Google Git
Sign in
android / platform / frameworks / minikin / 3085d8c96ac476a9418835e7063649e327571dd2^! / .
commit3085d8c96ac476a9418835e7063649e327571dd2[log] [tgz]
authorSeigo Nonaka <nona@google.com>Tue Apr 24 17:44:01 2018 -0700
committerSeigo Nonaka <nona@google.com>Fri May 11 17:52:40 2018 +0000
tree86d2c694deb92e1473e1759571187400e5f9f449
parent2f88f76f257d046066ede752156968aff712114b [diff]
Fix fvar table size validation logic - DO NOT MERGE

The table size calculation was wrong.
"axisOffset + axisOffset * axisCount" should be
"axisOffset + axisSize * axisCount".

Bug: 77822336
Test: minikin_tests
Change-Id: I0cc88299f44bdad484497d9a55376764446fed12
Merged-In: I0cc88299f44bdad484497d9a55376764446fed12

diff --git a/libs/minikin/FontUtils.cpp b/libs/minikin/FontUtils.cpp
index c5a32f8..60b3163 100644
--- a/libs/minikin/FontUtils.cpp
+++ b/libs/minikin/FontUtils.cpp

@@ -19,6 +19,8 @@
 
 #include "FontUtils.h"
 
+#include <log/log.h>
+
 namespace minikin {
 
 static uint16_t readU16(const uint8_t* data, size_t offset) {
@@ -44,7 +46,7 @@
     return true;
 }
 
-void analyzeAxes(const uint8_t* fvar_data, size_t fvar_size, std::unordered_set<uint32_t>* axes) {
+bool analyzeAxes(const uint8_t* fvar_data, size_t fvar_size, std::unordered_set<uint32_t>* axes) {
     const size_t kMajorVersionOffset = 0;
     const size_t kMinorVersionOffset = 2;
     const size_t kOffsetToAxesArrayOffset = 4;
@@ -54,7 +56,7 @@
     axes->clear();
 
     if (fvar_size < kAxisSizeOffset + 2) {
-        return;
+        return false;
     }
     const uint16_t majorVersion = readU16(fvar_data, kMajorVersionOffset);
     const uint16_t minorVersion = readU16(fvar_data, kMinorVersionOffset);
@@ -63,15 +65,19 @@
     const uint32_t axisSize = readU16(fvar_data, kAxisSizeOffset);
 
     if (majorVersion != 1 || minorVersion != 0 || axisOffset != 0x10 || axisSize != 0x14) {
-        return;  // Unsupported version.
+        return false;  // Unsupported version.
     }
-    if (fvar_size < axisOffset + axisOffset * axisCount) {
-        return;  // Invalid table size.
+    if (fvar_size < axisOffset + axisSize * axisCount) {
+        if (axisOffset > axisSize) {
+            android_errorWriteLog(0x534e4554, "77822336");
+        }
+        return false;  // Invalid table size.
     }
     for (uint32_t i = 0; i < axisCount; ++i) {
         size_t axisRecordOffset = axisOffset + i * axisSize;
         uint32_t tag = readU32(fvar_data, axisRecordOffset);
         axes->insert(tag);
     }
+    return true;
 }
 }  // namespace minikin

diff --git a/libs/minikin/FontUtils.h b/libs/minikin/FontUtils.h
index d26d5e4..ecb9cde 100644
--- a/libs/minikin/FontUtils.h
+++ b/libs/minikin/FontUtils.h

@@ -22,7 +22,7 @@
 namespace minikin {
 
 bool analyzeStyle(const uint8_t* os2_data, size_t os2_size, int* weight, bool* italic);
-void analyzeAxes(const uint8_t* fvar_data, size_t fvar_size, std::unordered_set<uint32_t>* axes);
+bool analyzeAxes(const uint8_t* fvar_data, size_t fvar_size, std::unordered_set<uint32_t>* axes);
 
 }  // namespace minikin
 

diff --git a/tests/unittest/Android.mk b/tests/unittest/Android.mk
index b817c46..0334d10 100644
--- a/tests/unittest/Android.mk
+++ b/tests/unittest/Android.mk

@@ -75,6 +75,7 @@
     FontCollectionItemizeTest.cpp \
     FontFamilyTest.cpp \
     FontLanguageListCacheTest.cpp \
+    FontUtilsTest.cpp \
     HbFontCacheTest.cpp \
     HyphenatorTest.cpp \
     GraphemeBreakTests.cpp \

diff --git a/tests/unittest/FontUtilsTest.cpp b/tests/unittest/FontUtilsTest.cpp
new file mode 100644
index 0000000..15675c9
--- /dev/null
+++ b/tests/unittest/FontUtilsTest.cpp

