Ensure that all driver functions use the signature of the service or driver.
This avoids pointer mismatches, which are technically undefined behaviour.
Recent compilers are more picky in catching them as part of Control Flow
Integrity tests.
Update cid_get_cid_from_glyph_index() to
return an error and CID=0 in the case that
the specified glyph index points to an invalid
entry.
cidgload.h (cid_compute_fd_and_offsets):
Declare new helper function to set the
fd_select and 2 offsets to access the glyph
description data.
cidgload.c (cid_compute_fd_and_offsets):
Move the part loading fd_select and 2 offsets
from cid_load_glyph() to here. If the loaded
parameters are broken, return the Invalid_Offset
error. This function does not load the glyph
data, only fills these parameters.
(cid_load_glyph): Use new helper function in above.
cidriver.c (cid_get_cid_from_glyph_index):
Check whether the requested glyph index points
to a valid entry, by calling cid_compute_fd_and_offsets().
If it is valid, fill the cid by the glyph
index (=CID). If it is invalid, return an
error and fill the cid by 0.
The t1cid driver catches 3 types of errors in
the charstrings retrieval;
A) The invalid FD number, there are 2 subtypes;
A-1) FD number is the maximum number fitting to FDBytes.
A-2) FD number is greater than num_dicts.
B) Declared length is overrunning.
C) Declared length is invalid (its end is before its head).
Considering that some widely distributed fonts
(e.g., "CJKV" book by O'Reilly) have A-1 errors
in the unimplemented glyphs, the trace level for
A-1 is calmed to level 1.
The errors A-2, B, and C would be irregular;
their trace levels are kept at level 0, but
the updated trace messages include the CID number.
Technically, `strtol` can only be used with C strings terminated with
`\0`. CID data is not generally null-terminated and often does not
contain a `\0` if it is hex-encoded. AddressSanitizer with `ASAN_OPTIONS`
containing `strict_string_checks=1` verifies this by using an adversarial
`strtol` that always reads to the terminating `\0`.
To avoid undefined behavior from `strtol` in `cid_parser_new`, use the
parser to parse the tokens instead of attempting to parse them ad-hoc.
This will internally use `PS_Conv_Strtol` to parse the integer, which
respects the parser's limits and directly implements the PostScript
parsing rules for integers.
* src/cid/cidparse.c (cid_parser_new): Use the parser to parse the
tokens.
Fixes: https://bugs.chromium.org/p/chromium/issues/detail?id=1420329
This is mainly for better diagnostics of malformed fonts.
* src/bdf/bdflib.c (_bfd_readstream): Stop font format testing if the first
input line is too long or doesn't end with `\r` or `\n`.
* src/cid/cidparse.c (cid_parser_new): Don't handle too short input as an
error but as an unknown format.
* src/pfr/pfrobjs.c (pfr_face_init): Ditto.
* src/winfonts/winfnt.c (fnt_font_load, fnt_face_get_dll_font): Ditto.
Add argument to return the actual number of bytes that were decoded.
The actual number of bytes decoded can be quite variable depending
on the number of ignored 'whitespace' bytes or early termination
with `>`.
(cid_face_open): Updated to use this calculated value. This avoids
trusting `parser->binary_length` is always be correct and reading
uninitialized bits if fewer are actually decoded.
First reported as
https://crbug.com/1203240
This ensures good logging output, with all lines having a proper
prefix (if requested).
This is a continuation of a similar patch from 2020-12-02, which
missed some locations.
* src/cff/cffobjs.c (cff_slot_done), src/cid/cidobjs.c
(cid_slot_done): If `ft_glyphslot_init' fails to allocate
`internal', then the class' `done_slot' callback (called by
`ft_glyphslot_done') must not dereference the pointer to `internal'.
We no longer have to take care of the 8.3 file name limit; this
allows us (a) to introduce longer, meaningful file names, and (b) to
avoid macro names in `#include' lines altogether since some
compilers (most notably Visual C++) doesn't support this properly.
*/*: Replace
#include FOO_H
with
#include <freetype/foo.h>
or something similar. Also update the documentation.
These have not been used in a very, very long time, so better remove
them. A corresponding patch will be submitted to the
`freetype2-demos' repository.
* src/Jamfile, src/*/Jamfile, Jamrules: Delete.
This change should allow Freetype to work on WASM/Emscripten without
needing `-s EMULATE_FUNCTION_POINTER_CASTS=1'.
* src/autofit/afdummy.c (af_dummy_hints_apply): Fix signature.
* src/cid/cidload.c (cid_parse_font_matrix, parse_fd_array,
parse_expansion_factor, parse_font_name): Return `void', not
`FT_Error'.
* include/freetype/internal/ftobjs.h (FT_CMap_CharVarIsDefaultFunc):
Fix signature.
Before this commit we had code like
(FT_Bool)( globals->glyph_styles[gindex] & 0x8000)
Since `FT_Bool' is defined to be an `unsigned char', the code
evaluated to something like
(unsigned char)( 0x8532 & 0x8000)
which in turn expanded to
(unsigned char)( 0x8000)
and finally yielded 0x00 – i.e., false – not as expected.
Problem reported and analyzed by Tony Smith <tony.smith@macro4.com>.
* include/freetype/fttypes.h (FT_BOOL): Add a comparison against
zero so that we always have a Boolean expression.
*/*: Replace castings to `FT_Bool' with calls to `FT_BOOL' where
possible.
* src/cid/cidload.c: Include FT_INTERNAL_POSTSCRIPT_AUX_H
(cid_load_keyword, cid_parse_font_matrix, parse_fd_array,
parse_expansion_factor, cid_parse_dict): Add tracing calls.
(parse_font_name): New function to trace `/FontName' keywords in
/FDArray dict.
(cid_field_records): Register `parse_font_name'.
This code is taken from the type1 module.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9510
* src/cid/cidload.c (parse_fd_array): Set some private dict default
values.
(cid_face_open): Do the sanitizing.
Fix some tracing messages.
* src/base/ftcalc.c (FT_Matrix_Check): New base function to properly
reject degenerate font matrices.
* include/freetype/internal/ftcalc.h: Updated.
* src/cff/cffparse.c (cff_parse_font_matrix), src/cid/cidload.c
(cid_parse_font_matrix), src/type1/t1load.c (t1_parse_font_matrix),
src/type42/t42parse.c (t42_parse_font_matrix): Use
`FT_Matrix_Check'.
This monster commit was created by applying Nikhil's scripts
`docconverter.py' and `markify.py' to all C header and source files,
followed up by minor manual clean-up.
No change in functionality, of course.
I used commit f7419907bc6044b9b7057f9789866426c804ba82 from
https://github.com/nikramakrishnan/freetype-docs.git.
*/* [FT_CONFIG_OPTION_PIC]: Remove all code guarded by this
preprocessor symbol.
*/*: Replace `XXX_GET' macros (which could be either a function in
PIC mode or an array in non-PIC mode) with `xxx' arrays.
* include/freetype/internal/ftpic.h, src/autofit/afpic.c,
src/autofit/afpic.h, src/base/basepic.c, src/base/basepic.h,
src/base/ftpic.c, src/cff/cffpic.c, src/cff/cffpic.h,
src/pshinter/pshpic.c, src/pshinter/pshpic.h, src/psnames/pspic.c,
src/psnames/pspic.h, src/raster/rastpic.c, src/raster/rastpic.h,
src/sfnt/sfntpic.c, src/sfnt/sfntpic.h, src/smooth/ftspic.c,
src/smooth/ftspic.h, src/truetype/ttpic.c, src/truetype/ttpic.h:
Removed.
