Jump instructions are now bound to the current function. The MS
Windows rasterizer behaves the same, as confirmed by Greg Hitchcock.
* src/truetype/ttinterp.h (TT_CallRec): Add `Cur_End' element.
* src/truetype/ttobjs.h (TT_DefRecord): Add `end' element.
* src/truetype/ttinterp.c (DO_JROT, DO_JMPR, DO_JROF): Check upper
bound of jump address.
(Ins_FDEF, Ins_CALL, Ins_LOOPCALL, Ins_UNKNOWN, TT_RunIns): Updated.
* src/truetype/interp.c: Set even more TT_Err_Invalid_Reference
error codes only if pedantic hinting is active. At the same time,
try to provide sane values which hopefully allow useful
continuation. Exception to this is CALL and LOOPCALL – due to
possible stack corruption it is necessary to bail out.
* src/truetype/ttinterp.c (TT_RunIns, Ins_FLIPPT, Ins_DELTAP,
Ins_DELTAC): Exit with error only if `pedantic_hinting' is set.
Otherwise, try to do something sane.
Thanks to Greg Hitchcock who explained the issue.
* src/truetype/ttinterp.c (Ins_MIRP): Replace a `>=' operator with
`>' since the description in the specification is incorrect.
This fixes, for example, glyph `two' in font `Helvetica Neue LT Com
65 medium' at 15ppem.
On LLP64 platforms (e.g. Win64), long (32-bit) cannot cover
the memory address (64-bit). Also the casts from the pointer
type to long int should be removed to preserve the address
correctly.
* src/raster/ftraster.c (New_Profile): Replace "%lx" by "%p".
(End_Profile) Ditto.
* src/truetype/ttinterp.c (Init_Context): Ditto.
* src/truetype/ttinterp.c (free_buffer_in_size): Don't duplicate
FT_GlyphZoneRec size->twilight to be freed. If duplicated,
FT_FREE() erases the duplicated pointers only and leave original
pointers. They can cause the double-free crash when the burst
errors occur in TrueType interpreter and free_buffer_in_size()
is invoked repeatedly. See Savannah bug #31040 for detail.
* src/truetype/ttinterp.c (TT_RunIns): Decrease the trace level
showing the error when the interpreter returns with an error,
from FT_TRACE7() to FT_TRACE1().
* src/truetype/ttinterp.c (free_buffer_in_size): New function to
free the buffer allocated during the interpretation of this glyph.
(TT_RunIns): Unset FT_Face->size->{cvt_ready,bytecode_ready} if
an error occurs in the bytecode interpretation. The interpretation
of invalid bytecode may break the function definitions and referring
them in later interpretation is danger. By unsetting these flags,
`fpgm' and `prep' tables are executed again in next interpretation.
Fix Savannah bug #30798, reported by Robert Swiecki.
* src/truetype/ttinterp.c (BOUNDSL): New macro.
Change `BOUNDS' to `BOUNDSL' where appropriate.
* src/truetype/ttinterp.h (TT_ExecContextRec): Fix type of
`cvtSize'.
Acroread does the same.
* src/truetype/ttgload.c (TT_Process_Composite_Glyph): Call
`Update_Max' to adjust size of instructions array if necessary and
add a rough safety check.
(load_truetype_glyph): Save `loader->byte_len' before recursive
call.
* src/truetype/ttinterp.h, src/truetype/ttinterp.c (Update_Max):
Declare it as FT_LOCAL.
* src/raster/ftraster.c (Render_Glyph, Render_Gray_Glyph,
Draw_Sweep): No-dropout mode is value 2, not value 0.
(Draw_Sweep): Really skip dropout handling for no-dropout mode.
Pass dropout rules from the TT bytecode interpreter to the
rasterizer; temporarily this is enabled only if
`USE_SCAN_CONVERSION_RULES' is defined.
* include/freetype/ftimage.h (FT_OUTLINE_SMART_DROPOUTS,
FT_OUTLINE_EXCLUDE_STUBS): New flags for for FT_Outline.
* src/raster/ftraster.c (Vertical_Sweep_Drop, Horizontal_Sweep_Drop,
Horizontal_Gray_Sweep_Drop): Use same mode numbers as given in the
OpenType specification.
Fix mode 4 computation.
(Render_Glyph, Render_Gray_Glyph): Handle new outline flags.
* src/truetype/ttgload.c (TT_Load_Glyph)
[USE_SCAN_CONVERSION_RULES]: Convert scan conversion mode to
FT_OUTLINE_XXX flags.
* src/truetype/ttinterp.c (Ins_SCANCTRL): Enable ppem check.
