The subsetted demo font of the report that exhibits the bug has a
very unusual type 2 cmap for Unicode(!): It contains only two
sub-headers, one for one-byte characters (covering the range 0x20 to
0xFA), and a second one for higher byte 0x01 (just for character
code U+0131).
Before this commit, the iterator wasn't able to correctly handle a
sub-header for higher byte 0x01.
* src/sfnt/ttcmap.c (tt_cmap2_char_next): Fix character increment
for outer loop.
* src/autofit/afshaper.c: Include FT_ADVANCE_H, to use
FT_Get_Advance() in it.
* src/sfnt/ttcmap.c: Include FT_SERVICE_POSTSCRIPT_CMAPS_H
to use PS_Unicodes in it, also include `ttpost.h' to use
tt_face_get_ps_name() in it.
* src/sfnt/ttcmap.c (tt_cmap4_char_map_linear): Add code to better
skip invalid segments.
If searching the next character, provide a more efficient logic to
speed up the code.
While the current code in `FT_Get_Next_Char' correctly rejects
out-of-bounds glyph indices, it can be extremely slow for malformed
cmaps that use 32bit values. This commit tries to improve that.
* src/sfnt/ttcmap.c (tt_cmap8_char_next, tt_cmap12_next,
tt_cmap12_char_map_binary, tt_cmap13_next,
tt_cmap13_char_map_binary): Reject glyph indices larger than or
equal to the number of glyphs.
* src/base/ftobjs.c (FT_Get_Char_Index): Don't return out-of-bounds
glyph indices.
(FT_Get_First_Char): Updated.
* src/sfnt/ttcmap.c (tt_cmap6_char_next): Don't return character
codes greater than 0xFFFF.
(tt_cmap8_char_index): Avoid integer overflow in computation of
glyph index.
(tt_cmap8_char_next): Avoid integer overflows in computation of
both next character code and glyph index.
(tt_cmap10_char_index): Fix unsigned integer logic.
(tt_cmap10_char_next): Avoid integer overflow in computation of
next character code.
(tt_cmap12_next): Avoid integer overflows in computation of both
next character code and glyph index.
(tt_cmap12_char_map_binary): Ditto.
(tt_cmap12_char_next): Simplify.
(tt_cmap13_char_map_binary): Avoid integer overflow in computation
of next character code.
(tt_cmap13_char_next): Simplify.
* src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate,
tt_cmap12_validate, tt_cmap13_validate, tt_cmap14_validate): Protect
against overflow in additions and multiplications.
The call was (from the top-level of the FreeType tree):
cppcheck --force \
--enable=all \
-I /usr/include \
-I /usr/local/include \
-I /usr/lib/gcc/i586-suse-linux/4.7/include \
-I include \
-I include/freetype \
-I include/freetype/config \
-I include/freetype/internal \
-DFT2_BUILD_LIBRARY \
. &> cppcheck.log
using cppcheck git commit f7e93f99.
Note that cppcheck still can't handle `#include FOO' (with `FOO' a
macro).
*/* Improve variable scopes.
*/* Remove redundant initializations which get overwritten.
* src/gxvalid/*: Comment out redundant code or guard it with
FT_DEBUG_LEVEL_TRACE.
This is essentially a mechanical conversion, adding inclusion of
`FT_INTERNAL_DEBUG_H' where necessary, and providing the macros for
stand-alone compiling modes of the rasterizer modules.
To convert the remaining occurrences of FT_Err_XXX and friends it is
necessary to rewrite the code. Note, however, that it doesn't harm
if some cases are not handled since FT_THROW is a no-op.
Problem reported by Peter Breitenlohner and Akira Kakuto.
* include/freetype/config/ftstdlib.h (ft_setjmp): Updated.
* src/sfnt/ttcmap.c (tt_face_build_cmaps): Remove cast.
Fix for Savannah bug #30059.
* src/cache/ftccmap.c (FTC_CMapCache_Lookup): Replace `16' the
minimum character code passed by a legacy rogue client by...
* include/freetype/config/ftoption.h (FT_MAX_CHARMAP_CACHEABLE):
This. It is undefined when FT_CONFIG_OPTION_OLD_INTERNALS is
undefined (thus the rogue client compatibility is not required).
* src/cff/cffobjs.c (cff_face_init): Abort the automatic
selection or synthesis of Unicode cmap subtable when the charmap
index exceeds FT_MAX_CHARMAP_CACHEABLE.
* src/sfnt/ttcmap.c (tt_face_build_cmaps): Issue error message
when the charmap index exceeds FT_MAX_CHARMAP_CACHEABLE.
* src/base/ftobjs.c (find_unicode_charmap): When Unicode charmap
is found after FT_MAX_CHARMAP_CACHEABLE, ignore it and search
earlier one.
(find_variant_selector_charmap): When UVS charmap is found after
FT_MAX_CHARMAP_CACHEABLE, ignore it and search earlier one.
(FT_Select_Charmap): When a charmap matching with requested
encoding but after FT_MAX_CHARMAP_CACHEABLE, ignore and search
earlier one.
(FT_Set_Charmap): When a charmap matching with requested
charmap but after FT_MAX_CHARMAP_CACHEABLE, ignore and search
earlier one.
(FT_Get_Charmap_Index): When a requested charmap is found
after FT_MAX_CHARMAP_CACHEABLE, return the inverted charmap
index.
