1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
|
// ftfuzzer.cc
//
// A fuzzing function to test FreeType with libFuzzer.
//
// Copyright 2015-2018 by
// David Turner, Robert Wilhelm, and Werner Lemberg.
//
// This file is part of the FreeType project, and may only be used,
// modified, and distributed under the terms of the FreeType project
// license, LICENSE.TXT. By continuing to use, modify, or distribute
// this file you indicate that you have read the license and
// understand and accept it fully.
// we use `unique_ptr', `decltype', and other gimmicks defined since C++11
#if __cplusplus < 201103L
# error "a C++11 compiler is needed"
#endif
#include <archive.h>
#include <archive_entry.h>
#include <assert.h>
#include <stdint.h>
#include <memory>
#include <vector>
using namespace std;
#include <ft2build.h>
#include FT_FREETYPE_H
#include FT_GLYPH_H
#include FT_CACHE_H
#include FT_CACHE_CHARMAP_H
#include FT_CACHE_IMAGE_H
#include FT_CACHE_SMALL_BITMAPS_H
#include FT_SYNTHESIS_H
#include FT_ADVANCES_H
#include FT_OUTLINE_H
#include FT_BBOX_H
#include FT_MODULE_H
#include FT_DRIVER_H
#include FT_MULTIPLE_MASTERS_H
static FT_Library library;
static int InitResult;
struct FT_Global
{
FT_Global()
{
InitResult = FT_Init_FreeType( &library );
if ( InitResult )
return;
// try to activate Adobe's CFF engine; it might not be the default
unsigned int cff_hinting_engine = FT_HINTING_ADOBE;
FT_Property_Set( library,
"cff",
"hinting-engine", &cff_hinting_engine );
}
~FT_Global()
{
FT_Done_FreeType( library );
}
};
FT_Global global_ft;
// We want to select n values at random (without repetition),
// with 0 < n <= N. The algorithm is taken from TAoCP, Vol. 2
// (Algorithm S, selection sampling technique)
struct Random
{
int n;
int N;
int t; // total number of values so far
int m; // number of selected values so far
uint32_t r; // the current pseudo-random number
Random( int n_,
int N_ )
: n( n_ ),
N( N_ )
{
t = 0;
m = 0;
// Ideally, this should depend on the input file,
// for example, taking the sha256 as input;
// however, this is overkill for fuzzying tests.
r = 12345;
}
int get()
{
if ( m >= n )
return -1;
Redo:
// We can't use `rand': different C libraries might provide
// different implementations of this function. As a replacement,
// we use a 32bit version of the `xorshift' algorithm.
r ^= r << 13;
r ^= r >> 17;
r ^= r << 5;
double U = double( r ) / UINT32_MAX;
if ( ( N - t ) * U >= ( n - m ) )
{
t++;
goto Redo;
}
t++;
m++;
return t;
}
};
static int
archive_read_entry_data( struct archive *ar,
vector<FT_Byte> *vw )
{
int r;
const FT_Byte* buff;
size_t size;
int64_t offset;
for (;;)
{
r = archive_read_data_block( ar,
reinterpret_cast<const void**>( &buff ),
&size,
&offset );
if ( r == ARCHIVE_EOF )
return ARCHIVE_OK;
if ( r != ARCHIVE_OK )
return r;
vw->insert( vw->end(), buff, buff + size );
}
}
static vector<vector<FT_Byte>>
parse_data( const uint8_t* data,
size_t size )
{
struct archive_entry* entry;
int r;
vector<vector<FT_Byte>> files;
unique_ptr<struct archive,
decltype ( archive_read_free )*> a( archive_read_new(),
archive_read_free );
// activate reading of uncompressed tar archives
archive_read_support_format_tar( a.get() );
// the need for `const_cast' was removed with libarchive commit be4d4dd
if ( !( r = archive_read_open_memory(
a.get(),
const_cast<void*>(static_cast<const void*>( data ) ),
size ) ) )
{
unique_ptr<struct archive,
decltype ( archive_read_close )*> a_open( a.get(),
archive_read_close );
// read files contained in archive
for (;;)
{
r = archive_read_next_header( a_open.get(), &entry );
if ( r == ARCHIVE_EOF )
break;
if ( r != ARCHIVE_OK )
break;
vector<FT_Byte> entry_data;
r = archive_read_entry_data( a.get(), &entry_data );
if ( r != ARCHIVE_OK )
break;
files.push_back( move( entry_data ) );
}
}
if ( files.size() == 0 )
files.emplace_back( data, data + size );
return files;
}
static void
setIntermediateAxis( FT_Face face )
{
// only handle Multiple Masters and GX variation fonts
if ( !FT_HAS_MULTIPLE_MASTERS( face ) )
return;
// get variation data for current instance
FT_MM_Var* variations_ptr = nullptr;
if ( FT_Get_MM_Var( face, &variations_ptr ) )
return;
unique_ptr<FT_MM_Var,
decltype ( free )*> variations( variations_ptr, free );
vector<FT_Fixed> coords( variations->num_axis );
// select an arbitrary instance
for ( unsigned int i = 0; i < variations->num_axis; i++ )
coords[i] = ( variations->axis[i].minimum +
variations->axis[i].def ) / 2;
if ( FT_Set_Var_Design_Coordinates( face,
FT_UInt( coords.size() ),
coords.data() ) )
return;
}
// the interface function to the libFuzzer library
extern "C" int
LLVMFuzzerTestOneInput( const uint8_t* data,
size_t size_ )
{
assert( !InitResult );
if ( size_ < 1 )
return 0;
const vector<vector<FT_Byte>>& files = parse_data( data, size_ );
FT_Face face;
FT_Int32 load_flags = FT_LOAD_DEFAULT;
#if 0
FT_Render_Mode render_mode = FT_RENDER_MODE_NORMAL;
#endif
// We use a conservative approach here, at the cost of calling
// `FT_New_Face' quite often. The idea is that the fuzzer should be
// able to try all faces and named instances of a font, expecting that
// some faces don't work for various reasons, e.g., a broken subfont, or
// an unsupported NFNT bitmap font in a Mac dfont resource that holds
// more than a single font.
