ReFuel/freetype
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
5,897 Commits 2 Branches 117 Tags 37 MiB
3d083fc213
Commit Graph

300 Commits

Author SHA1 Message Date
Werner Lemberg
ca799e9be5 [truetype] Integer overflow. 
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2455

* src/truetype/ttinterp.c (Ins_SCFS): Use SUB_LONG.
 2017-07-03 06:27:52 +02:00
Werner Lemberg
dde8f5abbe [truetype] Integer overflows. 
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2384
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2391

* src/base/ftcalc.c (FT_MulDiv, FT_MulDiv_No_Round, FT_DivFix): Use
NEG_LONG.

* src/truetype/ttinterp.c (Ins_SxVTL): Use NEG_LONG.
 2017-06-27 06:16:04 +02:00
Werner Lemberg
b27cef27ff [truetype] Integer overflows. 
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2364

* src/truetype/ttinterp.c (Ins_ISECT): Use NEG_LONG.
 2017-06-24 20:17:46 +02:00
Werner Lemberg
298e2ea5a6 [cff, truetype] Integer overflows. 
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2323
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2328

* src/cff/cf2blues.c (cf2_blues_capture): Use ADD_INT32 and
SUB_INT32.

* src/truetype/ttinterp.c (Ins_SDPVTL): Use SUB_LONG and NEG_LONG.
 2017-06-22 11:52:43 +02:00
Werner Lemberg
8c763fb1be [cff, truetype] Integer overflows. 
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2300
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2313

* src/cff/cf2hints.c (cf2_hintmap_adjustHints): Use ADD_INT32.

* src/truetype/ttinterp.c (Ins_ABS): Avoid FT_ABS.
 2017-06-20 07:49:52 +02:00
Werner Lemberg
4dc00cf5c0 [truetype] Integer overflows. 
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2270
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2278

* src/truetype/ttinterp.c (Ins_MDRP, _iup_worker_interpolate): Use
ADD_LONG and SUB_LONG.
 2017-06-16 13:33:09 +02:00
Werner Lemberg
5c402d97af [cff, truetype] Integer overflows. 
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2216
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2218

* src/cff/cf2fixed.h (cf2_fixedAbs): Use NEG_INT32.

* src/truetype/ttinterp.c (Ins_IP): Use SUB_LONG.
 2017-06-13 06:56:48 +02:00
Werner Lemberg
9038837ee2 [cff, truetype] Integer overflows. 
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2144
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2151
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2153
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2173
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2186

* src/cff/cf2blues.c (cf2_blues_init): Use SUB_INT32.

* src/truetype/ttinterp.c (Round_None, Round_To_Grid,
Round_To_Half_Grid, Round_Down_To_Grid, Round_Up_To_Grid,
Round_To_Double_Grid, Round_Super, Round_Super_45): Use ADD_LONG,
SUB_LONG, NEG_LONG, FT_PIX_ROUND_LONG, FT_PIX_CEIL_LONG,
FT_PAD_ROUND_LONG
(Ins_SxVTL, Ins_MIRP): Use SUB_LONG.
(_iup_worker_shift): Use SUB_LONG and ADD_LONG.
 2017-06-09 20:42:46 +02:00
Werner Lemberg
dcd8de272f */*: Remove `OVERFLOW_' prefix. 
This increases readability.
 2017-06-09 11:21:58 +02:00
Werner Lemberg
7bffeacd7e [cff, truetype] Integer overflows. 
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2133
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2137

* src/cff/cf2hints.c (cf2_hint_init): Use OVERFLOW_SUB_INT32.

* src/truetype/ttinterp.c (PROJECT, DUALPROJ): Use
OVERFLOW_SUB_LONG.
 2017-06-07 17:08:01 +02:00
Werner Lemberg
9fa8a2997f [cff, truetype] Integer overflows. 
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2075
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2088

* src/cff/cf2font.c (cf2_font_setup): Use OVERFLOW_MUL_INT32.

