/src/harfbuzz/test/fuzzing/hb-subset-fuzzer.cc

Source (jump to first uncovered line)
#include "hb-fuzzer.hh"

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <assert.h>

#include "hb-subset.h"

static void
trySubset (hb_face_t *face,
     const hb_codepoint_t text[],
     int text_length,
           unsigned flag_bits,
           hb_subset_input_t *input)
{
  if (!input) return;

  hb_subset_input_set_flags (input, (hb_subset_flags_t) flag_bits);

  hb_set_t *codepoints = hb_subset_input_unicode_set (input);

  for (int i = 0; i < text_length; i++)
    hb_set_add (codepoints, text[i]);

  hb_face_t *result = hb_subset_or_fail (face, input);
  if (result)
  {
    hb_blob_t *blob = hb_face_reference_blob (result);
    unsigned int length;
    const char *data = hb_blob_get_data (blob, &length);

    // Something not optimizable just to access all the blob data
    unsigned int bytes_count = 0;
    for (unsigned int i = 0; i < length; ++i)
      if (data[i]) ++bytes_count;
    assert (bytes_count || !length);

    hb_blob_destroy (blob);
  }
  hb_face_destroy (result);

  hb_subset_input_destroy (input);
}

extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
{
  alloc_state = _fuzzing_alloc_state (data, size);

  hb_blob_t *blob = hb_blob_create ((const char *) data, size,
            HB_MEMORY_MODE_READONLY, nullptr, nullptr);
  hb_face_t *face = hb_face_create (blob, 0);

  /* Just test this API here quickly. */
  hb_set_t *output = hb_set_create ();
  hb_face_collect_unicodes (face, output);
  hb_set_destroy (output);

  unsigned flags = HB_SUBSET_FLAGS_DEFAULT;
  const hb_codepoint_t text[] =
      {
  'A', 'B', 'C', 'D', 'E', 'X', 'Y', 'Z', '1', '2',
  '3', '@', '_', '%', '&', ')', '*', '$', '!'
      };

  hb_subset_input_t *input = hb_subset_input_create_or_fail ();
  if (!input)
  {
    hb_face_destroy (face);
    hb_blob_destroy (blob);
    return 0;
  }
  trySubset (face, text, sizeof (text) / sizeof (hb_codepoint_t), flags, input);

  unsigned num_axes;
  hb_codepoint_t text_from_data[16];
  if (size > sizeof (text_from_data) + sizeof (flags) + sizeof(num_axes)) {
    hb_subset_input_t *input = hb_subset_input_create_or_fail ();
    if (!input)
    {
      hb_face_destroy (face);
      hb_blob_destroy (blob);
      return 0;
    }
    size -= sizeof (text_from_data);
    memcpy (text_from_data,
      data + size,
      sizeof (text_from_data));

    size -= sizeof (flags);
    memcpy (&flags,
      data + size,
      sizeof (flags));

    size -= sizeof (num_axes);
    memcpy (&num_axes,
      data + size,
      sizeof (num_axes));

    if (num_axes > 0 && num_axes < 8 && size > num_axes * (sizeof(hb_tag_t) + sizeof(int)))
    {
      for (unsigned i = 0; i < num_axes; i++) {
        hb_tag_t tag;
        int value;
        size -= sizeof (tag);
        memcpy (&tag,
                data + size,
                sizeof (tag));
        size -= sizeof (value);
        memcpy (&value,
                data + size,
                sizeof (value));

        hb_subset_input_pin_axis_location(input,
                                          face,
                                          tag,
                                          (float) value);
      }
    }



    unsigned int text_size = sizeof (text_from_data) / sizeof (hb_codepoint_t);
    trySubset (face, text_from_data, text_size, flags, input);
  }

  hb_face_destroy (face);
  hb_blob_destroy (blob);

