Fix fvar table size validation logic - DO NOT MERGEandroid-security-8.1.0_r83android-security-8.1.0_r82android-8.1.0_r81android-8.1.0_r80android-8.1.0_r79android-8.1.0_r78android-8.1.0_r77android-8.1.0_r76android-8.1.0_r75android-8.1.0_r74android-8.1.0_r73android-8.1.0_r72android-8.1.0_r71android-8.1.0_r70android-8.1.0_r69android-8.1.0_r68android-8.1.0_r66security-oc-mr1-release

The table size calculation was wrong.
"axisOffset + axisOffset * axisCount" should be
"axisOffset + axisSize * axisCount".

Bug: 77822336
Test: minikin_tests
Change-Id: I0cc88299f44bdad484497d9a55376764446fed12
Merged-In: I0cc88299f44bdad484497d9a55376764446fed12
(cherry picked from commit 1a408ab0ef0546dc92bf55f0e060bedf12fb7957)

4 files changed, 129 insertions, 6 deletions

diff --git a/libs/minikin/FontUtils.cpp b/libs/minikin/FontUtils.cpp
index c5a32f8..60b3163 100644
--- a/libs/minikin/FontUtils.cpp
+++ b/libs/minikin/FontUtils.cpp
@@ -19,6 +19,8 @@
 
 #include "FontUtils.h"
 
+#include <log/log.h>
+
 namespace minikin {
 
 static uint16_t readU16(const uint8_t* data, size_t offset) {
@@ -44,7 +46,7 @@ bool analyzeStyle(const uint8_t* os2_data, size_t os2_size, int* weight, bool* i
     return true;
 }
 
-void analyzeAxes(const uint8_t* fvar_data, size_t fvar_size, std::unordered_set<uint32_t>* axes) {
+bool analyzeAxes(const uint8_t* fvar_data, size_t fvar_size, std::unordered_set<uint32_t>* axes) {
     const size_t kMajorVersionOffset = 0;
     const size_t kMinorVersionOffset = 2;
     const size_t kOffsetToAxesArrayOffset = 4;
@@ -54,7 +56,7 @@ void analyzeAxes(const uint8_t* fvar_data, size_t fvar_size, std::unordered_set<
     axes->clear();
 
     if (fvar_size < kAxisSizeOffset + 2) {
-        return;
+        return false;
     }
     const uint16_t majorVersion = readU16(fvar_data, kMajorVersionOffset);
     const uint16_t minorVersion = readU16(fvar_data, kMinorVersionOffset);
@@ -63,15 +65,19 @@ void analyzeAxes(const uint8_t* fvar_data, size_t fvar_size, std::unordered_set<
     const uint32_t axisSize = readU16(fvar_data, kAxisSizeOffset);
 
     if (majorVersion != 1 || minorVersion != 0 || axisOffset != 0x10 || axisSize != 0x14) {
-        return;  // Unsupported version.
+        return false;  // Unsupported version.
     }
-    if (fvar_size < axisOffset + axisOffset * axisCount) {
-        return;  // Invalid table size.
+    if (fvar_size < axisOffset + axisSize * axisCount) {
+        if (axisOffset > axisSize) {
+            android_errorWriteLog(0x534e4554, "77822336");
+        }
+        return false;  // Invalid table size.
     }
     for (uint32_t i = 0; i < axisCount; ++i) {
         size_t axisRecordOffset = axisOffset + i * axisSize;
         uint32_t tag = readU32(fvar_data, axisRecordOffset);
         axes->insert(tag);
     }
+    return true;
 }
 }  // namespace minikin
diff --git a/libs/minikin/FontUtils.h b/libs/minikin/FontUtils.h
index d26d5e4..ecb9cde 100644
--- a/libs/minikin/FontUtils.h
+++ b/libs/minikin/FontUtils.h
@@ -22,7 +22,7 @@
 namespace minikin {
 
 bool analyzeStyle(const uint8_t* os2_data, size_t os2_size, int* weight, bool* italic);
-void analyzeAxes(const uint8_t* fvar_data, size_t fvar_size, std::unordered_set<uint32_t>* axes);
+bool analyzeAxes(const uint8_t* fvar_data, size_t fvar_size, std::unordered_set<uint32_t>* axes);
 
