From 5e0b271b69355b5692b6afd1cd2c04d08c3b380c Mon Sep 17 00:00:00 2001
From: Dan Sinclair
Date: Thu, 10 May 2018 21:21:05 +0000
Subject: Fixup ASSERT in Bidi handling; Add bidi fuzzer.
This CL converts several asserts in the FX_Bidi code to continue instead of asserting in the face of unexpected input. A BIDI fuzzer has been added as well.
Bug: chromium:839695
Change-Id: If61f822bde7442c008d50be58f7cecffb6e5d658
Reviewed-on: https://pdfium-review.googlesource.com/32191
Reviewed-by: Lei Zhang
Commit-Queue: dsinclair
---
core/fxcrt/fx_bidi.cpp | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
(limited to 'core/fxcrt/fx_bidi.cpp')
diff --git a/core/fxcrt/fx_bidi.cpp b/core/fxcrt/fx_bidi.cpp
index 48504e5821..7261d80af3 100644
--- a/core/fxcrt/fx_bidi.cpp
+++ b/core/fxcrt/fx_bidi.cpp
@@ -329,12 +329,11 @@ class CFX_BidiLine {
 int32_t iLevelCur = 0;
 int32_t iState = FX_BWSxl;
- size_t i = 0;
 size_t iNum = 0;
 int32_t iClsCur;
 int32_t iClsRun;
 int32_t iClsNew;
- int32_t iAction;
+ size_t i = 0;
 for (; i <= iCount; ++i) {
 CFX_Char* pTC = &(*chars)[i];
 iClsCur = pTC->m_iBidiClass;
@@ -365,9 +364,10 @@ class CFX_BidiLine {
 continue;
 }
 }
+ if (iClsCur > FX_BIDICLASS_BN)
+ continue;
- ASSERT(iClsCur <= FX_BIDICLASS_BN);
- iAction = gc_FX_BidiWeakActions[iState][iClsCur];
+ int32_t iAction = gc_FX_BidiWeakActions[iState][iClsCur];
 iClsRun = GetDeferredType(iAction);
 if (iClsRun != FX_BWAXX && iNum > 0) {
 SetDeferredRun(chars, true, i, iNum, iClsRun);
@@ -412,8 +412,9 @@ class CFX_BidiLine {
 ++iNum;
 continue;
 }
+ if (iClsCur >= FX_BIDICLASS_AL)
+ continue;
- ASSERT(iClsCur < FX_BIDICLASS_AL);
 iAction = gc_FX_BidiNeutralActions[iState][iClsCur];
 iClsRun = GetDeferredNeutrals(iAction, iLevel);
 if (iClsRun != FX_BIDICLASS_N && iNum > 0) {
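Review bot: The new guard `if (iClsCur > FX_BIDICLASS_BN) continue;` in the `@@ -365,9 +364,10 @@` hunk bounds the column index of `gc_FX_BidiWeakActions[iState][iClsCur]` only from above, so a negative `iClsCur` would still read before the table. `iClsCur` is a signed `int32_t` copied from `pTC->m_iBidiClass`, whose type and value range are not visible here; if it can ever be negative, use `if (iClsCur < 0 || iClsCur > FX_BIDICLASS_BN) continue;`. The same one-sided check (`iClsCur >= FX_BIDICLASS_AL`) is added before `gc_FX_BidiNeutralActions[iState][iClsCur]` in the `@@ -412,8 +412,9 @@` hunk. Assuming ASSERT is compiled out of release builds, these guards are the only bounds check left on the table index, so a short comment on each saying so would keep them from being dropped in a later cleanup. The enclosing loops start and end outside these hunks.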
@@ -445,8 +446,9 @@ class CFX_BidiLine {
 int32_t iCls = (*chars)[i].m_iBidiClass;
 if (iCls == FX_BIDICLASS_BN)
 continue;
+ if (iCls <= FX_BIDICLASS_ON || iCls >= FX_BIDICLASS_AL)
+ continue;
- ASSERT(iCls > FX_BIDICLASS_ON && iCls < FX_BIDICLASS_AL);
 int32_t iLevel = (*chars)[i].m_iBidiLevel;
 iLevel += gc_FX_BidiAddLevel[FX_IsOdd(iLevel)][iCls - 1];
 (*chars)[i].m_iBidiLevel = (int16_t)iLevel;
--
cgit v1.2.3
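Review bot: The range guard `if (iCls <= FX_BIDICLASS_ON || iCls >= FX_BIDICLASS_AL) continue;` has no comment saying that it keeps `iCls - 1` inside `gc_FX_BidiAddLevel`, which is its whole purpose now that the ASSERT is gone. I would add `// Classes outside (ON, AL) have no column in gc_FX_BidiAddLevel; skip them instead of indexing out of range.` above it. The preceding `if (iCls == FX_BIDICLASS_BN) continue;` looks subsumed by the new test if BN lies outside that range, as the position of the removed ASSERT suggests, so the two checks could be merged once that is confirmed against the enum. The loop header is outside the hunk.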