// get number of faces
if ( FT_New_Memory_Face( library,
files[0].data(),
(FT_Long)files[0].size(),
-1,
&face ) )
return 0;
long num_faces = face->num_faces;
FT_Done_Face( face );
// loop over up to 20 arbitrarily selected faces
// from index range [0;num-faces-1]
long max_face_cnt = num_faces < 20
? num_faces
: 20;
Random faces_pool( (int)max_face_cnt, (int)num_faces );
for ( long face_cnt = 0;
face_cnt < max_face_cnt;
face_cnt++ )
{
long face_index = faces_pool.get() - 1;
// get number of instances
if ( FT_New_Memory_Face( library,
files[0].data(),
(FT_Long)files[0].size(),
-( face_index + 1 ),
&face ) )
continue;
long num_instances = face->style_flags >> 16;
FT_Done_Face( face );
// loop over the face without instance (index 0)
// and up to 20 arbitrarily selected instances
// from index range [1;num_instances]
long max_instance_cnt = num_instances < 20
? num_instances
: 20;
Random instances_pool( (int)max_instance_cnt, (int)num_instances );
for ( long instance_cnt = 0;
instance_cnt <= max_instance_cnt;
instance_cnt++ )
{
long instance_index = 0;
if ( !instance_cnt )
{
if ( FT_New_Memory_Face( library,
files[0].data(),
(FT_Long)files[0].size(),
face_index,
&face ) )
continue;
}
else
{
instance_index = instances_pool.get();
if ( FT_New_Memory_Face( library,
files[0].data(),
(FT_Long)files[0].size(),
( instance_index << 16 ) + face_index,
&face ) )
continue;
}
// if we have more than a single input file coming from an archive,
// attach them (starting with the second file) using the order given
// in the archive
for ( size_t files_index = 1;
files_index < files.size();
files_index++ )
{
FT_Open_Args open_args = {};
open_args.flags = FT_OPEN_MEMORY;
open_args.memory_base = files[files_index].data();
open_args.memory_size = (FT_Long)files[files_index].size();
// the last archive element will be eventually used as the
// attachment
FT_Attach_Stream( face, &open_args );
}
// loop over an arbitrary size for outlines
// and up to ten arbitrarily selected bitmap strike sizes
// from the range [0;num_fixed_sizes - 1]
int max_size_cnt = face->num_fixed_sizes < 10
? face->num_fixed_sizes
: 10;
Random sizes_pool( max_size_cnt, face->num_fixed_sizes );
for ( int size_cnt = 0;
size_cnt <= max_size_cnt;
size_cnt++ )
{
FT_Int32 flags = load_flags;
int size_index = 0;
if ( !size_cnt )
{
// set up 20pt at 72dpi as an arbitrary size
if ( FT_Set_Char_Size( face, 20 * 64, 20 * 64, 72, 72 ) )
continue;
flags |= FT_LOAD_NO_BITMAP;
}
else
{
// bitmap strikes are not active for font variations
if ( instance_index )
continue;
size_index = sizes_pool.get() - 1;
if ( FT_Select_Size( face, size_index ) )
continue;
flags |= FT_LOAD_COLOR;
}
// test MM interface only for a face without a selected instance
// and without a selected bitmap strike
if ( !instance_index && !size_cnt )
setIntermediateAxis( face );
// loop over all glyphs
for ( unsigned int glyph_index = 0;
glyph_index < (unsigned int)face->num_glyphs;
glyph_index++ )
{
if ( FT_Load_Glyph( face, glyph_index, flags ) )
continue;
// Rendering is the most expensive and the least interesting part.
//
// if ( FT_Render_Glyph( face->glyph, render_mode) )
// continue;
// FT_GlyphSlot_Embolden( face->glyph );
#if 0
FT_Glyph glyph;
if ( !FT_Get_Glyph( face->glyph, &glyph ) )
FT_Done_Glyph( glyph );
FT_Outline* outline = &face->glyph->outline;
FT_Matrix rot30 = { 0xDDB4, -0x8000, 0x8000, 0xDDB4 };
FT_Outline_Transform( outline, &rot30 );
FT_BBox bbox;
FT_Outline_Get_BBox( outline, &bbox );
#endif
}
}
FT_Done_Face( face );
}
}
return 0;
}
// END
|
