fuzzing harfbuzz

[kcc]

This in an umbrella issue for setting up regular fuzzing for harfbuzz and fixing the bugs that we find with fuzzing.

The starting point is the target function below used with libFuzzer.

#include "src/hb.h"
#include "src/hb-ot.h"
#include "Fuzzer/FuzzerInterface.h"

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  const char text[] = "ABCDEXYZ123@_%&)*$!";

  hb_blob_t *blob = hb_blob_create((const char *)data, size,
                                   HB_MEMORY_MODE_READONLY, NULL, NULL);
  hb_face_t *face = hb_face_create(blob, 0);
  hb_font_t *font = hb_font_create(face);
  hb_ot_font_set_funcs(font);
  hb_font_set_scale(font, 12, 12);

  hb_buffer_t *buffer = hb_buffer_create();
  hb_buffer_add_utf8(buffer, text, -1, 0, -1);
  hb_buffer_guess_segment_properties(buffer);

  hb_shape(font, buffer, NULL, 0);

  hb_buffer_destroy(buffer);
  hb_font_destroy(font);
  hb_face_destroy(face);
  hb_blob_destroy(blob);
  return 0;
}

Eventually we'll need to submit this function to harfbuzz repo and extend it to cover more code.

Currently, this is my workflow to build the fuzzer:

1. Get fresh llvm and build libFuzzer.

(
cd harfbuzz
make distclean
SAN=-fsanitize=address
COV=-fsanitize-coverage=edge,8bit-counters,trace-cmp

CXX="clang++ $SAN $COV" CC="clang $SAN $COV" CCLD="clang++ $SAN $COV" ../harfbuzz/configure --enable-static --disable-shared
make -j
)
clang++ -std=c++11 harfbuzz_fuzzer.cc -fsanitize=address -fsanitize-coverage=edge -I harfbuzz -I. ./harfbuzz/src/.libs/libharfbuzz.a -lglib-2.0 Fuzzer*.o -o harfbuzz_fuzzer

[kcc]

Two recent findings:
ee9b0b6
f396fbb

[kcc]

Next catch.
Reproducer:

echo AAEAAAADgCoAKvwNUEdEKkYAKeAAdAA9AAAAM0dQT1MA1UARAAAAAAoDAAMAAQAEAAgAAgADAAEABAABAA== | base64 --decode > reproducer

==12311==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000effd at pc 0x000000619d1b bp 0x7ffccad4b690 sp 0x7ffccad4b688
READ of size 1 at 0x60600000effd thread T0
    #0 0x619d1a in OT::BEInt<unsigned short, 2>::operator unsigned short() const src/./hb-open-type-private.hh:584:13
    #1 0x619d1a in OT::IntType<unsigned short, 2u>::operator unsigned short() const src/./hb-open-type-private.hh:632
    #2 0x619d1a in OT::ValueFormat::get_len() const src/./hb-ot-layout-gpos-table.hh:93
    #3 0x619d1a in OT::PairPosFormat1::sanitize(OT::hb_sanitize_context_t*) const src/./hb-ot-layout-gpos-table.hh:708
    #4 0x617363 in bool OT::hb_sanitize_context_t::dispatch<OT::PairPosFormat1>(OT::PairPosFormat1 const&) src/./hb-open-type-private.hh:205:52
    #5 0x617363 in OT::hb_sanitize_context_t::return_t OT::PairPos::dispatch<OT::hb_sanitize_context_t>(OT::hb_sanitize_context_t*) const src/./hb-ot-layout-gpos-table.hh:848
    #6 0x617363 in OT::hb_sanitize_context_t::return_t OT::PosLookupSubTable::dispatch<OT::hb_sanitize_context_t>(OT::hb_sanitize_context_t*, unsigned int) const src/./hb-ot-layout-gpos-table.hh:1410
    #7 0x6163d5 in OT::hb_sanitize_context_t::return_t OT::Lookup::dispatch<OT::PosLookupSubTable, OT::hb_sanitize_context_t>(OT::hb_sanitize_context_t*) const src/./hb-ot-layout-common-private.hh:614:40
    #8 0x6163d5 in OT::hb_sanitize_context_t::return_t OT::PosLookup::dispatch<OT::hb_sanitize_context_t>(OT::hb_sanitize_context_t*) const src/./hb-ot-layout-gpos-table.hh:1476
    #9 0x6163d5 in OT::PosLookup::sanitize(OT::hb_sanitize_context_t*) const src/./hb-ot-layout-gpos-table.hh:1482
    #10 0x615909 in OT::OffsetTo<OT::PosLookup, OT::IntType<unsigned short, 2u> >::sanitize(OT::hb_sanitize_context_t*, void const*) const src/./hb-open-type-private.hh:792:5
    #11 0x615909 in OT::ArrayOf<OT::OffsetTo<OT::PosLookup, OT::IntType<unsigned short, 2u> >, OT::IntType<unsigned short, 2u> >::sanitize(OT::hb_sanitize_context_t*, void const*) const src/./hb-open-type-private.hh:893
    #12 0x5cd859 in OT::OffsetListOf<OT::PosLookup>::sanitize(OT::hb_sanitize_context_t*) const src/./hb-open-type-private.hh:950:5
    #13 0x5cd859 in OT::OffsetTo<OT::OffsetListOf<OT::PosLookup>, OT::IntType<unsigned short, 2u> >::sanitize(OT::hb_sanitize_context_t*, void const*) const src/./hb-open-type-private.hh:792
    #14 0x5cd859 in OT::GPOS::sanitize(OT::hb_sanitize_context_t*) const src/./hb-ot-layout-gpos-table.hh:1507
    #15 0x5cd859 in OT::Sanitizer<OT::GPOS>::sanitize(hb_blob_t*) src/./hb-open-type-private.hh:337
    #16 0x5a7598 in _hb_ot_layout_create(hb_face_t*) src/hb-ot-layout.cc:60:23
    #17 0x50f4c6 in hb_ot_shaper_face_data_ensure(hb_face_t*) src/./hb-shaper-list.hh:43:1
    #18 0x50f4c6 in hb_shape_plan_plan(hb_shape_plan_t*, hb_feature_t const*, unsigned int, char const* const*) src/./hb-shaper-list.hh:43
    #19 0x50f4c6 in hb_shape_plan_create src/hb-shape-plan.cc:149
    #20 0x512be5 in hb_shape_plan_create_cached src/hb-shape-plan.cc:458:33
    #21 0x50e02e in hb_shape_full src/hb-shape.cc:374:33
    #22 0x50e02e in hb_shape src/hb-shape.cc:405
    #23 0x4d3936 in LLVMFuzzerTestOneInput 

