Malformed fonts often have large values for the number of bitmap
strikes, and FreeType doesn't check the validity of all bitmap
strikes in advance.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=353
* src/tools/ftfuzzer/ftfuzzer.cc: Include `stdlib.h' for `rand'.
(Random): Small class to provide n randomly selected numbers
(without repitition) out of the value set [0,N].
(LLVMFuzzerTestOneInput): Use it to test only up to 10 bitmap
strikes.
Currently, libFuzzer only supports mutation of a single file. We
circumvent this problem by using an uncompressed tar archive as
multiple-file input for the fuzzer.
This patch enables tests of `FT_Attach_Stream' and AFM/PFM parsing;
a constructed tarball should contain a font file as the first
element, and files to be attached as further elements.
* src/tools/ftfuzzer/ftfuzzer.cc: Include libarchive headers.
(archive_read_entry_data, parse_data): New functions.
(LLVMFuzzerTestOneInput): Updated.
* src/tools/ftfuzzer/ftmutator.cc: New file, providing a custom
mutator for libFuzzer that can mutate tarballs in a sensible way.
This patch also contains various other improvements.
* src/tools/ftfuzzer/ftfuzzer.cc: Add preprocessor guard to reject
pre-C++11 compilers.
(FT_Global): New class. Use it to provide a global constructor and
destructor for the `FT_Library' object.
(setIntermediateAxis): New function to select an (arbitrary)
instance.
(LLVMFuzzerTestOneInput): Loop over all faces and named instances.
Also call `FT_Set_Char_Size'.
