1 #include "hb-fuzzer.hh"
2
3 #include <stdlib.h>
4 #include <stdio.h>
5 #include <string.h>
6 #include <assert.h>
7
8 #include "hb-subset.h"
9
10 static void
trySubset(hb_face_t * face,const hb_codepoint_t text[],int text_length,unsigned flag_bits,hb_subset_input_t * input)11 trySubset (hb_face_t *face,
12 const hb_codepoint_t text[],
13 int text_length,
14 unsigned flag_bits,
15 hb_subset_input_t *input)
16 {
17 if (!input) return;
18
19 hb_subset_input_set_flags (input, (hb_subset_flags_t) flag_bits);
20
21 hb_set_t *codepoints = hb_subset_input_unicode_set (input);
22
23 for (int i = 0; i < text_length; i++)
24 hb_set_add (codepoints, text[i]);
25
26 hb_face_t *result = hb_subset_or_fail (face, input);
27 if (result)
28 {
29 hb_blob_t *blob = hb_face_reference_blob (result);
30 unsigned int length;
31 const char *data = hb_blob_get_data (blob, &length);
32
33 // Something not optimizable just to access all the blob data
34 unsigned int bytes_count = 0;
35 for (unsigned int i = 0; i < length; ++i)
36 if (data[i]) ++bytes_count;
37 assert (bytes_count || !length);
38
39 hb_blob_destroy (blob);
40 }
41 hb_face_destroy (result);
42
43 hb_subset_input_destroy (input);
44 }
45
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)46 extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
47 {
48 alloc_state = _fuzzing_alloc_state (data, size);
49
50 hb_blob_t *blob = hb_blob_create ((const char *) data, size,
51 HB_MEMORY_MODE_READONLY, nullptr, nullptr);
52 hb_face_t *face = hb_face_create (blob, 0);
53
54 /* Just test this API here quickly. */
55 hb_set_t *output = hb_set_create ();
56 hb_face_collect_unicodes (face, output);
57 hb_set_destroy (output);
58
59 unsigned flags = HB_SUBSET_FLAGS_DEFAULT;
60 const hb_codepoint_t text[] =
61 {
62 'A', 'B', 'C', 'D', 'E', 'X', 'Y', 'Z', '1', '2',
63 '3', '@', '_', '%', '&', ')', '*', '$', '!'
64 };
65
66 hb_subset_input_t *input = hb_subset_input_create_or_fail ();
67 if (!input)
68 {
69 hb_face_destroy (face);
70 hb_blob_destroy (blob);
71 return 0;
72 }
73 trySubset (face, text, sizeof (text) / sizeof (hb_codepoint_t), flags, input);
74
75 unsigned num_axes;
76 hb_codepoint_t text_from_data[16];
77 if (size > sizeof (text_from_data) + sizeof (flags) + sizeof(num_axes)) {
78 hb_subset_input_t *input = hb_subset_input_create_or_fail ();
79 if (!input)
80 {
81 hb_face_destroy (face);
82 hb_blob_destroy (blob);
83 return 0;
84 }
85 size -= sizeof (text_from_data);
86 memcpy (text_from_data,
87 data + size,
88 sizeof (text_from_data));
89
90 size -= sizeof (flags);
91 memcpy (&flags,
92 data + size,
93 sizeof (flags));
94
95 size -= sizeof (num_axes);
96 memcpy (&num_axes,
97 data + size,
98 sizeof (num_axes));
99
100 if (num_axes > 0 && num_axes < 8 && size > num_axes * (sizeof(hb_tag_t) + sizeof(int)))
101 {
102 for (unsigned i = 0; i < num_axes; i++) {
103 hb_tag_t tag;
104 int value;
105 size -= sizeof (tag);
106 memcpy (&tag,
107 data + size,
108 sizeof (tag));
109 size -= sizeof (value);
110 memcpy (&value,
111 data + size,
112 sizeof (value));
113
114 hb_subset_input_pin_axis_location(input,
115 face,
116 tag,
117 (float) value);
118 }
119 }
120
121
122
123 unsigned int text_size = sizeof (text_from_data) / sizeof (hb_codepoint_t);
124 trySubset (face, text_from_data, text_size, flags, input);
125 }
126
127 hb_face_destroy (face);
128 hb_blob_destroy (blob);
129
130 return 0;
131 }
132