Problems reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40
We now map the strike index right before accessing the physical
data, not earlier.
* src/sfnt/sfobjs.c (sfnt_load_face): Set `face->sbit_strike_map'
after creating the map so that...
* src/sfnt/ttsbit.c (tt_face_load_strike_metrics): ... this function
can be used before and after setting up `sbit_strike_map'.
(tt_face_set_sbit_strike): Revert change.
(tt_sbit_decoder_init, tt_face_load_sbix_image): Map strike index.
* src/truetype/ttdriver.c (tt_size_select): Revert change.
FreeType tries to sanitize strike header data; we now reject
completely broken ones.
* include/freetype/internal/tttypes.h (TT_FaceRec): New
`sbit_strike_map' array pointer.
* src/base/ftobjs.c (FT_Match_Size): Reject matches where either
width or height would be zero.
Add tracing message in case of error.
* src/sfnt/sfobjs.c (sfnt_load_face): Populate `sbit_strike_map',
only using (more or less) valid strike header data for
FT_Face's `available_sizes' array.
(sfnt_done_face): Updated.
* src/sfnt/ttsbit.c (tt_face_set_sbit_strike): Use
`sbit_strike_map'.
(tt_face_load_strike_metrics): Improve tracing.
* src/truetype/ttdriver.c (tt_size_select): Use `sbit_strike_map'.
This commit avoids `EBDT' and friends being looked up again and
again while loading a single embedded bitmap.
* include/freetype/internal/tttypes.h (TT_FaceRec)
[TT_CONFIG_OPTION_EMBEDDED_BITMAPS]: New fields `ebdt_start' and
`ebdt_size'.
* src/sfnt/ttsbit.c (tt_sbit_decoder_init): Move table lookup to ...
(tt_face_load_sbit): ... this function; also store the table size
and offset.
`FT_Get_Advance' returns 0 for bitmap fonts. It first gets the
advance value from the font table and then scales it by the
`font->size->metrics->x_scale' field. But `FT_Select_Size' doesn't
set that value for bitmap fonts and the advance gets scaled to zero.
Taken from
https://github.com/behdad/harfbuzz/issues/252
* src/sfnt/ttsbit.c (tt_face_load_strike_metrics)
<TT_SBIT_TABLE_TYPE_EBLC>: Set scale values.
Since 2016-05-16 we detect infinite recursion directly.
* src/sfnt/ttload.c (tt_face_load_maxp): Don't adjust
`maxComponentDepth'.
* src/truetype/ttgload.c (load_truetype_glyph): Don't abort if
`maxComponentDepth' is not valid. Instead, simply adjust its value
and emit a tracing message.
The new code only displays the first master in the font.
* src/cff/cffgload.c (cff_decode_parse_charstrings): Add new
parameter to allow function calls from dictionaries also.
<cff_op_blend>: Partially implement it.
Update all callers.
* src/cff/cffgload.h: Updated.
* src/cff/cffparse.c (cff_parser_init): Add new parameter to pass the
number of Multiple Master designs.
Update all callers.
(cff_parse_multiple_master): New function to rudimentarily parse
operator.
(cff_parser_run): Handle `T2' operator.
* src/cff/cffparse.h: Updated.
(CFF_ParserRec): Add `num_designs' field.
* src/cff/cffload.c: Updated.
* src/cff/cfftoken.h: Handle `MultipleMaster' operator.
* src/cff/cfftypes.h (CFF_FontRecDictRec): Add `num_designs' field.
* src/sfnt/sfobjs.c (sfnt_init_face): Don't handle `fvar' table for
MM CFFs.
Problem reported by Nikolay Sivov <bunglehead@gmail.com>.
* src/sfnt/ttsbit.c (tt_face_load_strike_metrics): Avoid zero value
for `metrics->height' by applying some heuristics.
* src/sfnt/ttcmap.c (tt_cmap4_char_map_linear): Add code to better
skip invalid segments.
If searching the next character, provide a more efficient logic to
speed up the code.
While the current code in `FT_Get_Next_Char' correctly rejects
out-of-bounds glyph indices, it can be extremely slow for malformed
cmaps that use 32bit values. This commit tries to improve that.
* src/sfnt/ttcmap.c (tt_cmap8_char_next, tt_cmap12_next,
tt_cmap12_char_map_binary, tt_cmap13_next,
tt_cmap13_char_map_binary): Reject glyph indices larger than or
equal to the number of glyphs.
* src/base/ftobjs.c (FT_Get_Char_Index): Don't return out-of-bounds
glyph indices.
(FT_Get_First_Char): Updated.
* src/sfnt/ttcmap.c (tt_cmap6_char_next): Don't return character
codes greater than 0xFFFF.
(tt_cmap8_char_index): Avoid integer overflow in computation of
glyph index.
(tt_cmap8_char_next): Avoid integer overflows in computation of
both next character code and glyph index.
(tt_cmap10_char_index): Fix unsigned integer logic.
(tt_cmap10_char_next): Avoid integer overflow in computation of
next character code.
(tt_cmap12_next): Avoid integer overflows in computation of both
next character code and glyph index.
(tt_cmap12_char_map_binary): Ditto.
(tt_cmap12_char_next): Simplify.