* src/truetype/ttinterp.c (Ins_ISECT): Use OVERFLOW_MUL_LONG,
OVERFLOW_ADD_LONG, and OVERFLOW_SUB_LONG.
 2017-06-04 20:43:08 +02:00
Werner Lemberg
addb2dddb6 [base, cff, truetype] Integer overflows. 
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2060
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2062
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2063
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2068

* src/base/ftobjs.c (ft_glyphslot_grid_fit_metrics): Use
OVERFLOW_ADD_LONG and OVERFLOW_SUB_LONG.

* src/cff/cf2blues.c (cf2_blues_capture), src/cff/cf2hints.c
(cf2_hintmap_adjustHints): Use OVERFLOW_SUB_INT32.

* src/truetype/ttgload.c (compute_glyph_metrics): User
OVERFLOW_SUB_LONG.

* src/truetype/ttinterp.c (Direct_Move, Direct_Move_Orig,
Direct_Move_X, Direct_Move_Y, Direct_Move_Orig_X,
Direct_Move_Orig_Y, Move_Zp2_Point, Ins_MSIRP): Use
OVERFLOW_ADD_LONG and OVERFLOW_SUB_LONG.
 2017-06-03 21:05:42 +02:00
Werner Lemberg
1ea343228d [cff, truetype] Integer overflows. 
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2047
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2057

* src/cff/cf2hints.c (cf2_hintmap_map): Use OVERFLOW_SUB_INT32.

* src/truetype/ttinterp.c (Ins_ADD): Use OVERFLOW_ADD_LONG.
(Ins_SUB): Use OVERFLOW_SUB_LONG.
(Ins_NEG): Use NEG_LONG.
 2017-06-03 06:52:13 +02:00
Werner Lemberg
8d435c463d * src/truetype/ttinterp.c (TT_RunIns): Adjust loop counter again. 
Problem reported by Marek Kašík <mkasik@redhat.com>.

The problematic font that exceeds the old limit is Padauk-Bold,
version 3.002, containing bytecode generated by a buggy version of
ttfautohint.
 2017-06-01 07:09:44 +02:00
Nikolaus Waxweiler
a0455468fd [truetype] Always use interpreter v35 for B/W rendering (#51051). 
* src/truetype/ttgload.c (tt_loader_init)
[TT_SUPPORT_SUBPIXEL_HINTING_MINIMAL]: Adjust
`subpixel_hinting_lean', `grayscale_cleartype', and
`vertical_lcd_lean' accordingly.

* src/truetype/ttinterp.c (Ins_GETINFO): Updated.
(TT_RunIns): Update `backward_compatibility' flag.
 2017-05-20 07:28:46 +02:00
Werner Lemberg
8cd31eb7b0 */*: s/backwards compatibility/backward compatibility/. 2017-05-03 23:54:29 +02:00
Werner Lemberg
5f18d867c0 [truetype] Do linear scaling for FT_LOAD_NO_HINTING (#50470). 
* src/truetype/ttobs.h (TT_SizeRec): Add field `hinted_metrics' to
hold hinted metrics.
Make `metrics' a pointer so that `tt_glyph_load' can easily switch
between metrics.

* src/truetype/ttdriver.c (tt_size_request): Updated.
(tt_glyph_load): Use top-level metrics if FT_LOAD_NO_HINTING is
used.

* src/truetype/ttgload.c (TT_Hint_Glyph, TT_Process_Simple_Glyph,
TT_Process_Composite_Component, load_truetype_glyph,
compute_glyph_metrics, TT_Load_Glyph): Updated.

* src/truetype/ttinterp.c (TT_Load_Context): Updated.

* src/truetype/ttobjs.c (tt_size_reset): Updated.

* src/truetype/ttsubpix.c (sph_set_tweaks): Updated.
 2017-04-26 11:40:28 +02:00
Werner Lemberg
093c182058 [truetype] Avoid reexecution of fpgm' and prep' in case of error. 
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=981

* include/freetype/fterrdef.h (FT_Err_DEF_In_Glyf_Bytecode): New
error code.