 }  // namespace minikin
 
diff --git a/tests/unittest/Android.bp b/tests/unittest/Android.bp
index 348d186..770d7be 100644
--- a/tests/unittest/Android.bp
+++ b/tests/unittest/Android.bp
@@ -46,6 +46,7 @@ cc_test {
         "FontCollectionItemizeTest.cpp",
         "FontFamilyTest.cpp",
         "FontLanguageListCacheTest.cpp",
+        "FontUtilsTest.cpp",
         "HbFontCacheTest.cpp",
         "HyphenatorTest.cpp",
         "GraphemeBreakTests.cpp",
diff --git a/tests/unittest/FontUtilsTest.cpp b/tests/unittest/FontUtilsTest.cpp
new file mode 100644
index 0000000..15675c9
--- /dev/null
+++ b/tests/unittest/FontUtilsTest.cpp
@@ -0,0 +1,116 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "FontUtils.h"
+
+#include <gtest/gtest.h>
+
+namespace minikin {
+namespace {
+
+constexpr uint32_t MakeTag(char c1, char c2, char c3, char c4) {
+    return ((uint32_t)c1 << 24) | ((uint32_t)c2 << 16) | ((uint32_t)c3 << 8) | (uint32_t)c4;
+}
+
+static size_t writeU16(uint16_t x, uint8_t* out, size_t offset) {
+    out[offset] = x >> 8;
+    out[offset + 1] = x;
+    return offset + 2;
+}
+
+static size_t writeU32(uint32_t x, uint8_t* out, size_t offset) {
+    out[offset] = x >> 24;
+    out[offset + 1] = x >> 16;
+    out[offset + 2] = x >> 8;
+    out[offset + 3] = x;
+    return offset + 4;
+}
+
+static uint32_t floatToFixed(float x) {
+    return (uint32_t)(x * 65536);
+}
+
+struct Fvar {
+    Fvar(uint32_t tag, float minValue, float defaultValue, float maxValue)
+            : tag(tag), minValue(minValue), defaultValue(defaultValue), maxValue(maxValue) {}
+
+    uint32_t tag;
+    float minValue;
+    float defaultValue;
+    float maxValue;
+};
+
+// Returns valid fvar table contents. No InstanceRecord are filled.
+static std::vector<uint8_t> buildFvarTable(const std::vector<Fvar>& fvars) {
+    const uint32_t HEADER_SIZE = 0x10;
+    const uint32_t AXIS_RECORD_SIZE = 0x14;
+    std::vector<uint8_t> out(HEADER_SIZE + fvars.size() * AXIS_RECORD_SIZE);
+    size_t head = writeU16(1, out.data(), 0);             // major version
+    head = writeU16(0, out.data(), head);                 // minor version
+    head = writeU16(HEADER_SIZE, out.data(), head);       // axes array offset
+    head = writeU16(2, out.data(), head);                 // reserved
+    head = writeU16(fvars.size(), out.data(), head);      // count of axes
+    head = writeU16(AXIS_RECORD_SIZE, out.data(), head);  // size of variaiton axis record
+    head = writeU16(0, out.data(), head);                 // number of instance record count
+    head = writeU16(0, out.data(), head);                 // instance record size
+
+    for (const Fvar& fvar : fvars) {
+        head = writeU32(fvar.tag, out.data(), head);
+        head = writeU32(floatToFixed(fvar.minValue), out.data(), head);
+        head = writeU32(floatToFixed(fvar.defaultValue), out.data(), head);
+        head = writeU32(floatToFixed(fvar.maxValue), out.data(), head);
+        head = writeU16(0, out.data(), head);  // flags
+        head = writeU16(0, out.data(), head);  // axis name ID
+    }
+
+    return out;
+}
+
+TEST(FontUtilsTest, analyzeAxes_tagCount) {
+    std::vector<uint8_t> fvarTable = buildFvarTable({
+            Fvar(MakeTag('w', 'd', 't', 'h'), 0.0f, 1.0f, 2.0f),
+            Fvar(MakeTag('w', 'g', 'h', 't'), 0.0f, 1.0f, 2.0f),
+    });
+
+    std::unordered_set<uint32_t> axes;
+    ASSERT_TRUE(analyzeAxes(fvarTable.data(), fvarTable.size(), &axes));
+    ASSERT_EQ(2u, axes.size());
+    EXPECT_EQ(1u, axes.count(MakeTag('w', 'd', 't', 'h')));
+    EXPECT_EQ(1u, axes.count(MakeTag('w', 'g', 'h', 't')));
+    EXPECT_EQ(0u, axes.count(MakeTag('s', 'l', 'n', 't')));
+}
+
+TEST(FontUtilsTest, analyzeAxes_emptyBuffer) {
+    std::vector<uint8_t> fvarTable;
+    std::unordered_set<uint32_t> axes;
+    ASSERT_FALSE(analyzeAxes(fvarTable.data(), fvarTable.size(), &axes));
+}
+
+TEST(FontUtilsTest, analyzeAxes_invalidTableSize) {
+    std::vector<uint8_t> fvarTable = buildFvarTable({
+            Fvar(MakeTag('w', 'd', 't', 'h'), 0.0f, 1.0f, 2.0f),
+            Fvar(MakeTag('w', 'g', 'h', 't'), 0.0f, 1.0f, 2.0f),
+    });
+
+    fvarTable.resize(1000);
+    writeU16(50, fvarTable.data(), 8);  // Set axisCount = 50
+
+    std::unordered_set<uint32_t> axes;
+    ASSERT_FALSE(analyzeAxes(fvarTable.data(), fvarTable.size(), &axes));
+}
+
+}  // namespace
+}  // namespace minikin