(tt_cmap13_char_map_binary): Avoid integer overflow in computation
of next character code.
(tt_cmap13_char_next): Simplify.
This patch fixes weaknesses in function `tt_face_load_font_dir'.
- It incorrectly assumed that valid tables are always at the
beginning. As a consequence, some valid tables after invalid
entries (which are ignored) were never seen.
- Duplicate table entries (this is, having the same tag) were not
rejected.
- The number of valid tables was sometimes too large, leading to
access of invalid tables.
* src/sfnt/ttload.c (check_table_dir): Add argument to return number
of valid tables.
Add another tracing message.
(tt_face_load_font_dir): Only allocate table array for valid
entries as returned by `check_table_dir'.
Reject duplicate tables and adjust number of valid tables
accordingly.
For functions querying a face, bits 16-30 of the face index can hold
the named instance index if we have a GX font. The indices start
with value 1; value 0 indicates font access without GX variation
data.
* include/freetype/freetype.h (FT_FaceRec): Update documentation.
* include/freetype/internal/sfnt.h: Ditto.
* src/sfnt/sfobjs.c (sfnt_init_face)
[TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Get number of named instances and
do argument checks.
(sfnt_load_face): Updated.
* src/truetype/ttobjs.c (tt_face_init)
[TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Use named instance, overwriting
the style name.
* src/base/ftobjs.c (open_face_from_buffer,
open_face_PS_from_sfnt_stream): Updated.
* src/bdf/bdfdrivr.c (BDF_Face_Init): Updated.
* src/cff/cffload.c (cff_font_load): Updated.
* src/cff/cffobjs.c (cff_face_init): Make function exit early for
pure CFF fonts if `font_index < 0'.
Updated.
* src/cid/cidobjs.c (cid_face_init): Updated.
* src/pcf/pcfdrivr.c (PCF_Face_Init): Updated.
* src/pfr/pfrobjs.c (pfr_face_init): Updated.
* src/type1/t1objs.c (T1_Face_Init): Updated.
* src/type42/t42objs.c (T42_Face_Init): Updated.
* src/winfonts/winfnt.c (fnt_face_get_dll_font, FNT_Face_Init):
Updated.
* docs/CHANGES: Updated.
* src/base/ftrfork.c (FT_Raccess_Get_HeaderInfo): Only accept
positive values from header.
Check overflow.
* src/base/ftoutln.c (SCALED): Correctly handle left-shift of
negative values.
* src/bdf/bdf.h (_bdf_glyph_modified, _bdf_set_glyph_modified,
_bdf_clear_glyph_modified): Use unsigned long constant.
* src/bdf/bdfdrivr.c (BDF_Size_Select, BDF_Glyph_Load): Don't
left-shift values that can be negative.
* src/pcf/pcfdrivr.c (PCF_Size_Select, PCF_Glyph_Load): Don't
left-shift values that can be negative.
* src/raster/ftraster.c (SCALED): Correctly handle left-shift of
negative values.
* src/sfnt/ttsbit.c (tt_face_load_strike_metrics): Don't left-shift
values that can be negative.
* src/truetype/ttgload.c (TT_Load_Composite_Glyph,
compute_glyph_metrics, load_sbit_image): Don't left-shift values
that can be negative.
See
http://lists.nongnu.org/archive/html/freetype-devel/2015-07/msg00008.html
for a rationale.
* src/autofit/afpic.h, src/base/basepic.h, src/cff/cffpic.h,
src/pshinter/pshpic.h, src/psnames/pspic.h, src/raster/rastpic.h,
src/sfnt/sfntpic.h, src/smooth/ftspic.h, src/truetype/ttpic.h
(FT_BEGIN_HEADER, FT_END_HEADER): Move macro calls to not enclose
header files that contain FT_{BEGIN,END}_HEADER macros by
themselves.
* src/autofit/aftypes.h [FT_DEBUG_AUTOFIT]: Include
FT_CONFIG_STANDARD_LIBRARY_H earlier.
* src/truetype/ttpic.h: Include FT_INTERNL_PIC_H.
* include/freetype/internal/sfnt.h (TT_Get_Name_Func): New
prototype.
(SFNT_Interface, FT_DEFINE_SFNT_INTERFACE): New member `get_name'.
* src/sfnt/sfdriver.c (sfnt_interface): Updated.
* src/sfnt/sfobjs.c (tt_face_get_name): Tag it with `LOCAL_DEF'.
* src/sfnt/sfobjs.h: Add prototype for it.
This is just very basic stuff and just a little bit tested on
GNU/Linux only. I won't delve into this since I'm not a Jam user.
* Jamfile: Call `HDRMACRO' for `ftserv.h' also.
(DEFINES): Replace with...
(CCFLAGS): ... this.
* src/Jamfile: Don't call `HDRMACRO' for `internal.h'; this is
already handled in the top-level Jamfile.
* src/autofit/Jamfile (DEFINES): Replace with...
(CCFLAGS): ... this.
(_sources): Add missing files.
* src/cache/Jamfile: Don't call `HDRMACRO' for `ftcache.h'; it no
longer contains macro header definitions.
* src/base/Jamfile, src/cff/Jamfile, src/sfnt/Jamfile,
src/truetype/Jamfile (_sources): Add missing files.
