Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Avoid integer overflows with correct signing (tracking HB) and assertions #146

Merged
merged 2 commits into from
Nov 11, 2024

Conversation

alerque
Copy link
Member

@alerque alerque commented Nov 9, 2024

See discussion in issue #142, currently known to be incomplete and untested. The lack of test cases that cover the original code made a POC hard to work on.

Closes #142.

@alerque alerque force-pushed the dodge-indexing-pitfalls branch 2 times, most recently from 61ee39e to 424d79f Compare November 9, 2024 14:15
@alerque
Copy link
Member Author

alerque commented Nov 9, 2024

After some more fiddling I ruled out most of the other potential instances of subtractions from usize that could wrap (as happened #142) being reachable in actual use, but I wasn't able to easily rule out these cases being theoretically possible with a buggy font. It doesn't mean they are definitely reachable cases, just that it isn't obvious to me what keeps the rhs from being greater than the lhs.

It might be better to fix these with an assert() of some kind to make sure they do not saturate in practice, because clamping the result is potentially going to do something different than wrapping and potentially break worse than expected.

@behdad
Copy link
Member

behdad commented Nov 9, 2024

See #142 (comment)

@alerque alerque mentioned this pull request Nov 9, 2024
@alerque alerque force-pushed the dodge-indexing-pitfalls branch from 424d79f to b7898a9 Compare November 9, 2024 21:17
@alerque alerque changed the title Use idiomatic Rust arithmetic to dodge potential integer overflows Avoid integer overflows with correct signing (tracking HB) and assertions Nov 9, 2024
@alerque alerque force-pushed the dodge-indexing-pitfalls branch from b7898a9 to 86f235c Compare November 9, 2024 21:30
@alerque alerque marked this pull request as ready for review November 9, 2024 21:42
@alerque alerque requested a review from LaurenzV November 9, 2024 21:43
@alerque alerque force-pushed the dodge-indexing-pitfalls branch from 86f235c to b7c7169 Compare November 9, 2024 21:45
@@ -977,7 +980,7 @@ fn apply_lookup(
}
}

ctx.buffer.move_to(end);
ctx.buffer.move_to(end as usize);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

end is always guaranteed to be positive here?

Copy link
Member Author

@alerque alerque Nov 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good question. At first blush it looks like on this point it is a bug-for-bug port of HB. The upstream function takes an unsigned integer argument:

bool
hb_buffer_t::move_to (unsigned int i)

But it is being passed a signed integer:

int end;
...
(void) buffer->move_to (end);

I don't know if/how C resolves this. @behdad?

At some point it looks like there is a guarantee that it will be at least as large as...

if (end < int (match_positions[idx]))
{
  end = match_positions[idx];

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, end is also always positive because there's at least one glyph in the match sequence... You can assert as you cast it.

Would you be able to send a PR to HB to add similar asserts?

Copy link
Member Author

@alerque alerque Nov 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added an assertion for this case too (via Rust's TryInto trait since we aren't enforcing any context specific bounds, just making sure the cast can't loose information) and also opened a matching PR on HB.

@alerque alerque force-pushed the dodge-indexing-pitfalls branch from f33bd0c to d5b704b Compare November 11, 2024 08:06
Copy link
Collaborator

@LaurenzV LaurenzV left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't compare it with the HB code, but seems fine. 😄

@alerque alerque merged commit 2f178dc into harfbuzz:main Nov 11, 2024
2 checks passed
@alerque alerque deleted the dodge-indexing-pitfalls branch November 11, 2024 08:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Assertion failure
3 participants