A font has surfaced with `post` version 1.0 and fewer than 258 glyphs.
Its glyphs did not correspond to their names. We now reject such `post`
strictly following specifications.
* src/sfnt/ttpost.c (tt_face_get_ps_name): Check the number of glyphs
for version 1.0.
Reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=1505216
* src/sfnt/ttcolr.c (find_base_glyph_v1_record): Guard access of the search
pointer during binary search. The pointer needs to be checked as we go as
the test that compares number of v1 glyphs with table size at the time of
loading the table is not sufficient on its own.
A scenario is possible in which the `BaseGlyphRecord` list extends into
non-`BaseGlyphRecord` parts of the 'COLR' v1 table (but passed the size
comparison check). Then, at those locations, invalid glyph ID values are
read and may provoke an invalid read due to reassigning min and max values
during the binary search.
This is a follow-up to commit 26a7f047,
[cff] Make blend operator work with floats in private dicts.
which addressed the 'party baseline' bug. However, the reporting user
indicated that the default location and some other points in design space
rendered OK, but other points in design space still had problems. The most
obvious issue being that the x-heights of lower-case letters did not align;
see
https://github.com/adobe-fonts/source-serif/issues/121#issuecomment-1773794136
After some analysis we determined that this was due to an interaction
between `BlueValue` rounding and the zone-based algorithm. In short, for a
point to be considered in a zone it must fall within the bounds of the zone.
(There is a slop factor in some cases, but only a very small one.) In the
Adobe-contributed side of the code, point values are not integer-rounded,
instead they're kept as (some form of) fixed. Rounding just the `BlueValues`
means that points that need to be considered within a zone will fall outside
of it at some points in design space.
The majority of this patch changes the storage and parsing of `BlueValues`
to keep them as `FT_Fixed`. No significant code changes were needed because
the values are converted to `Fixed` anyway when stored in `CF_BlueRec`. No
attempt was made to address problems in the older pshinter code beyond
converting the values from `FT_Fixed` to `FT_Short` when copying the private
dictionary. (However, as the point values are also rounded in that code,
the problem is much less likely to occur, although inconsistency between
rounding and truncation could cause an analogous problem.)
* include/freetype/internal/cfftypes.h (CFF_PrivateRec): Use `FT_Fixed` for
`blue_values`, `other_blues`, `family_blues`, and `family_other_blues`.
* src/cff/cffload.c (cff_blend_doBlend): Updated.
* src/cff/cffobjs.c (CFF_fixedToInt): New macro.
(cff_make_private_dict): Use it.
* src/cff/cffparse.h (cff_kind_delta_fixed): New enum value.
* src/cff/cffparse.c (do_fixed): Updated.
(CFF_FIELD_DELTA, CFF_FIELD_DELTA_FIXED, CFF_DELTA_KIND): New set of macros,
replacing `CFF_FIELD_DELTA`.
(cff_parser_run): Updated to handle fixed-float deltas.
* src/cff/cfftoken.h: Updated to use `CFF_FIELD_DELTA_FIXED` for blue
values.
* src/psaux/psblues.c (cf2_blueToFixed): Removed, no longer needed.
(cf2_blues_init): Updated.
* src/pxaux/psft.c, src/pxaux/psft.h (cf2_getBlueValues, cf2_getOtherBlues,
cf2_getFamilyBlues, cf2_getFamilyOtherBlues): Updated signatures.
* src/psaux/psobjs.c (t1_make_subfont): Updated.
While it is recommended to have an explicit point at each curve
extrema, they might be missing or outline could be rotated. This
leads to excessive bisections in raster to find them. This change
helps to decrease the number of bisections. The scanline
intersections remain monotonous, of course.
* src/raster/ftraster.c (Conic_To, Cubic_To): Check that control
points cross the scanlines to bisect.
This reduces the code duplication.
* src/raster/ftraster.c (Function_Sweep_Span): Change signature.
(Vertical_Sweep_Drop, Horizontal_Sweep_Drop): Focus on pixel setting
and move duplicated the dropout control logic to...
