Fix unbounded ReadGlyph allocation (issue #191)#192
Open
parasol-aser wants to merge 2 commits intogoogle:masterfrom
Open
Fix unbounded ReadGlyph allocation (issue #191)#192parasol-aser wants to merge 2 commits intogoogle:masterfrom
parasol-aser wants to merge 2 commits intogoogle:masterfrom
Conversation
In ReadGlyph's simple-glyph branch, endPtsOfContours is treated as a uint16_t without enforcing monotonicity. A crafted sfnt with point_index < last_point_index wraps the subtraction and drives std::vector<Point>::resize to ~65535 entries per contour, producing multi-GB allocations and OOM DoS in ConvertTTFToWOFF2. Enforce the spec's monotonic-non-decreasing requirement on endPtsOfContours, and bound num_points by the remaining glyph buffer so allocations stay proportional to input size. Add a libFuzzer harness (convert_ttf2woff2_fuzzer) mirroring the reporter's setup, unit tests for ReadGlyph's per-contour guards, and an end-to-end test over fontTools-generated TTF fixtures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #191:
ReadGlyphcan allocate an oversized contour when a malformed simple glyph has non-monotonicendPtsOfContoursvalues. The subtraction that computesnum_pointscan wrap beforestd::vector<Glyph::Point>::resize.Fix
src/glyph.ccnow rejects simple glyphs where a laterendPtsOfContoursentry is smaller than the previous entry:This is the spec-level invariant needed for the reported allocation bug. I removed the earlier remaining-byte cap because it was based on a wrong assumption: simple-glyph flags are RLE-encoded, so logical point count is not bounded by one stored flag byte per point.
StoreEndPtsOfContoursalso confirms that the endpoint value itself may reachuint16_t::max().Changes
src/glyph.cc— reject decreasingendPtsOfContoursbefore computingnum_points.src/convert_ttf2woff2_fuzzer.cc— add an encoder fuzz entry point.CMakeLists.txt— register the encoder fuzzer and opt-in regression tests.test/test_read_glyph.cc— cover non-monotonic endpoints and RLE-encoded flags.test/test_convert_ttf2woff2.cc/test/generate_fixtures.py— cover valid baseline input and malformed non-monotonic TTF fixtures.Test plan
cmake -S . -B build -G Ninjacmake --build buildctest --test-dir build --output-on-failure./build/test_read_glyphReviewer follow-up still useful: run a longer encoder fuzzing session against a normal sfnt corpus and compare
woff2_compressoutput on a known-good corpus.