* src/truetype/ttinterp.c (Ins_FDEF, Ins_IDEF): Prohibit execution
of these two opcodes in `glyf' bytecode.
(TT_RunIns): Don't enforce reexecution of `fpgm' and `prep' bytecode
in case of error since function tables can no longer be modified
(due to the changes in `Ins_FDEF' and `Ins_IDEF').  This change can
enormously speed up handling of broken fonts.
 2017-04-03 11:37:33 +02:00
Werner Lemberg
3e79254ae7 * src/truetype/ttinterp.c (TT_RunIns): Adjust loop counter (#50573). 
The problematic font that exceeds the old limit is Lato-Regular,
version 2.007, containing bytecode generated by a buggy version of
ttfautohint.
 2017-03-18 10:06:15 +01:00
Werner Lemberg
13fa85a246 [truetype] Another limitation for bytecode loop count maximum. 
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=900

* src/truetype/ttinterp.c (TT_RunIns): Limit `loopcall_counter_max'
by number of glyphs also.
 2017-03-18 09:42:58 +01:00
Werner Lemberg
9931175dcc Improve `make multi'. 
* src/autofit/aflatin2.c: Guard file with FT_OPTION_AUTOFIT2.

* src/base/ftmac.c: Guard more parts of the file with FT_MACINTOSH.

* src/psaux/afmparse.c: Guard file with T1_CONFIG_OPTION_NO_AFM.

* src/sfnt/pngshim.c: Guard file with
TT_CONFIG_OPTION_EMBEDDED_BITMAPS also.

* src/sfnt/ttbdf.c: Avoid empty source file.
* src/sfnt/ttpost.c: Guard file with
TT_CONFIG_OPTION_POSTSCRIPT_NAMES.
* src/sfnt/ttsbit.c: Guard file with
TT_CONFIG_OPTION_EMBEDDED_BITMAPS.

* src/truetype/ttgxvar.c, src/truetype/ttinterp.c: Avoid empty
source file.

* src/truetype/ttsubpix.c: Guard file with
TT_USE_BYTECODE_INTERPRETER also.

* src/type1/t1afm.c: Guard file with T1_CONFIG_OPTION_NO_AFM.

* src/autofit/autofit.c, src/base/ftbase.c, src/cache/ftcache.c,
src/cff/cff.c, src/cid/type1cid.c, src/gxvalid/gxvalid.c,
src/pcf/pcf.c, src/pfr/pfr.c, src/psaux/psaux.c,
src/pshinter/pshinter.c, src/psnames/psnames.c, src/raster/raster.c,
src/sfnt/sfnt.c, src/smooth/smooth.c, src/truetype/truetype.c,
src/type1/type1.c, src/type42/type42.c: Remove conditionals; sort
entries.
 2017-03-18 07:06:49 +01:00
Werner Lemberg
43061d6a93 * src/truetype/ttinterp.c (TT_RunIns): Adjust loop detector limits. 2017-01-20 10:16:38 +01:00
Alexei Podtelezhnikov
236bbdbef9 Typos. 2017-01-18 23:12:31 -05:00
Werner Lemberg
563ae78022 Update copyright year. 2017-01-04 20:16:34 +01:00
Werner Lemberg
f80c4473b6 Replace ++foo' and --foo' with foo++' and foo--', resp. 2016-12-26 23:57:45 +01:00
Werner Lemberg
4441f7b246 Replace foo == NULL' and foo != NULL' with !foo' and foo', resp. 
Other minor formatting.
 2016-12-26 17:08:17 +01:00
Werner Lemberg
37c72f66a5 Minor formatting. 2016-12-25 22:55:25 +01:00
Werner Lemberg
328d68449d [truetype] Remove clang warnings. 
* src/truetype/ttinterp.h (TT_ExecContextRec): Using `FT_ULong' for
loop counter handling.

