Problem reported by Marek Kašík <mkasik@redhat.com>.
The problematic font that exceeds the old limit is Padauk-Bold,
version 3.002, containing bytecode generated by a buggy version of
ttfautohint.
* src/truetype/ttobs.h (TT_SizeRec): Add field `hinted_metrics' to
hold hinted metrics.
Make `metrics' a pointer so that `tt_glyph_load' can easily switch
between metrics.
* src/truetype/ttdriver.c (tt_size_request): Updated.
(tt_glyph_load): Use top-level metrics if FT_LOAD_NO_HINTING is
used.
* src/truetype/ttgload.c (TT_Hint_Glyph, TT_Process_Simple_Glyph,
TT_Process_Composite_Component, load_truetype_glyph,
compute_glyph_metrics, TT_Load_Glyph): Updated.
* src/truetype/ttinterp.c (TT_Load_Context): Updated.
* src/truetype/ttobjs.c (tt_size_reset): Updated.
* src/truetype/ttsubpix.c (sph_set_tweaks): Updated.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=981
* include/freetype/fterrdef.h (FT_Err_DEF_In_Glyf_Bytecode): New
error code.
* src/truetype/ttinterp.c (Ins_FDEF, Ins_IDEF): Prohibit execution
of these two opcodes in `glyf' bytecode.
(TT_RunIns): Don't enforce reexecution of `fpgm' and `prep' bytecode
in case of error since function tables can no longer be modified
(due to the changes in `Ins_FDEF' and `Ins_IDEF'). This change can
enormously speed up handling of broken fonts.
* src/truetype/ttinterp.h (TT_ExecContextRec): Using `FT_ULong' for
loop counter handling.
* src/truetype/ttinterp.c: Updated.
(Ins_SCANTYPE): Use signed constant.
(TT_RunIns): Ensure `num_twilight_points' is 16bit.
This speeds up FreeType's handling of malformed fonts.
* src/truetype/ttinterp.c (TT_RunIns): Set up limits for the number
of twilight points, the total number of negative jumps, and the
total number of loops in LOOPCALL opcodes. The values are based on
the number of points and entries in the CVT table.
(Ins_JMPR): Test negative jump counter.
(Ins_LOOPCALL): Test loopcall counter.
* src/truetype/ttinterp.h (TT_ExecContext): Updated.
* docs/CHANGES: Updated.
To match the logic in FDEF. The value of the end is only used for
bound-checking in `Ins_JMPR', so it may not have been obvious that
it was not recorded. Tested (as part of Font Validator 2.0) all the
fonts on Fedora and did not see any change.
* src/truetype/ttinterp.c (Ins_IDEF): Updated.
GETDATA[], opcode 0x92
bytecode instruction. It always returns 17, and we have absolutely
no idea what it is good for...
* src/truetype/ttinterp.c (Pop_Push_Count, opcode_name): Updated.
(Ins_GETDATA): New function.
(TT_RunIns): Add it.
This commit implements undocumented (but confirmed) stuff from
Apple's old bytecode engine.
GETVARIATION[], opcode 0x91
This opcode pushes normalized variation coordinates for all axes
onto the stack (in 2.14 format). Coordinate of first axis gets
pushed first.
GETINFO[], selector bit 3
If GX variation support is enabled, bit 10 of the result is set
to 1.
* src/truetype/ttinterp.c: Include FT_MULTIPLE_MASTERS_H.
(opcode_name) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Updated.
(Ins_GETINFO) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Handle selector
bit 3, checking support for variation glyph hinting.
(Ins_GETVARIATION) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: New function
to implement opcode 0x91.
(TT_RunIns) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Handle opcode 0x91.
* src/truetype/ttinterp.c (Ins_SHPIX): Allow SHPIX to move points in
the twilight zone. Otherwise, treat SHPIX the same as DELTAP.
Unbreaks various fonts such as older versions of Rokkitt and DTL
Argo T Light that would glitch severly after calling ALIGNRP after a
blocked SHPIX.
=======================
Tag sources with `VER-2-6'.
* docs/VERSION.DLL: Update documentation and bump version number to
2.6.
* README, Jamfile (RefDoc), builds/windows/vc2005/freetype.vcproj,
builds/windows/vc2005/index.html,
builds/windows/vc2008/freetype.vcproj,
builds/windows/vc2008/index.html,
builds/windows/vc2010/freetype.vcxproj,
builds/windows/vc2010/index.html,
builds/windows/visualc/freetype.dsp,
builds/windows/visualc/freetype.vcproj,
builds/windows/visualc/index.html,
builds/windows/visualce/freetype.dsp,
builds/windows/visualce/freetype.vcproj,
builds/windows/visualce/index.html,
builds/wince/vc2005-ce/freetype.vcproj,
builds/wince/vc2005-ce/index.html,
builds/wince/vc2008-ce/freetype.vcproj,
builds/wince/vc2008-ce/index.html: s/2.5.5/2.6/, s/255/26/.
* include/freetype/freetype.h (FREETYPE_MINOR): Set to 6.
(FREETYPE_PATCH): Set to 0.
* builds/unix/configure.raw (version_info): Set to 18:0:12.
* CMakeLists.txt (VERSION_MINOR): Set to 0.
(VERSION_PATCH): Set to 6.
* src/autofit/afmodule.c [!FT_MAKE_OPTION_SINGLE_OBJECT]: Add
declarations for dumping functions.
* src/truetype/ttinterp.c (TT_New_Context): Pacify compiler.
* builds/toplevel.mk: Use `freetype.mk's code to compute the version
string.
Don't include a zero patch level in version string.
* builds/freetype.mk: Remove code for computing the version string.
* src/truetype/ttinterp.c: Change all existing TRACE7 calls to
TRACE6.
(opcode_name): Add string lengths.
(TT_RunIns): Implement display of code position and stack.
* src/truetype/ttgload.c, src/truetype/ttinterp.c: Guard new code
with `TT_CONFIG_OPTION_SUBPIXEL_HINTING'.
Problem reported by Nikolaus Waxweiler <madigens@gmail.com>.