(Draw_Sweep): ... this function and refactor.
(Vertical_Sweep_Span, Horizontal_Sweep_Span): Minor.
This results in noticeable performance improvement.
* src/raster/ftraster.c (Insert_Y_Turns): All bottom y-turns are still
sorted and stored; only the maximum top y-turn is recorded now. The
function is renamed.
(End_Profile): Updated accordingly.
(Convert_Glyph): Reserve space for the top value.
* src/raster/ftraster.c (black_TWorker): Remove the fresh flag.
(New_Profile): Set the starting scanline here based on the current
coordinate and initialize the joint crossing if necessary.
(Line_Up, Bezier_Up): Do not deal with fresh and joint starts at all.
(Line_Down, Bezier_Down): Simplify.
(Conic_To, Cubic_To): Update the current coordinate after each
subsection.
* src/raster/ftraster.c (Line_Up, Bezier_Up): Deal with the scanline
joints directly based on the initial y-coordinate.
(New_Profile, black_TWorker): Remove the boolean flag.
* src/raster/ftraster.c (black_TWorker): Store signed maximum indexes
in both directions instead of unsigned dimensions of the original bitmap.
(*_Sweep_*, Render_Glyph, ft_black_render): Updated all users.
* src/raster/ftraster.c (TProfile): Get rid of `countL`.
(Draw_Sweep): Use `start` for countdown to activation.
(Horizontal_Sweep_Drop, Vertical_Sweep_Drop): Rely on `height` and
`offset` to verify profile ends for the stub detection.
* src/raster/ftraster.c (s/Sort/Increment): Rename this function to
reflect its true purpose, delete exhausted profiles here...
(Draw_Sweep): ... instead of here.
While curving close to a pixel center, vertical and horizontal pass
might split the curve differently and cause a rare dropout. This
makes the split condition invariant of the sweep direction and more
robust.
* src/raster/ftraster.c (Bezier_Up): Modify the split condition.
The jitter exception used to be applied when two neighboring pixels
were barely inside the outline. One the left one was turned on then,
which contradicts the OpenType specifications. Intended to remove
glitches, it caused disappearing lines and was softened by adding an
exception to the exception (#54589).
* src/raster/ftraster.c (Vertical_Sweep_Span): Drop the jitter exception.
* src/raster/ftraster.c (Draw_Sweep): Use y-turns to set the range,
correctly set the initial position, directly loop through y_turns,
and remove a 5-gray remnant at exit.
This is mostly cosmetic and removes a few casts, plus Short is
promoted to Int in calculations anyway.
* src/raster/ftraster.c (Vertical_Sweep_Init, Vertical_Sweep_Span,
Vertical_Sweep_Drop, Horizontal_Sweep_Init, Horizontal_Sweep_Span,
Horizontal_Sweep_Drop, Draw_Sweep): Mostly s/Short/Int/ and remove
casting.
This only helps to delay the pool overflow and bisections to larger
sizes and benefits only very intricate glyphs at reasonable sizes.
* src/raster/ftraster.c (TProfile): Use Int instead of Long or PLong
when it is sufficient.
(New_Profile, End_Profuile, Bezier_Up, Sort): Updated accordingly.
* src/raster/ftraster.c (TProfile): Include the variable array member
and repackage with pointers first.
(New_Profile): Advance the top using the variable array pointer.
These ancient builtins have been supported by clang since 2013. We
condition it somewhat stricter but still around 2017. This is more
portable than `__has_builtin`. Fixes#1260.
* src/raster/ftraster.c (New_Profile): Set important fields only and
delay setting `gProfile` until...
(End_Profile): ... it is checked to be valid here.
(Convert_Glyph): Updated.
This fixes a subtle bug when the last profile in a contour was not
properly short-circuited if it was still empty at `End_Profile`.
We finalize all linking in `Finalize_Profile_List` now and do nothing
else there. The turns are added in `End_Profile`.
* src/raster/ftraster.c (Insert_Y_Turn): Moved up unchanged.
(End_Profile): Take care of turns but set only preliminary linking.