* src/truetype/ttinterp.c: Updated.
(Ins_SCANTYPE): Use signed constant.
(TT_RunIns): Ensure `num_twilight_points' is 16bit.
 2016-10-29 00:18:56 +02:00
Werner Lemberg
5081674c5f [truetype] Fix SCANTYPE instruction (#49394). 
* src/truetype/ttinterp.c (Ins_SCANTYPE): Only use lower 16bits.
 2016-10-22 19:16:08 +02:00
Werner Lemberg
2ecf89b481 */*: s/FT_MEM_ZERO/FT_ZERO/ where appropriate. 2016-09-28 19:06:21 +02:00
Werner Lemberg
a3e2c83234 [truetype] Trace number of executed opcodes. 
* src/truetype/ttinterp.c (TT_RunIns): Implement it.
 2016-09-27 21:42:02 +02:00
Werner Lemberg
0d94592942 [truetype] Introduce dynamic limits for some bytecode opcodes. 
This speeds up FreeType's handling of malformed fonts.

* src/truetype/ttinterp.c (TT_RunIns): Set up limits for the number
of twilight points, the total number of negative jumps, and the
total number of loops in LOOPCALL opcodes.  The values are based on
the number of points and entries in the CVT table.
(Ins_JMPR): Test negative jump counter.
(Ins_LOOPCALL): Test loopcall counter.

* src/truetype/ttinterp.h (TT_ExecContext): Updated.

* docs/CHANGES: Updated.
 2016-09-27 08:44:31 +02:00
Werner Lemberg
b1e7b68efe * src/truetype/ttinterp.c: Include `ttgxvar.h'. 
This fixes the `multi' build.
 2016-09-08 08:56:34 +02:00
Werner Lemberg
a4c2a31138 [truetype] Fix `MPS' instruction. 
According to Greg Hitchcock, MPS in DWrite really returns the point
size.

* src/truetype/ttobjs.h (TT_SizeRec): Add `point_size' member.

* src/truetype/ttdriver.c (tt_size_request): Set `point_size'.

* src/truetype/ttinterp.h (TT_ExecContextRec): Add `pointSize'
member.

* src/truetype/ttinterp.c (TT_Load_Context): Updated.
(Ins_MPS): Fix instruction.
 2016-08-22 19:32:34 +02:00
Alexei Podtelezhnikov
125f2b63a5 * src/truetype/ttinterp.c (Pop_Push_Count): Revert changes. 2016-08-11 23:40:05 -04:00
Alexei Podtelezhnikov
49d474f6f6 * src/truetype/ttinterp.c (TT_RunIns): Minor and formatting. 2016-08-11 23:03:09 -04:00
Alexei Podtelezhnikov
dce554b1bd * src/truetype/ttinterp.c (Pop_Push_Count): Fix some entries. 2016-08-11 07:29:19 +02:00
Werner Lemberg
053943a757 [truetype] Comment. 2016-07-30 00:27:48 +02:00
Hin-Tak Leung
3a528bbe5a [truetype] Record the end of IDEFs. 
To match the logic in FDEF.  The value of the end is only used for
bound-checking in `Ins_JMPR', so it may not have been obvious that
it was not recorded.  Tested (as part of Font Validator 2.0) all the
fonts on Fedora and did not see any change.

* src/truetype/ttinterp.c (Ins_IDEF): Updated.
 2016-07-22 06:59:36 +02:00
Werner Lemberg
a3b70d76ba [truetype] Make GETDATA work only for GX fonts. 
* src/truetype/ttinterp.c (opcode_name): Updated.
(Ins_GETDATA): Only define for `TT_CONFIG_OPTION_GX_VAR_SUPPORT'.
(TT_RunIns): Updated.
 2016-07-18 06:23:36 +02:00
Werner Lemberg
8c93013ca3 [truetype] Add support for Apple's 
GETDATA[], opcode 0x92

bytecode instruction.  It always returns 17, and we have absolutely
no idea what it is good for...

* src/truetype/ttinterp.c (Pop_Push_Count, opcode_name): Updated.
(Ins_GETDATA): New function.
(TT_RunIns): Add it.
 2016-07-17 22:40:31 +02:00
Werner Lemberg
e084360961 [truetype] Add bytecode support for GX variation fonts. 
This commit implements undocumented (but confirmed) stuff from
Apple's old bytecode engine.

