Currently `T42_Open_Face` eagerly allocates 12 bytes for the ttf header
data which it expects `t42_parse_sfnts` to fill out from /sfnts data.
However, there is no guarantee that `t42_parse_sfnts` will actually be
called while parsing the type42 data as the /sfnts array may be missing
or very short. This is also confusing behavior as it means
`T42_Open_Face` is tightly coupled to the implementation of the very
distant `t42_parse_sfnts` code which requires at least 12 bytes to
already be reserved in `face->ttf_data`.
`t42_parse_sfnts` itself eagerly updates `face->ttf_size` to track how
much space is reserved for ttf data instead of traking how much data has
actually been written into `face->ttf_data`. It will also act strangely
in the presense of multiple /sfnts arrays.
* src/type42/t42objs.c (T42_Open_Face): ensure `ttf_data` is initialized
to NULL. Free `ttf_data` on error.
* src/type42/t42parse.c (t42_parse_sfnts): delay setting `ttf_size` and
set it to the actual number of bytes read. Ensure `ttf_data` is freed
if there are multiple /sfnts arrays or there are any errors.
Really fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42773.
* src/sfnt/ttload.c (check_table_dir): Revert change.
* src/type42/t42.parse.c (t42_parse_sfnts): Don't use `FT_QREALLOC` but
`FT_REALLOC` for setting up `ttf_data` to avoid uninitialized memory access
while handling malformed TrueType fonts later on.
We no longer have to take care of the 8.3 file name limit; this
allows us (a) to introduce longer, meaningful file names, and (b) to
avoid macro names in `#include' lines altogether since some
compilers (most notably Visual C++) doesn't support this properly.
*/*: Replace
#include FOO_H
with
#include <freetype/foo.h>
or something similar. Also update the documentation.
Reported by Sender Ghost <lightside@gmx.com>.
* src/autofit/afcjk.c (af_cjk_hints_compute_edges): Catch a corner
case where `edge->first' could be NULL.
* src/pfr/pfrobjs.c (pfr_slot_load): Remove unnecessary test of
`size'.
* src/raster/ftraster.c (Draw_Sweep): Catch a corner case where
`draw_right' might be NULL.
* src/sfnt/ttmtx.c (tt_face_get_metrics): Fix limit test for
`aadvance'.
Ensure `abearing' always hold a meaningful result.
* src/truetype/ttgload.c (load_truetype_glyph): Ensure `subglyph' is
not NULL before accessing it.
* src/truetype/ttgxvar.c (TT_Set_Named_Instance): Remove unnecessary
test of `namedstyle'.
* src/type42/t42parse.c (t42_parser_done): Ensure
`parser->root.funcs.done' is not NULL before accessing it.
* src/base/ftcalc.c (FT_Matrix_Check): New base function to properly
reject degenerate font matrices.
* include/freetype/internal/ftcalc.h: Updated.
* src/cff/cffparse.c (cff_parse_font_matrix), src/cid/cidload.c
(cid_parse_font_matrix), src/type1/t1load.c (t1_parse_font_matrix),
src/type42/t42parse.c (t42_parse_font_matrix): Use
`FT_Matrix_Check'.
This monster commit was created by applying Nikhil's scripts
`docconverter.py' and `markify.py' to all C header and source files,
followed up by minor manual clean-up.
No change in functionality, of course.
I used commit f7419907bc6044b9b7057f9789866426c804ba82 from
https://github.com/nikramakrishnan/freetype-docs.git.
* src/type1/t1load.c (t1_parse_font_matrix): Scale units per EM only
when necessary. Refresh comments.
* src/cid/cidload.c (cid_parse_font_matrix): Ditto.
* src/type42/t42parse.c (t42_parse_font_matrix): Refresh comments.
We use a cast to indicate that we intentionally ignore a function's
return value. However, this doesn't apply to API functions where
errors can only happen for trivially invalid input.
* src/base/ftstroke.c (FT_Glyph_Stroke, FT_Glyph_StrokeBorder),
src/base/ftsynth.c (FT_GlyphSlot_Embolden), src/cff/cffgload.c
(cff_slot_load), src/pfr/pfrdrivr.c (pfr_get_kerning),
src/type1/t1load.c (parse_encoding), src/type42/t42parse.c
(t42_parse_encoding): Do it.
* src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'.
* src/type42/t42parse.c (t42_parse_sfnts): Always set
`face->ttf_size' directly. This ensures a correct stream size in
the call to `FT_Open_Face', which follows after parsing, even for
buggy input data.
Fix error messages.
* src/type1/t1load.c (t1_parse_font_matrix): Properly handle result
of `T1_ToFixedArray'.
* src/cid/cidload.c (cid_parse_font_matrix): Synchronize with
`t1_parse_font_matrix'.
* src/type42/t42parse.c (t42_parse_font_matrix): Synchronize with
`t1_parse_font_matrix'.
(t42_parse_encoding): Synchronize with `t1_parse_encoding'.
* src/psaux/psobjs.c (ps_parser_load_field) <T1_FIELD_TYPE_BBOX>,
<T1_FIELD_TYPE_MMOX>: Properly handle result of `ps_tofixedarray'.
Werner Lemberg