0x60600000effd is located 0 bytes to the right of 61-byte region [0x60600000efc0,0x60600000effd)
allocated by thread T0 here:
    #0 0x4a92db in __interceptor_malloc 
    #1 0x4d786b in _try_writable(hb_blob_t*) src/hb-blob.cc:465:23
    #2 0x5a7598 in _hb_ot_layout_create(hb_face_t*) src/hb-ot-layout.cc:60:23
    #3 0x50f4c6 in hb_ot_shaper_face_data_ensure(hb_face_t*) src/./hb-shaper-list.hh:43:1
    #4 0x50f4c6 in hb_shape_plan_plan(hb_shape_plan_t*, hb_feature_t const*, unsigned int, char const* const*) src/./hb-shaper-list.hh:43
    #5 0x50f4c6 in hb_shape_plan_create src/hb-shape-plan.cc:149

[behdad]

Should be fixed. Please reopen with next issue :).

[kcc]

Gooood! This has unblocked further fuzzing.
Next item that is a minor headache for fuzzing, but is also a bug worth fixing:

==1899==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 152 byte(s) in 1 object(s) allocated from:
    #0 0x4b79fc in calloc /home/kcc/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:56
    #1 0x4e9bf3 in _ZL16hb_object_createI9hb_blob_tEPT_v src/./hb-object-private.hh:129:24
    #2 0x4e9bf3 in hb_blob_create src/hb-blob.cc:108
    #3 0x4e9bf3 in hb_blob_create_sub_blob src/hb-blob.cc:164
    #4 0x50acf4 in _hb_face_for_data_reference_table(hb_face_t*, unsigned int, void*) src/hb-face.cc:146:21
    #5 0x52f135 in hb_face_t::reference_table(unsigned int) const src/./hb-face-private.hh:72:12
    #6 0x52f135 in hb_ot_face_glyf_accelerator_t::init(hb_face_t*) src/hb-ot-font.cc:121
    #7 0x5293c4 in _hb_ot_font_create(hb_face_t*) src/hb-ot-font.cc:253:3
    #8 0x5293c4 in hb_ot_font_set_funcs src/hb-ot-font.cc:425
    #9 0x4e4ce4 in LLVMFuzzerTestOneInput /home/kcc/harfbuzz/test/fuzzing/hb-fuzzer.cc:12:3
    #10 0x4e5633 in main /home/kcc/harfbuzz/test/fuzzing/hb-fuzzer.cc:44:5
    #11 0x7fc341b06ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #12 0x41a4ce in _start (/home/kcc/harfbuzz_run+0x41a4ce)
Indirect leak of 152 byte(s) in 1 object(s) allocated from:
    #0 0x4b79fc in calloc /home/kcc/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:56
    #1 0x4e8bf5 in _ZL16hb_object_createI9hb_blob_tEPT_v src/./hb-object-private.hh:129:24
    #2 0x4e8bf5 in hb_blob_create src/hb-blob.cc:108
    #3 0x4e4cbb in LLVMFuzzerTestOneInput /home/kcc/harfbuzz/test/fuzzing/hb-fuzzer.cc:8:21
    #4 0x4e5633 in main /home/kcc/harfbuzz/test/fuzzing/hb-fuzzer.cc:44:5
    #5 0x7fc341b06ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #6 0x41a4ce in _start (/home/kcc/harfbuzz_run+0x41a4ce)