@@ -0,0 +1,116 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "FontUtils.h"
+
+#include <gtest/gtest.h>
+
+namespace minikin {
+namespace {
+
+constexpr uint32_t MakeTag(char c1, char c2, char c3, char c4) {
+    return ((uint32_t)c1 << 24) | ((uint32_t)c2 << 16) | ((uint32_t)c3 << 8) | (uint32_t)c4;
+}
+
+static size_t writeU16(uint16_t x, uint8_t* out, size_t offset) {
+    out[offset] = x >> 8;
+    out[offset + 1] = x;
+    return offset + 2;
+}
+
+static size_t writeU32(uint32_t x, uint8_t* out, size_t offset) {
+    out[offset] = x >> 24;
+    out[offset + 1] = x >> 16;
+    out[offset + 2] = x >> 8;
+    out[offset + 3] = x;
+    return offset + 4;
+}
+
+static uint32_t floatToFixed(float x) {
+    return (uint32_t)(x * 65536);
+}
+
+struct Fvar {
+    Fvar(uint32_t tag, float minValue, float defaultValue, float maxValue)
+            : tag(tag), minValue(minValue), defaultValue(defaultValue), maxValue(maxValue) {}
+
+    uint32_t tag;
+    float minValue;
+    float defaultValue;
+    float maxValue;
+};
+
+// Returns valid fvar table contents. No InstanceRecord are filled.
+static std::vector<uint8_t> buildFvarTable(const std::vector<Fvar>& fvars) {
+    const uint32_t HEADER_SIZE = 0x10;
+    const uint32_t AXIS_RECORD_SIZE = 0x14;
+    std::vector<uint8_t> out(HEADER_SIZE + fvars.size() * AXIS_RECORD_SIZE);
+    size_t head = writeU16(1, out.data(), 0);             // major version
+    head = writeU16(0, out.data(), head);                 // minor version
+    head = writeU16(HEADER_SIZE, out.data(), head);       // axes array offset
+    head = writeU16(2, out.data(), head);                 // reserved
+    head = writeU16(fvars.size(), out.data(), head);      // count of axes
+    head = writeU16(AXIS_RECORD_SIZE, out.data(), head);  // size of variaiton axis record
+    head = writeU16(0, out.data(), head);                 // number of instance record count
+    head = writeU16(0, out.data(), head);                 // instance record size
+
+    for (const Fvar& fvar : fvars) {
+        head = writeU32(fvar.tag, out.data(), head);
+        head = writeU32(floatToFixed(fvar.minValue), out.data(), head);
+        head = writeU32(floatToFixed(fvar.defaultValue), out.data(), head);
+        head = writeU32(floatToFixed(fvar.maxValue), out.data(), head);
+        head = writeU16(0, out.data(), head);  // flags
+        head = writeU16(0, out.data(), head);  // axis name ID
+    }
+
+    return out;
+}
+
+TEST(FontUtilsTest, analyzeAxes_tagCount) {
+    std::vector<uint8_t> fvarTable = buildFvarTable({
+            Fvar(MakeTag('w', 'd', 't', 'h'), 0.0f, 1.0f, 2.0f),
+            Fvar(MakeTag('w', 'g', 'h', 't'), 0.0f, 1.0f, 2.0f),
+    });
+
+    std::unordered_set<uint32_t> axes;
+    ASSERT_TRUE(analyzeAxes(fvarTable.data(), fvarTable.size(), &axes));
+    ASSERT_EQ(2u, axes.size());
+    EXPECT_EQ(1u, axes.count(MakeTag('w', 'd', 't', 'h')));
+    EXPECT_EQ(1u, axes.count(MakeTag('w', 'g', 'h', 't')));
+    EXPECT_EQ(0u, axes.count(MakeTag('s', 'l', 'n', 't')));
+}
+
+TEST(FontUtilsTest, analyzeAxes_emptyBuffer) {
+    std::vector<uint8_t> fvarTable;
+    std::unordered_set<uint32_t> axes;
+    ASSERT_FALSE(analyzeAxes(fvarTable.data(), fvarTable.size(), &axes));
+}
+
+TEST(FontUtilsTest, analyzeAxes_invalidTableSize) {
+    std::vector<uint8_t> fvarTable = buildFvarTable({
+            Fvar(MakeTag('w', 'd', 't', 'h'), 0.0f, 1.0f, 2.0f),
+            Fvar(MakeTag('w', 'g', 'h', 't'), 0.0f, 1.0f, 2.0f),
+    });
+
+    fvarTable.resize(1000);
+    writeU16(50, fvarTable.data(), 8);  // Set axisCount = 50
+
+    std::unordered_set<uint32_t> axes;
+    ASSERT_FALSE(analyzeAxes(fvarTable.data(), fvarTable.size(), &axes));
+}
+
+}  // namespace
+}  // namespace minikin