* src/pshinter/pshrec.c (ps_hint_table_ensure): Remove redundant size
check; avoid array zeroing because it is fully initialized when used.
(ps_hint_table_alloc): Fix off-by-one comparison and remove another
zeroing of the array elements.
The old impleemntation was not using `FT_REALLOC`, buing too careful
with the offset rebasing. It shoudl be safe to rely on the base
movements.
* src/psaux/psobjs.c (reallocate_t1_table, shift_elements): Combine
into...
(ps_table_realloc): ... this function based on `FT_REALLOC`.
(ps_table_done): Simplified.
(ps_table_add): Updated.
* src/base/ftrfork.c (raccess_make_file_name): Do not set error.
* src/sfnt/sfdriver.c (get_win_string, get_apple_string): Ditto.
* src/cff/cffobjs.c (cff_strcpy): Do not confuse about error.
* src/psaux/psobjs.c (ps_table_done): Ditto.
* src/truetype/ttgxvar.c (ft_var_readpacked*, ft_var_load_avar): Ditto.
Function `map_fixed_to_sdf` expects spread to be absolute
and not squared.
* src/sdf/ftbsdf.c (finalize_sdf): Pass absolute spread
while `map_fixed_to_sdf`.
* src/sdf/ftsdf.c (sdf_generate_bounding_box): Ditto.
* src/sfnt/ttsvg.c (SVG_TABLE_HEADER_SIZE, SVG_DOCUMENT_RECORD_SIZE,
SVG_DOCUMENT_LIST_MINIMUM_SIZE, SVG_MINIMUM_SIZE): New macros.
(tt_face_load_svg): Check offsets.
Check table and record sizes.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43918
* include/freetype/config/ftheader.h (FT_OTSVG_H): New macro.
* include/freetype/freetype.h (FT_FACE_FLAG_SVG, FT_HAS_SVG): New macros.
(FT_LOAD_SVG_ONLY): New internal macro.
* include/freetype/ftimage.h (FT_Glyph_Format): New enumeration value
`FT_GLYPH_FORMAT_SVG`.
* include/freetype/internal/ftobjs.h (FT_GLYPH_OWN_GZIP_SVG): New macro.
* include/freetype/internal/fttrace.h: Add `ttsvg` for `ttsvg.c`.
* include/freetype/internal/sfnt.h(load_svg, free_svg, load_svg_doc): New
functions.
* include/freetype/internal/tttypes.h (TT_FaceRec): Add `svg` for
the SVG table.
* include/freetype/otsvg.h (FT_SVG_DocumentRec): New structure to hold the
SVG document and other necessary information of an OT-SVG glyph in a glyph
slot.
* include/freetype/tttags.h (TTAG_SVG): New macro.
* src/base/ftobjs.c: Include `otsvg.h`.
(ft_glyphslot_init): Allocate `FT_SVG_DocumentRec` in `slot->other`
if the SVG table exists.
(ft_glyphslot_clear): Free it upon clean-up if it is a GZIP compressed
glyph.
(ft_glyphslot_done): Free the document data if it is a GZIP compressed
glyph.
(FT_Load_Glyph): Don't auto-hint SVG documents.
* src/cache/ftcbasic.c (ftc_basic_family_load_glyph): Add support for
FT_GLYPH_FORMAT_SVG.
* src/sfnt/rules.mk (SFNT_DRV_SRC): Add `ttsvg.c`.
* src/sfnt/sfdriver.c: Include `ttsvg.h`.
(sfnt_interface): Add `tt_face_load_svg`, `tt_face_free_svg` and
`tt_face_load_svg_doc`.
* src/sfnt/sfnt.c: Include `ttsvg.c`.
* src/sfnt/sfobjs.c (sfnt_load_face, sfnt_done_face): Add code to load and
free data of the the SVG table.
* src/sfnt/ttsvg.c: New file, implementing `tt_face_load_svg`,
`tt_face_free_svg` and `tt_face_load_svg_doc`.
* src/sfnt/ttsvg.h: Declarations of the SVG functions in
`ttsvg.c`.
It might be surprising that FreeType does not have default ppem and
the size has to be set explicitly or face undefined behavior with
undefined variables and errors. This offers an alternative to
missing or zero scale by simply setting FT_LOAD_NO_SCALE. Defined
behavior is bettr than undefined one.
