1 // This is a fuzzing harness for Harfbuzz. Since Harfbuzz's input is generally
2 // expected to be controlled by a remote party it's a possible vector for
3 // security issues.
4 //
5 // Fuzzing is a black-box testing scheme where the black-box (Harfbuzz's shaping
6 // engine in this case) is fed random input to see if it will misbehave.
7 // Misbehaviours can often be turned into security or crash issues.
8 //
9 // It's expected that one will generally run this under valgrind in order to get
10 // better detection of problems.
11
12 #include <stdint.h>
13 #include <stdio.h>
14
15 #include <ft2build.h>
16 #include FT_FREETYPE_H
17
18 #include "../../src/harfbuzz-shaper.h"
19 #include "../../src/harfbuzz-global.h"
20 #include "../../src/harfbuzz-gpos.h"
21
22 extern "C" {
23 #include "../../contrib/harfbuzz-unicode.h"
24 #include "../../contrib/harfbuzz-freetype.h"
25 }
26
27 static FT_Library freetype;
28
loadFace(const char * path)29 static FT_Face loadFace(const char *path)
30 {
31 FT_Face face;
32
33 if (FT_New_Face(freetype, path, /* index */ 0, &face))
34 return 0;
35 return face;
36 }
37
38 static const int kWidth = 100;
39 static const int kHeight = 100;
40
41 static int
usage(const char * argv0)42 usage(const char *argv0) {
43 fprintf(stderr, "Usage: %s <TTF file>\n", argv0);
44 return 1;
45 }
46
47 int
main(int argc,char ** argv)48 main(int argc, char **argv) {
49 FT_Init_FreeType(&freetype);
50
51 if (argc != 2)
52 return usage(argv[0]);
53
54 FT_Face face;
55 if (FT_New_Face(freetype, argv[1], 0 /* face index */, &face)) {
56 fprintf(stderr, "Failed to load font file\n");
57 return 1;
58 }
59
60 HB_Face hbFace = HB_NewFace(face, hb_freetype_table_sfnt_get);
61
62 HB_FontRec hbFont;
63 hbFont.klass = &hb_freetype_class;
64 hbFont.userData = face;
65 hbFont.x_ppem = face->size->metrics.x_ppem;
66 hbFont.y_ppem = face->size->metrics.y_ppem;
67 hbFont.x_scale = face->size->metrics.x_scale;
68 hbFont.y_scale = face->size->metrics.y_scale;
69
70 // This is the maximum number of bytes of input which we'll feed to Harfbuzz
71 // in one shot. We also overload it and make it the size of the output arrays
72 // as well. (Must be a power of two.)
73 static const unsigned kMaxInputBytes = 1024;
74 uint8_t str[kMaxInputBytes];
75
76 HB_ShaperItem shaper_item;
77 shaper_item.kerning_applied = false;
78 shaper_item.string = (HB_UChar16 *) str;
79 shaper_item.stringLength = 0;
80 shaper_item.item.bidiLevel = 0;
81 shaper_item.shaperFlags = 0;
82 shaper_item.font = &hbFont;
83 shaper_item.face = hbFace;
84 shaper_item.glyphIndicesPresent = false;
85 shaper_item.initialGlyphCount = 0;
86
87 HB_Glyph out_glyphs[kMaxInputBytes];
88 HB_GlyphAttributes out_attrs[kMaxInputBytes];
89 HB_Fixed out_advs[kMaxInputBytes];
90 HB_FixedPoint out_offsets[kMaxInputBytes];
91 unsigned short out_logClusters[kMaxInputBytes];
92
93 shaper_item.glyphs = out_glyphs;
94 shaper_item.attributes = out_attrs;
95 shaper_item.advances = out_advs;
96 shaper_item.offsets = out_offsets;
97 shaper_item.log_clusters = out_logClusters;
98 shaper_item.num_glyphs = kMaxInputBytes;
99
100 FILE *urandom = fopen("/dev/urandom", "rb");
101 if (!urandom) {
102 fprintf(stderr, "Cannot open /dev/urandom\n");
103 return 1;
104 }
105
106 for (;;) {
107 uint16_t len;
108 fread(&len, sizeof(len), 1, urandom);
109 len &= (kMaxInputBytes - 1);
110 len &= ~1;
111 fread(str, len, 1, urandom);
112
113 ssize_t iterator = 0;
114
115 for (;;) {
116 if (!hb_utf16_script_run_next(NULL, &shaper_item.item, (uint16_t *) str, len >> 1, &iterator))
117 break;
118
119 HB_ShapeItem(&shaper_item);
120 }
121 }
122
123 HB_FreeFace(hbFace);
124 }
125