some/all of these issues.

Example of panics:

```
thread 'main' panicked at /home/runner/.cargo/git/checkouts/rustybuzz-7a6574c4a2403783/cb08d76/src/hb/ot_layout_gsubgpos.rs:610:67:
called `Option::unwrap()` on a `None` value
thread 'main' panicked at /home/runner/.cargo/git/checkouts/rustybuzz-7a6574c4a2403783/cb08d76/src/hb/set_digest.rs:93:12:
attempt to subtract with overflow
thread 'main' panicked at /home/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/ttf-parser-0.24.0/src/lib.rs:351:9:
attempt to subtract with overflow
```

More panics - Untitled Folder 2.zip

```
thread 'main' panicked at /home/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/ttf-parser-0.24.0/src/var_store.rs:144:49:
attempt to multiply with overflow
thread 'main' panicked at /home/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/ttf-parser-0.24.0/src/tables/gpos.rs:97:34:
attempt to subtract with overflow
thread 'main' panicked at /home/runner/.cargo/git/checkouts/rustybuzz-7a6574c4a2403783/388d78d/src/hb/buffer.rs:1236:22:
index out of bounds: the len is 16384 but the index is 16384
thread 'main' panicked at /home/runner/.cargo/git/checkouts/rustybuzz-7a6574c4a2403783/388d78d/src/hb/buffer.rs:1187:43:
index out of bounds: the len is 339 but the index is 339
```
@LaurenzV (Collaborator)

That PR is more fuzzing for correctness, not for crashes. I haven't changed any of the lines of code that trigger those panics, so it would surprise me if they are fixed in the PR.

@RazrFalcon (Collaborator)

Thanks, the ttf-parser bug is an easy fix.