  GETVARIATION[], opcode 0x91
    This opcode pushes normalized variation coordinates for all axes
    onto the stack (in 2.14 format).  Coordinate of first axis gets
    pushed first.

  GETINFO[], selector bit 3
    If GX variation support is enabled, bit 10 of the result is set
    to 1.

* src/truetype/ttinterp.c: Include FT_MULTIPLE_MASTERS_H.
(opcode_name) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Updated.
(Ins_GETINFO) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Handle selector
bit 3, checking support for variation glyph hinting.
(Ins_GETVARIATION) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: New function
to implement opcode 0x91.
(TT_RunIns) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Handle opcode 0x91.
 2016-07-16 18:46:28 +02:00
Werner Lemberg
32a320625e [truetype] Fix GETINFO bytecode instruction. 
* src/truetype/ttinterp.c (Ins_GETINFO): Fix return value for
stretching information.
 2016-07-16 16:39:26 +02:00
Nikolaus Waxweiler
86eb43a994 * src/truetype/ttinterp.c (Ins_MIRP): Fix copy-and-paste error. 
Problem reported by Hin-Tak Leung.
 2016-07-16 06:37:57 +02:00
Werner Lemberg
474682ff87 * src/truetype/ttinterp.c (TInstruction_Function): Removed, unused. 2016-07-06 08:54:35 +02:00
Nikolaus Waxweiler
b459882804 [truetype] Let SHPIX move points in the twilight zone in v40. 
* src/truetype/ttinterp.c (Ins_SHPIX): Allow SHPIX to move points in
the twilight zone.  Otherwise, treat SHPIX the same as DELTAP.
Unbreaks various fonts such as older versions of Rokkitt and DTL
Argo T Light that would glitch severly after calling ALIGNRP after a
blocked SHPIX.
 2016-05-31 08:39:52 +02:00
Nikolaus Waxweiler
ed1d8983f3 [truetype] New implementation of v38 bytecode interpreter [2/3]. 
This patch actually modifies the bytecode interpreter.

See added comments in `ttinterp.h' for more information on this and
the following commit in the series.

* src/truetype/ttinterp.c (SUBPIXEL_HINTING): Replaced by...
(NO_SUBPIXEL_HINTING, SUBPIXEL_HINTING_INFINALITY,
SUBPIXEL_HINTING_MINIMAL): ...new macros.
(Direct_Move, Direct_Move_X, Direct_Move_Y): Handle backwards
compatibility.
Updated.
(Ins_RS, Ins_FDEF, Ins_ENDF, Ins_CALL, Ins_LOOPCALL, Ins_MD):
Updated.
(Ins_INSTCTRL): Handle native ClearType mode flag.
Updated.
(Ins_FLIPPT, Ins_FLIPRGON, Ins_FLIPRGOFF): Handle backwards
compatibility.
(Move_Zp2_Point): Ditto.
(Ins_SHP): Updated.
(Ins_SHPIX): Handle backwards compatibility.
Updated.
(Ins_MSIRP, Ins_MDAP, Ins_MIAP, Ins_MDRP, Ins_MIRP): Updated.
(Ins_ALIGNRP): Updated.
(Ins_IUP, Ins_DELTAP): Handle backwards compatibility.
Updated.
(Ins_GETINFO): Handle v38 flags.
Updated.
(TT_RunIns): Handle backwards compatibility mode.
Updated.
 2016-05-18 06:58:44 +02:00
Alexei Podtelezhnikov
e85422606d Typos. 2016-04-08 23:21:34 -04:00
Nikolaus Waxweiler
6875093a17 Remove unpatented hinter (1/3). 
* src/truetype/ttinterp.c [TT_CONFIG_OPTION_UNPATENTED_HINTING]:
Remove all code related to this macro.
 2016-01-28 12:24:36 +01:00
Werner Lemberg
9adeab6452 Update copyright year. 2016-01-13 11:54:10 +01:00