(Finalize_Profile_Table): Take care of linking and null-termination.
(Convert_Glyph): Adjusted accordingly.
* src/raster/ftraster.c (End_Profile): Do not initiate next profile.
(New_Profile): Fully initiate new profile.
(Convert_Glyph): Clean up variables, initialize `fProfile` here.
The general square root calculations are not necessary in FreeType.
For vector normalization or length, FreeType uses special functions.
It is, however, required in the legacy CFF specifications.
* src/base/ftcalc.c (FT_SqrtFixed): New function that uses either
Babylonian or bit-wise algorithm, whichever is faster for the given
situation.
* include/freetype/internal/ftcalc.h (FT_SqrtFixed): Declare it.
When matching the keywords, we avoid calculating their lengths by
checking the stored values. This itself is a sufficient pre-check
before diving into `memcmp`. Therefore, we remove explicit check of
the first characters.
* include/freetype/internal/psaux.h (T1_FieldRec): Store length.
* src/cid/cidload.c (cid_parse_dict): Use `memcmp` and stored length.
* src/type1/t1load.c (parse_dict): Ditto.
* src/type42/t42parse.c (t42_parse_dict): Ditto.
* src/cff/cffobjs.c (remove_style): Rewrite using pointers.
(remove_subset_prefix): Unwrap loop and use `memmove`.
* src/truetype/ttobjs.c (tt_skip_pdffont_random_tag): Unwrap loop
and avoid `strlen`.
This also reduces the used heap size by a large factor.
From Behdad.
* src/autofit/afcjk.h (AF_CJKAxisRec): Use `AF_BLUE_STRINGSET_MAX_LEN`.
* src/autofit/aflatin.h (AF_LatinAxisRec): Ditto.
==========================
Tag sources with `VER-2-13-2'.
* docs/VERSION.TXT: Add entry for version 2.13.2.
* docs/CHANGES: Updated.
* docs/release, docs/README, builds/macs/README: Updated.
* README, src/base/ftver.rc, builds/windows/vc2010/index.html,
builds/windows/visualc/index.html, builds/windows/visualce/index.html,
builds/wince/vc2005-ce/index.html, builds/wince/vc2008-ce/index.html,
docs/freetype-config.1: s/2.13.1/2.13.2/, s/2131/2132/.
* include/freetype/freetype.h (FREETYPE_PATCH): Set to 2.
* builds/unix/configure.raw (version_info): Set to 26:1:20.
* CMakeLists.txt (VERSION_PATCH): Set to 2.
`FT_NEW_ARRAY(p, 0)` sets `p` to `NULL`. `FT_Stream_ReadAt` with a
memory based stream uses `FT_MEM_COPY` which is `memcpy` which specifies
that it is undefined behavior for either the `src` or `dst` to be
`NULL`. Instead of forcing all callers work around calling
`FT_Stream_Read` when `buffer == NULL && count == 0` do the check in
`FT_StreamRead`. This allows any call with `count == 0` to succesfully
read zero bytes without UB.
* src/base/ftstream.c (FT_Stream_ReadAt): skip `FT_MEM_COPY` when
`count == 0`. (FT_Stream_TryRead): ditto
Fixes: #1250
The values read into `base_glyphs_offset_v1` and `layer_offset_v1` may
be in the range 0xFFFFFFFD-0xFFFFFFFF. On systems where `unsigned long`
is 32 bits adding 4 to such values will wrap and pass bounds checks but
accessing values at such offsets will be out of bounds.
On the other hand `table_size` has already been tested to be at least
`COLRV1_HEADER_SIZE` (34) so it is safe to subtract 4 from it.
* src/sfnt/ttcolr.c (tt_face_load_colr): subtract 4 from `table_size`
instead of adding 4 to font data offsets in bounds checks
Fixes: https://crbug.com/1469348
This is a fix for commit 85167dbd5, reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60615
* src/sfnt/sfwoff2.c (MAX_SFNT_SIZE): New macro.
(woff2_open_font): Use it to limit the maximum size of an uncompressed WOFF2
font.