Reproducer in base64:

AAEAAAAOAIAAAwBgR1NVQuIT4Q4AAAgYAAAARE9TLzJxolP2AAAB0AAAAFZjbWFwAAwwXwAAAigA
AAA0Y3YAAQAAAAMCAgAqRUZRDfzQU0cpA+AAAD0AAAA0R1BPUwAVSAEAAAAAAwoAAQAEAAV0IA/A
EAAAAAWUAAACAGZwZ20BUpwYAAACXAAAALNnbHlmR9rfuAAAAOwAAABYaGVhZNv2AAAABAABAAMA
AgBoxARfNAAAAWwAAAA2aGhlYQejA0EAAAGsAAAAJGhtdHgGyAAAAq0AAAGkAAAACGxvY2EAFgAs
AAABZAAAAAhtYXhwGDUSawAAAUQAAAAgbmFtZQOoDBEAAAeUAAAARHBvc3QdaKP9AAAH2AAAAD1w
cmVwDyU+pQAAAxAAAAKCAAECyAA= 

[behdad]

You should be able to reopen issues now.

[behdad]

Leak fixed.

[kcc]

Now, the bane of fuzzing: non-linear algorithms.
I am attaching several inputs that consume multiple seconds each.
In case these are different problems, please check all after fixing one.

For slow-unit-03b06616c9de07c85802e6a9a0652354266af8fd (takes 5 minutes to finish)
the profile looks like this:

 37.81%  harfbuzz_run  harfbuzz_run       [.] OT::apply_lookup(OT::hb_apply_context_t*, unsigned int, unsigned int*, unsigned int, OT::LookupRecord const*, unsigned int)
 21.42%  harfbuzz_run  harfbuzz_run       [.] hb_buffer_t::move_to(unsigned int)
 11.99%  harfbuzz_run  harfbuzz_run       [.] OT::SubstLookup::apply_recurse_func(OT::hb_apply_context_t*, unsigned int)

ARTIFACTS.tgz.pdf

(hm... github does not allow to upload .tgz file. The .pdf file attached is actually a tgz file. Weird)

[behdad]

I pushed out a change that makes these edge cases significantly faster (over 10x). We still can do better, but this should give you a boost for now.

[kcc]

Did some tricks out of my sleeve...

==304==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f00000fa98 at pc 0x0000005188a4 bp 0x7fffc8c70cf0 sp 0x7fffc8c70ce8
READ of size 1 at 0x61f00000fa98 thread T0
    #0 0x5188a3 in OT::BEInt<unsigned short, 2>::operator unsigned short() const src/./hb-open-type-private.hh:583:13
    #1 0x5188a3 in OT::IntType<unsigned short, 2u>::operator unsigned short() const src/./hb-open-type-private.hh:632
    #2 0x5188a3 in hb_ot_face_metrics_accelerator_t::get_advance(unsigned int) const src/hb-ot-font.cc:92
    #3 0x5188a3 in hb_ot_get_glyph_h_advance(hb_font_t*, void*, unsigned int, void*) src/hb-ot-font.cc:290
    #4 0x52c9cb in hb_font_t::get_glyph_h_advance(unsigned int) src/./hb-font-private.hh:164:12
    #5 0x52c9cb in hb_font_t::get_glyph_advance_for_direction(unsigned int, hb_direction_t, int*, int*) src/./hb-font-private.hh:257
    #6 0x52c9cb in hb_ot_position_default(hb_ot_shape_context_t*) src/hb-ot-shape.cc:652
    #7 0x52c9cb in hb_ot_position(hb_ot_shape_context_t*) src/hb-ot-shape.cc:752
    #8 0x52c9cb in hb_ot_shape_internal(hb_ot_shape_context_t*) src/hb-ot-shape.cc:796
    #9 0x52c9cb in _hb_ot_shape src/hb-ot-shape.cc:816
    #10 0x51130b in hb_shape_plan_execute src/./hb-shaper-list.hh:43:1
    #11 0x50e325 in hb_shape_full src/hb-shape.cc:375:19
    #12 0x50e325 in hb_shape src/hb-shape.cc:405
    #13 0x4d3946 in LLVMFuzzerTestOneInput

