The previous fix for #46372 misunderstood a composite glyph referring
to the same component twice as a recursive reference. See the discussion
at http://lists.gnu.org/archive/html/freetype/2016-05/msg00000.html
Thanks to Khaled Hosny for finding this issue.
* src/truetype/ttgload.c (ft_list_get_node_at): A function to get
the i-th node from FT_List. (load_truetype_glyph): In the traversal
scan of the reference tree in the composite glyph, we clear the
nodes filled by previous sibling chain.

Otherwise some properties could be set to arbitrary values, which is
harmless, but querying could give wrong positive results.
* src/cff/cffdrivr.c (cff_property_set) [hinting-engine],
* src/truetype/ttdriver.c (tt_property_set) [interpreter-version]:
Only allow defined values.

We probably did not notice this as all fonts we tested had only
tuple_coords[i] be +1 or -1 for non-intermediate tuples.
* src/truetype/ttgxvar.c (ft_var_apply_tuple): Implement it.
* include/freetype/internal/tttypes.h (TT_LoaderRec): New field
`composites'.
* src/truetype/ttgload.c: Include FT_LIST_H.
(load_truetype_glyph): Add composite subglyph index to a list;
abort if index is already in list.
(tt_loader_init): Updated.
(tt_loader_done): New function.
(TT_Load_Glyph): Call `tt_loader_done'.
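
An added illustration of the two composite-recursion entries above (the sibling-chain fix and the original `composites' list); it is not FreeType code. The glyph table and all names are a constructed toy model: a global seen-list rejects a glyph that uses the same composite component twice, while tracking only the ancestor chain rejects just the real cycle.

```c
#include <stdio.h>

#define MAX_GLYPHS 8
#define MAX_DEPTH  8

/* Toy model: a glyph is a list of component glyph indices (n == 0: simple). */
typedef struct { int n; int comp[2]; } Glyph;

/* Constructed sample data, not taken from any real font. */
static const Glyph sample[MAX_GLYPHS] = {
    { 2, { 1, 1 } },  /* 0: uses composite 1 twice, no cycle */
    { 1, { 2, 0 } },  /* 1: composite wrapping simple glyph 2 */
    { 0, { 0, 0 } },  /* 2: simple glyph */
    { 1, { 4, 0 } },  /* 3: 3 -> 4 -> 3 is a real cycle */
    { 1, { 3, 0 } },  /* 4 */
};

/* Global seen-list: any composite met twice is reported as recursion. */
static int walk_seen(const Glyph *g, int idx, unsigned char *seen)
{
    if (g[idx].n == 0) return 0;
    if (seen[idx]) return -1;
    seen[idx] = 1;
    for (int i = 0; i < g[idx].n; i++)
        if (walk_seen(g, g[idx].comp[i], seen)) return -1;
    return 0;
}

/* Ancestor chain only: the slot at this depth is overwritten per sibling. */
static int walk_path(const Glyph *g, int idx, int *path, int depth)
{
    if (g[idx].n == 0) return 0;
    if (depth >= MAX_DEPTH) return -1;       /* nesting limit */
    for (int i = 0; i < depth; i++)
        if (path[i] == idx) return -1;       /* idx is its own ancestor */
    path[depth] = idx;
    for (int i = 0; i < g[idx].n; i++)
        if (walk_path(g, g[idx].comp[i], path, depth + 1)) return -1;
    return 0;
}

int check_seen(int root) { unsigned char s[MAX_GLYPHS] = { 0 }; return walk_seen(sample, root, s); }
int check_path(int root) { int p[MAX_DEPTH]; return walk_path(sample, root, p, 0); }

int main(void)
{
    printf("glyph 0: seen=%d path=%d\n", check_seen(0), check_path(0));
    printf("glyph 3: seen=%d path=%d\n", check_seen(3), check_path(3));
    return 0;
}
```
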
Use the `gvar' table size instead of the remaining bytes in the
stream.
* src/truetype/ttgxvar.h (GX_BlendRec): New field `gvar_size'.
* src/truetype/ttgxvar.c (ft_var_load_gvar): Set `gvar_size'.
(ft_var_readpackedpoints, ft_var_readpackeddeltas): New argument
`size'.
(tt_face_vary_cvt, TT_Vary_Apply_Glyph_Deltas): Updated.

These tests should mainly help avoid unnecessarily large memory
allocations in case of malformed fonts.
* src/truetype/ttgxvar.c (ft_var_readpackedpoints,
ft_var_readpackeddeltas): Check number of points against stream
size.
(ft_var_load_avar): Check `pairCount' against table length.
(ft_var_load_gvar): Check `globalCoordCount' and `glyphCount'
against table length.
(tt_face_vary_cvt): Check `tupleCount' and `offsetToData'.
Fix trace.
(TT_Vary_Apply_Glyph_Deltas): Fix trace.
Free `sharedpoints' to avoid memory leak.

For functions querying a face, bits 16-30 of the face index can hold
the named instance index if we have a GX font. The indices start
with value 1; value 0 indicates font access without GX variation
data.
* include/freetype/freetype.h (FT_FaceRec): Update documentation.
* include/freetype/internal/sfnt.h: Ditto.
* src/sfnt/sfobjs.c (sfnt_init_face)
[TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Get number of named instances and
do argument checks.
(sfnt_load_face): Updated.
* src/truetype/ttobjs.c (tt_face_init)
[TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Use named instance, overwriting
the style name.
* src/base/ftobjs.c (open_face_from_buffer,
open_face_PS_from_sfnt_stream): Updated.
* src/bdf/bdfdrivr.c (BDF_Face_Init): Updated.
* src/cff/cffload.c (cff_font_load): Updated.
* src/cff/cffobjs.c (cff_face_init): Make function exit early for
pure CFF fonts if `font_index < 0'.
Updated.
* src/cid/cidobjs.c (cid_face_init): Updated.
* src/pcf/pcfdrivr.c (PCF_Face_Init): Updated.
* src/pfr/pfrobjs.c (pfr_face_init): Updated.
* src/type1/t1objs.c (T1_Face_Init): Updated.
* src/type42/t42objs.c (T42_Face_Init): Updated.
* src/winfonts/winfnt.c (fnt_face_get_dll_font, FNT_Face_Init):
Updated.
* docs/CHANGES: Updated.
* src/pfr/pfrgload.c (pfr_glyph_load_compound): Use multiplication,
not left-shift.
* src/truetype/ttgxvar.c (ft_var_load_avar, ft_var_load_gvar,
tt_face_vary_cvt, TT_Vary_Apply_Glyph_Deltas): Use multiplication,
not left-shift.
* src/base/ftrfork.c (FT_Raccess_Get_HeaderInfo): Only accept
positive values from header.
Check overflow.
* src/base/ftoutln.c (SCALED): Correctly handle left-shift of
negative values.
* src/bdf/bdf.h (_bdf_glyph_modified, _bdf_set_glyph_modified,
_bdf_clear_glyph_modified): Use unsigned long constant.
* src/bdf/bdfdrivr.c (BDF_Size_Select, BDF_Glyph_Load): Don't
left-shift values that can be negative.
* src/pcf/pcfdrivr.c (PCF_Size_Select, PCF_Glyph_Load): Don't
left-shift values that can be negative.
* src/raster/ftraster.c (SCALED): Correctly handle left-shift of
negative values.
* src/sfnt/ttsbit.c (tt_face_load_strike_metrics): Don't left-shift
values that can be negative.
* src/truetype/ttgload.c (TT_Load_Composite_Glyph,
compute_glyph_metrics, load_sbit_image): Don't left-shift values
that can be negative.

See
http://lists.nongnu.org/archive/html/freetype-devel/2015-07/msg00008.html
for a rationale.
* src/autofit/afpic.h, src/base/basepic.h, src/cff/cffpic.h,
src/pshinter/pshpic.h, src/psnames/pspic.h, src/raster/rastpic.h,
src/sfnt/sfntpic.h, src/smooth/ftspic.h, src/truetype/ttpic.h
(FT_BEGIN_HEADER, FT_END_HEADER): Move macro calls to not enclose
header files that contain FT_{BEGIN,END}_HEADER macros by
themselves.
* src/autofit/aftypes.h [FT_DEBUG_AUTOFIT]: Include
FT_CONFIG_STANDARD_LIBRARY_H earlier.
* src/truetype/ttpic.h: Include FT_INTERNAL_PIC_H.

This is just very basic stuff and just a little bit tested on
GNU/Linux only. I won't delve into this since I'm not a Jam user.
* Jamfile: Call `HDRMACRO' for `ftserv.h' also.
(DEFINES): Replace with...
(CCFLAGS): ... this.
* src/Jamfile: Don't call `HDRMACRO' for `internal.h'; this is
already handled in the top-level Jamfile.
* src/autofit/Jamfile (DEFINES): Replace with...
(CCFLAGS): ... this.
(_sources): Add missing files.
* src/cache/Jamfile: Don't call `HDRMACRO' for `ftcache.h'; it no
longer contains macro header definitions.
* src/base/Jamfile, src/cff/Jamfile, src/sfnt/Jamfile,
src/truetype/Jamfile (_sources): Add missing files.
=======================
Tag sources with `VER-2-6'.
* docs/VERSION.DLL: Update documentation and bump version number to
2.6.
* README, Jamfile (RefDoc), builds/windows/vc2005/freetype.vcproj,
builds/windows/vc2005/index.html,
builds/windows/vc2008/freetype.vcproj,
builds/windows/vc2008/index.html,
builds/windows/vc2010/freetype.vcxproj,
builds/windows/vc2010/index.html,
builds/windows/visualc/freetype.dsp,
builds/windows/visualc/freetype.vcproj,
builds/windows/visualc/index.html,
builds/windows/visualce/freetype.dsp,
builds/windows/visualce/freetype.vcproj,
builds/windows/visualce/index.html,
builds/wince/vc2005-ce/freetype.vcproj,
builds/wince/vc2005-ce/index.html,
builds/wince/vc2008-ce/freetype.vcproj,
builds/wince/vc2008-ce/index.html: s/2.5.5/2.6/, s/255/26/.
* include/freetype/freetype.h (FREETYPE_MINOR): Set to 6.
(FREETYPE_PATCH): Set to 0.
* builds/unix/configure.raw (version_info): Set to 18:0:12.
* CMakeLists.txt (VERSION_MINOR): Set to 0.
(VERSION_PATCH): Set to 6.
* src/autofit/afmodule.c [!FT_MAKE_OPTION_SINGLE_OBJECT]: Add
declarations for dumping functions.
* src/truetype/ttinterp.c (TT_New_Context): Pacify compiler.
* builds/toplevel.mk: Use `freetype.mk's code to compute the version
string.
Don't include a zero patch level in version string.
* builds/freetype.mk: Remove code for computing the version string.

Problem reported by Grissiom <chaos.proton@gmail.com>; in
http://lists.nongnu.org/archive/html/freetype/2015-05/msg00013.html
there is an example code to trigger the bug.
* src/truetype/ttobjs.c (tt_size_init_bytecode): Free old `size'
data before allocating again. Bug most probably introduced four
years ago in version 2.4.3.