This is alternative to !132 and discussed in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43708
* src/base/ftobjs.c (FT_Load_Glyph): Deal with zero scale.
* include/freetype/freetype.h: Document it.
The `normal_top.count` may be 0, implying no `normal_top.zones` exist.
The code must not access these (non-existent) `normal_top.zones`.
* src/pshinter/pshalgo.c (ps_hints_apply): Do not assume that
`normal_top.zones[0]` is initialized. Test `normal_top.count`
before using `normal_top.zones[0]`. Do not rescale if there are no
`zones`.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43675
According to the bzip documentation it is undefined what will happen if
`BZ2_bzDecompress` is called on a `bz_stream` it has previously returned an
error against. If `BZ2_bzDecompress` returns anything other than `BZ_OK`
the only valid next action is `BZ2_bzDecompressEnd`.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43564
* src/bzip2/ftbzip2.c (FT_BZip2FileRec_): Add `reset` to track the need to
reset the stream.
(ft_bzip2_file_init): Initialize `reset` to 0.
(ft_bzip2_file_reset): Set `reset` to 0 after resetting.
(ft_bzip2_file_fill_output): Set `reset` to 1 when `BZ2_bzDecompress`
returns anything other than `BZ_OK`.
This reverts commit d276bcb7f0c02c20d3585b2e5626702df6d140a6.
The original commit did avoid the use of uninitialized memory. However,
it appears that the original commit is no longer required. The
underlying issue was resolved by a change in freetype2-testing "Build
bzip2 correctly." [0]. Prior to [0] bzip2 was built without msan, so
bzip2 writes were not tracked or considered initialized. Clearing
`buffer` in the original commit allowed msan to see the `buffer` content
initialized once in FreeType code, but msan saw no writes into buffer
from bzip2. With bzip2 now built with msan, the bzip2 writes are
properly instrumented and msan sees the bzip2 writes into the buffer. As
a result the original commit can be safely reverted to allow for better
detection of other uninitialized data scenarios.
* src/bzip2/ftbzip2.c (FT_Stream_OpenBzip2): Revert to using `FT_QNEW`.
[0] 3c052a837a
Currently `T42_Open_Face` eagerly allocates 12 bytes for the ttf header
data which it expects `t42_parse_sfnts` to fill out from /sfnts data.
However, there is no guarantee that `t42_parse_sfnts` will actually be
called while parsing the type42 data as the /sfnts array may be missing
or very short. This is also confusing behavior as it means
`T42_Open_Face` is tightly coupled to the implementation of the very
distant `t42_parse_sfnts` code which requires at least 12 bytes to
already be reserved in `face->ttf_data`.
`t42_parse_sfnts` itself eagerly updates `face->ttf_size` to track how
much space is reserved for ttf data instead of traking how much data has
actually been written into `face->ttf_data`. It will also act strangely
in the presense of multiple /sfnts arrays.
* src/type42/t42objs.c (T42_Open_Face): ensure `ttf_data` is initialized
to NULL. Free `ttf_data` on error.
* src/type42/t42parse.c (t42_parse_sfnts): delay setting `ttf_size` and
set it to the actual number of bytes read. Ensure `ttf_data` is freed
if there are multiple /sfnts arrays or there are any errors.
While using zlib in 'solo' mode (via the `Z_SOLO` macro), we actually
include some standard header files, making the typedef fail on systems where
the native `ptrdiff_t` type differs.
Fixes#1124.
* src/zlib/zutil.h: Comment out definition; it doesn't work on Windows.
* src/zlib/patches/freetype-zlib.diff: Updated.
We now first apply zlib's `zlib2ansi` script, then FreeType's patch file.
* src/gzip/README.freetype: Updated.
* patches/0001-zlib-Fix-zlib-sources-to-compile-for-FreeType.patch: Renamed
to...
* patches/freetype-zlib.diff: This.
Clean up description, then regenerate it as follows:
- Copy unmodified files from `zlib` repository.
- Run `zlib2ansi` script.
- Run `git diff -R > patches/freetype-zlib.diff.new`.
- Insert patch description of old diff file, then replace old diff with
new diff file.
This can be tested by building with the Unix development build
make setup devel
make
or by building the freetype-demos programs with
meson setup build -Dfreetype2:zlib=internal
meson compile -C out
and trying to run `ftview` with a `.pcf.gz` font file.