  return 0;
}

Line	Count	Source (jump to first uncovered line)
1		#include "hb-fuzzer.hh"
2
3		#include <stdlib.h>
4		#include <stdio.h>
5		#include <string.h>
6		#include <assert.h>
7
8		#include "hb-subset.h"
9
10		static void
11		trySubset (hb_face_t *face,
12		const hb_codepoint_t text[],
13		int text_length,
14		unsigned flag_bits,
15		hb_subset_input_t *input)
16	64.8k	{
17	64.8k	if (!input) return;
18
19	64.8k	hb_subset_input_set_flags (input, (hb_subset_flags_t) flag_bits);
20
21	64.8k	hb_set_t *codepoints = hb_subset_input_unicode_set (input);
22
23	1.20M	for (int i = 0; i < text_length; i++)
24	1.14M	hb_set_add (codepoints, text[i]);
25
26	64.8k	hb_face_t *result = hb_subset_or_fail (face, input);
27	64.8k	if (result)
28	21.9k	{
29	21.9k	hb_blob_t *blob = hb_face_reference_blob (result);
30	21.9k	unsigned int length;
31	21.9k	const char *data = hb_blob_get_data (blob, &length);
32
33		// Something not optimizable just to access all the blob data
34	21.9k	unsigned int bytes_count = 0;
35	214M	for (unsigned int i = 0; i < length; ++i)
36	214M	if (data[i]) ++bytes_count;
37	21.9k	assert (bytes_count \|\| !length);
38
39	21.9k	hb_blob_destroy (blob);
40	21.9k	}
41	64.8k	hb_face_destroy (result);
42
43	64.8k	hb_subset_input_destroy (input);
44	64.8k	}
45
46		extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
47	34.6k	{
48	34.6k	alloc_state = _fuzzing_alloc_state (data, size);
49
50	34.6k	hb_blob_t blob = hb_blob_create ((const char ) data, size,
51	34.6k	HB_MEMORY_MODE_READONLY, nullptr, nullptr);
52	34.6k	hb_face_t *face = hb_face_create (blob, 0);
53
54		/* Just test this API here quickly. */
55	34.6k	hb_set_t *output = hb_set_create ();
56	34.6k	hb_face_collect_unicodes (face, output);
57	34.6k	hb_set_destroy (output);
58
59	34.6k	unsigned flags = HB_SUBSET_FLAGS_DEFAULT;
60	34.6k	const hb_codepoint_t text[] =
61	34.6k	{
62	34.6k	'A', 'B', 'C', 'D', 'E', 'X', 'Y', 'Z', '1', '2',
63	34.6k	'3', '@', '_', '%', '&', ')', '*', '$', '!'
64	34.6k	};
65
66	34.6k	hb_subset_input_t *input = hb_subset_input_create_or_fail ();
67	34.6k	if (!input)
68	365	{
69	365	hb_face_destroy (face);
70	365	hb_blob_destroy (blob);
71	365	return 0;
72	365	}
73	34.2k	trySubset (face, text, sizeof (text) / sizeof (hb_codepoint_t), flags, input);
74
75	34.2k	unsigned num_axes;
76	34.2k	hb_codepoint_t text_from_data[16];
77	34.2k	if (size > sizeof (text_from_data) + sizeof (flags) + sizeof(num_axes)) {
78	33.0k	hb_subset_input_t *input = hb_subset_input_create_or_fail ();
79	33.0k	if (!input)
80	2.43k	{
81	2.43k	hb_face_destroy (face);
82	2.43k	hb_blob_destroy (blob);
83	2.43k	return 0;
84	2.43k	}
85	30.5k	size -= sizeof (text_from_data);
86	30.5k	memcpy (text_from_data,
87	30.5k	data + size,
88	30.5k	sizeof (text_from_data));
89
90	30.5k	size -= sizeof (flags);
91	30.5k	memcpy (&flags,
92	30.5k	data + size,
93	30.5k	sizeof (flags));
94
95	30.5k	size -= sizeof (num_axes);
96	30.5k	memcpy (&num_axes,
97	30.5k	data + size,
98	30.5k	sizeof (num_axes));
99
100	30.5k	if (num_axes > 0 && num_axes < 8 && size > num_axes * (sizeof(hb_tag_t) + sizeof(int)))
101	2.27k	{
102	10.5k	for (unsigned i = 0; i < num_axes; i++) {
103	8.30k	hb_tag_t tag;
104	8.30k	int value;
105	8.30k	size -= sizeof (tag);
106	8.30k	memcpy (&tag,
107	8.30k	data + size,
108	8.30k	sizeof (tag));
109	8.30k	size -= sizeof (value);
110	8.30k	memcpy (&value,
111	8.30k	data + size,
112	8.30k	sizeof (value));
113
114	8.30k	hb_subset_input_pin_axis_location(input,
115	8.30k	face,
116	8.30k	tag,
117	8.30k	(float) value);
118	8.30k	}
119	2.27k	}
120
121
122
123	30.5k	unsigned int text_size = sizeof (text_from_data) / sizeof (hb_codepoint_t);
124	30.5k	trySubset (face, text_from_data, text_size, flags, input);
125	30.5k	}
126
127	31.8k	hb_face_destroy (face);
128	31.8k	hb_blob_destroy (blob);
129
130	31.8k	return 0;
131	34.2k	}

Coverage Report

Created: 2025-07-01 07:07