0x61f00000fa98 is located 127 bytes to the right of 1049-byte region [0x61f00000f600,0x61f00000fa19)
allocated by thread T0 here:
    #0 0x4d19eb in operator new(unsigned long)
    #1 0x7fd000411668 in __gnu_cxx::new_allocator<char>::allocate(unsigned long, void const*) 
    #2 0x7fd000411668 in std::string::_Rep::_S_create(unsigned long, unsigned long, std::allocator<char> const&) 
    #3 0x4d5474 in char* std::string::_S_construct_aux<std::istreambuf_iterator<char, std::char_traits<char> > >(std::istreambuf_iterator<char, std::char_traits<char> >, std::
    #4 0x4d4fe4 in char* std::string::_S_construct<std::istreambuf_iterator<char, std::char_traits<char> > >(std::istreambuf_iterator<char, std::char_traits<char> >, std::istr
    #5 0x4d4b03 in std::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string<std::istreambuf_iterator<char, std::char_traits<char> > >(std::istreamb
    #6 0x4d3c6f in FileToString(std::string const&) 

Note the "is located 127 bytes to the right of 1049-byte region" bit.
you will need ASAN_OPTIONS=redzone=128 to get reliable report.

Repro (base64)

AAEAAAALAIAAAwAwR1NVQrKltSEAACNoAAAAfk9TLzJpynqEAAABOAAAAGBjbWFwAGUDrAAAAogA
AACIZ2x5ZsL9NwYAAAOMAAAZMmhlYWQw2sRrAAAAvAAAADZoaGVhOOY4LQAAAPQAAAAkaG10eKLe
DeEAAAOYAAAA8GxvY2HhQ+fQAAADEAAAAHxtYXhwAF8DbwAAARgAAAAgbmFtZUVYv/YAABzAAAAF
EHBvc3TZ1eHyAAAh0AAAAZcAAQAAAAVMzIO9wBJfDzz1Ah0IAAAAAADMFoLdAAAAANHWrBb/nv4Z
MhwFlgAAAAgAAAAAAAAAAAABAAAHJ/4IAAA6mP+e/1EyHgABAAAAAAAAAAAAAAAAAAAAOwABAAAA
PQBdAAMCzQAVAAEAAABBAAAAAAAAAAAACQADAAMP5gGQAAUAAAUzBZkAAAEeBTMFmQAAA9cAZgIS
AQUCAAUDAAAAAAAAAAAAAQAAAAAAAAAAAAAAAFBmRWQAQAAgAHoHJ/4IAAAHJwH4AAAAAQAAAAAD
bwVEAEAAFAAHBAAAAAIAAAADuABQA7gAtgO4AGoDuABaA7gAOQO4AG8DuABaA7gAaAO4AF4DuABm
A6cASgPxABADbABMBAwAUAOTAEwCegAtBAAAQgRNABwCKwA1Ai3/ngQYAB0CHAAlBlEALQRWAC0E
CABUBCYACAQGAEgC+QAtAx4AYgKHADMEPwAtA/kADAX5AAwD6wAhBB4AGQNkAEwOEABODhAATg4Q
AE4OEABODhAATg4QAE4OEABODhAATg4QAE46mABOOpgATjqYAE46mABOOpgATjqYAE46mABOOpgA
TjqYAE46mAAAOpgAABOIAAAAAAAAAAAABAAAAAMAAAAkAAAACgAAAFQAAwABAAAAJAADAAoAAABU
AAQAMAAAAAgACAACAAAAIAA5AHr//wAAACAAMABh////4f/S/6sAAQAAAAAAAAAAAAwAAAAAADQA
AAAAAAAAAwAAACAAAAAgAAAAAQAAADAAAAA5AAAAOwIAAABhAAAAegAAAAwAAAAAAAAAOwBrALEB
BQFNAYwBxgHzAj4CeALLAxUDRAOfA9YEHASVBPwFOgWBBfQGIwanBwMHMQePB+QILQh5CLQJCglT
CckKQgqbCtkK6Qr5CwkLGQspCzkLSQtZC2kLhQuRC50LxQvRC90MAQwNDBkMNQxVDG0MhQyZAAIA
UP/sA2AE4QARACIAAAEiDgIVEBcxPgI3NhEQJyYDIicmAjUQEjMyFxYRFAIGBgHbJ0VEKdMSKTgz
ECN3Jz16VlRf66CWZItOfIQEmjJ2/LL98AEMI1A8fwEmAX9lI/tSVlMBIKUBIwFkhbj+yar++Q==