* src/gzip/ftgzip.c, src/gzip/rules.mk: Update for new zlib sources. Also
remove the temporary fix introduced in commit 6a431038 to work around the
fact that the internal sources were too old.
* src/gzip/README.freetype: New file describing the origin of the sources
and how they were modified.
* src/gzip/patches/*: Patch files applied to original sources.
* src/gzip/*: Updated zlib sources with the patch file(s) from
`src/gzip/patches/` applied, followed by a conversion with zlib's
`zlib2ansi` script.
* src/bzip2/ftbzip2.c (FT_Stream_OpenBzip2): Don't use `FT_QNEW` but
`FT_NEW` for setting up `zip` to avoid uninitialized memory access while
handling malformed PCF fonts later on.
Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42800
The 0-base index is equal to the number of previosly parsed entries.
It is an error to adjust it by one to get the number truncated by
a stream error. This is probably inconsequential because valid
entries are correctly accounted for.
* src/sfnt/ttload.c (check_table_dir): Do not adjust the truncated
number of tables.
Really fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42773.
* src/sfnt/ttload.c (check_table_dir): Revert change.
* src/type42/t42.parse.c (t42_parse_sfnts): Don't use `FT_QREALLOC` but
`FT_REALLOC` for setting up `ttf_data` to avoid uninitialized memory access
while handling malformed TrueType fonts later on.
When iterating over the cvt tuples and reading in the points it is necessary
to set all of `localpoints`, `points`, and `point_count` in all cases. The
existing code did not reset `localpoints` to `NULL` when there were no
private point numbers. If the previous tuple did have private point numbers
and set `localpoints` to `ALL_POINTS` this would not be cleared and the
wrong branch would be taken later, leading to possible heap buffer overflow.
* src/truetype/ttgxvar.c (tt_face_vary_cvt): Reset `localpoints` to `NULL`
when it isn't valid.
Fixes: https://crbug.com/1284742
* src/base/ftobjs.c (FT_Get_Paint): Operator has equivalent nested operands.
* src/bdf/bdflib.c (_bdf_add_property): Value stored to `fp` is never read.
* src/sdf/ftbsdf.c (bsdf_init_distance_map): Value stored to `pixel` is
never read.
* src/sdf/ftsdf.c (split_sdf_shape): Value stored to `error` is never read.
* src/truetype/ttobjs.h (TT_SizeRec): Add `widthp` for the hdmx
widths.
* src/truetype/ttobjs.c (tt_size_reset): Initialize `widthp` even
though it might never be used by the interpreter.
* src/truetype/ttgload.c (tt_loader_init): Avoid repeated searches
in the hdmx table.
This fixes fall-out from 7809007a5b88b15, where the composite
accents were no longer hinted.
* src/truetype/ttgload.c (ttloader_init): Move the IUP-called flag
initialization from here...
* src/truetype/ttinterp.c (TT_Run_Context): ... to here.
The `hdmx` table is supposed to be sorted by ppem size, which
enables binary search. We also drop the check for the sufficient
length of the record because it is now enforced when the table
is loaded.
* include/freetype/internal/tttypes.h (TT_FaceRec): Store the `hdmx`
record pointers sorted by ppem instead of ppem's themselves.
* src/truetype/ttpload.c (tt_face_load_hdmx): Prudently sort records.
(tt_face_get_device_metrics): Implement binary search to retrieve
advances.
This simply shortcuts the glyph loading if FT_LOAD_ADVANCE_ONLY
is specified by FT_Get_Advances and the `hdmx` data are located.
Particularly, the classic v35 interpreter or "verified" ClearType
fonts might see 100x speed up in retrieving the hdmx cache.
* src/truetype/ttgload.c (TT_Load_Glyph): Insert the shortcut.
The `hdmx` matching can be done before the glyph is loaded.
* include/freetype/internal/tttypes.h (TT_LoaderRec): Add a field.
* src/truetype/ttgload.c (compute_glyph_metrics): Relocate the `hdmx`
code from here...
(tt_loader_init): ... to here, before the glyph is loaded.
`TT_RunIns` is too busy to deal with subpixel flags. It is better
to set them in `tt_loader_init`, which is executed before each
glyph program.
* src/truetype/ttinterp.c (TT_RunIns): Move the flag setting from
here...
* src/truetype/ttgload.c (tt_loader_init): ... to here.
* src/truetype/ttinterp.c (Ins_INSTCTRL): Limit its global effects
to the CVT program and local effects to the glyph program.
This also fixes an Infinality buglet. The `ignore_x_mode` should be
locally unset by the glyph program.
In _bdf_readstream if the data contained no newline then the buffer
would continue to grow and uninitialized data read until either the
uninitialized data contained a newline or the buffer reached its
maxiumum size. The assumption was that the line was always too long and
the buffer had been filled, however this case can also happen when there
is not enough data to fill the buffer.
Correct this by properly setting the cursor to the end of the available
data, which may be different from the end of the buffer. This may still
result in one extra allocation, but only on malformed fonts.
* src/bdf/bdflib.c (_bfd_readstream): Correctly update cursor. Remove
unread set of `avail`.
Bug: https://lists.nongnu.org/archive/html/freetype-devel/2021-12/msg00001.html
==========================
Tag sources with `VER-2-11-1'.
* docs/VERSION.TXT: Add entry for version 2.11.1.
* docs/CHANGES, docs/release: Updated.
* README, src/base/ftver.rc, builds/windows/vc2010/index.html,
builds/windows/visualc/index.html, builds/windows/visualce/index.html,
builds/wince/vc2005-ce/index.html, builds/wince/vc2008-ce/index.html,
docs/freetype-config.1: s/2.11.0/2.11.1/, s/2110/2111/.
* include/freetype/freetype.h (FREETYPE_PATCH): Set to 1.
* builds/unix/configure.raw (version_info): Set to 24:1:18.
* CMakeLists.txt (VERSION_PATCH): Set to 1.
* builds/toplevel.mk (version_tag, CHANGELOG_SCRIPT): New variables.
(do-dist): Generate `ChangeLog` file with all commits since last release.
The `hdmx` table is optional and can be safely rejected without
an error if it does not follow specifications. The record size
must be equal to the number of glyphs + 2 + 32-bit padding.
* src/truetype/ttpload.c (tt_face_load_hdmx): Thoroughly check
the record size and improve tracing.
We really have to use double casts to avoid issues with C's and C++'s
signedness propagation rules in implicit casts.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41178https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41182
* include/freetype/config/public-macros.h (FT_STATIC_CAST,
FT_REINTERPRET_CAST): Modify macro to take two arguments.
Update all callers.
(FT_STATIC_BYTE_CAST): New macro.
* include/freetype/freetype.h (FT_ENC_TAG): Use `FT_STATIC_BYTE_CAST`.
* include/freetype/ftimage.h (FT_IMAGE_TAG): Ditto.
* include/freetype/fttypes.h (FT_MAKE_TAG): Ditto.
Use `FT_Tag` for casting.
* src/ftraster/ftmisc.h (FT_MAKE_TAG): Removed, no longer needed.
(FT_STATIC_BYTE_CAST): New macro.
* src/smooth/ftgrays.c (FT_STATIC_CAST): Replace with...
(FT_STATIC_BYTE_CAST): ... this.
Many FreeType clients use C++. However `g++ -Wold-style-cast` warns for
macros with C-style casts even for system header files; this also affects
directories included with `-isystem`. While this could be seen as a problem
with g++, the problem is more a philosophical one: Over the time, C and C++
diverged more and more, and some features of C are no longer the 'right'
solution in C++.
* include/freetype/config/public-macros.h (FT_STATIC_CAST,
FT_REINTERPRET_CAST): New macros.
* include/freetype/freetype.h (FT_ENC_TAG, FT_LOAD_TARGET_,
FT_LOAD_TARGET_MODE): Use `FT_STATIC_CAST`.
Correctly handle negative 'signed char' input.
* include/freetype/ftimage.h (FT_IMAGE_TAG): Ditto.
* include/freetype/fttypes.h (FT_MAKE_TAG, FT_BOOL): Ditto.
* include/freetype/ftmodapi.h (FT_FACE_DRIVER_NAME): Use
`FT_REINTERPRET_CAST`.
* src/smooth/ftgrays.c (FT_STATIC_CAST)[STANDALONE_]: New macro.
[!STANDALONE]: Include `FT_CONFIG_CONFIG_H`.
Fixes#1116.
* src/truetype/ttgxvar.c (ft_var_load_item_variation_store):
s/shortDeltaCount/wordDeltaCount/ (as done in the specification, too).
Recognize new format and reject it for now.
This is in preparation for implementing `DeltaSetIndexMap` format 1, which
is used by `COLR` v1 tables, and which allows 32bit indices.
https://docs.microsoft.com/en-us/typography/opentype/otspec190/delta/otvarcommonformats_delta.html
* src/truetype/ttgxvar.h (GX_DeltaSetIdxMapRec): Change type of `mapCount`
to `FT_ULong`.
* src/truetype/ttgxvar.c (ft_var_load_delta_set_index_mapping): Add argument
for passing the table size; update caller.
Implement new format.
Based on a patch from metarutaiga (MR !106). The gist of this commit is
that it doesn't make sense to support WOFF without compression (which would
be only possible in WOFF 1.0 anyway).
* src/sfnt/sfobjs.c (sfnt_open_font): Guard WOFF code with
`FT_CONFIG_OPTION_USE_ZLIB` block.
Guard WOFF2 code with `FT_CONFIG_OPTION_USE_BROTLI` block.
* src/sfnt/sfwoff.c, src/sfnt/sfwoff.h: Guard files with
`FT_CONFIG_OPTION_USE_ZLIB` blocks, not parts of the code.
* src/sfnt/sfwoff2.c, src/sfnt/sfwoff2.h, src/sfnt/woff2tags.c,
src/sfnt/woff2tags.h: Guard files with `FT_CONFIG_OPTION_USE_BROTLI` blocks,
not parts of the code.
Fixes#1111.
Based on a patch from metarutaiga (MR !106).
* src/truetype/ttobjs.c (tt_skip_pdffont_random_tag,
tt_check_trickyness_family, tt_synth_sfnt_checksum, tt_get_sfnt_checksum,
tt_check_trickyness_sfnt_ids, tt_check_trickyness): Put functions into a
`TT_USE_BYTECODE_INTERPRETER` block.
(tt_face_init): Put trickyness checks into a `TT_USE_BYTECODE_INTERPRETER`
block.
Fixes#1111.
DLG_STATIC is intended to disable Windows DLL linking attributes.
It does not hurt to define it explicitly when we wrap DLG code.
This fixes tons of LNK4286 and C4273 warnings from MSVC if we
forget to define DLG_STATIC as a compiler option.
* builds/windows/vc2010/freetype.vcxproj: Remove DLG_STATIC option.
* src/dlg/dlgwrap.c [FT_DEBUG_LOGGING]: Define DLG_STATIC.
* include/freetype/internal/ftdebug.h [FT_DEBUG_LOGGING]: Ditto.
The DLG wrapper needs to know if FT_DEBUG_LOGGING is defined in
`ftoption.h`. It does not need entire FreeType.
* src/dlg/dlgwrap.c: Include FT_CONFIG_OPTIONS_H directly.
* src/truetype/ttgxvar.c (ft_var_readpackeddeltas, ft_var_load_avar,
ft_var_load_item_variation_store, ft_var_load_gvar): Use FT_QNEW_ARRAY
if memory immediately initialized or discarded otherwise.
* src/truetype/ttgxvar (ft_var_readpackeddeltas): Don't expect the number of
bytes used to encode the deltas to be higher than the number of encoded
values. The specification allows a very compact encoding; for example, a
list of 200 zeros can be encoded with just a couple of bytes.
We now count the consumed bytes to make sure to not read more than expected.
* src/truetype/ttgxvar (tt_face_vary_cvt): Function
`ft_var_readpackedpoints`, when it returns `ALL_POINTS`, also sets
`point_count` to value 0. However, the CVAR code was incorrectly expecting
that `point_count` would be set to match the length of the CVT table.
In a Multiple Master font, the Blend dictionary must contain valid
Private, FontInfo, and FontBBox. The current code will error if any of
these are present and invalid, but will not error and will provide
uninitialized data if the Blend dictionary exists but does not contain
one of these entries. This change reverts to the older behavior of
treating any missing entries as containing all zero data and not
returning an error.
In the future it may be best to keep track of when these are actually
initialized and error if they are not.
* src/type1/t1load.c (t1_allocate_blend): Zero initiailize.
