The vstore->regionCount and vstore->dataCount were read directly
from the data. However, vstore->varRegionList and vstore->varData
would still contain uninitialized entries with uninitialized
pointers in the event of an error, leading to issues when attempting
to clean up.
Reportd as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40104
* src/cff/cffload.c (cff_vstore_load): Read the region and data counts
into locals and update the vstore counts immediately after each entry
becomes free-able.
Loops with unsigned decrement can be reliably stopped when the counter
wraps around after reaching zero.
* src/cff/cffload.c (cff_charset_compute_cids): Use unsigned counter.
* src/pshinter/pshalgo.c (psh_hint_table_activate_mask): Ditto.
* src/pshinter/pshrec.c (ps_mask_table_merge): Ditto.
This ensures good logging output, with all lines having a proper
prefix (if requested).
This is a continuation of a similar patch from 2020-12-02, which
missed some locations.
Towards the end of the the function there is a call to
`FT_Outline_Get_CBox` that retrieves the glyph bbox in scaled units.
That sets `horiBearing{X,Y}` and `vertBearingX` but `vertBearingY`
is left alone, and is not scaled.
Patch from Eric Muller <emuller@amazon.com>.
* include/freetype/internal/autohint.h
(FT_DECLARE_AUTOHINTER_INTERFACE): New macro.
* src/autofit/afmodule.h: Use it to declare
`af_autofitter_interface'.
* include/freetype/internal/ftobjs.h (FT_DECLARE_GLYPH): New macro.
* src/base/ftbase.h: Use it to declare `ft_bitmap_glyph_class' and
`ft_outline_glyph_class'.
* src/base/ftglyph.c: Include `ftbase.h'.
* src/cff/cffparse.c (cff_parser_run): Fix type of `t2_size'.
* src/pcf/pcfdrivr.c (pcf_cmap_char_next): Fix type of `result'.
* src/psaux/psauxmod.c (psaux_module_class): Use `FT_DEFINE_MODULE'.
* src/psaux/psauxmod.h: Declare `afm_parser_funcs',
`t1_cmap_classes', `cff_decoder_funcs', and `psaux_module_class'.
* src/pshinter/pshmod.c: Include `pshmod.h'.
* src/sfnt/sfwoff2.c (ROUND4, WRITE_SHORT): Fix implicit sign
conversion.
(compute_ULong_sum): Fix return type.
Fix implicit sign conversion.
(store_points): Fix type of `last_flag', `repeat_count', and `flag'.
Use casts to avoid warnings.
(reconstruct_glyf): Fix implicit sign conversion.
Use cast to avoid warning.
(get_x_mins): Fix implicit sign conversion.
* src/sfnt/ttcmap.c: Undef `TTCMAPCITEM'.
* src/sfnt/ttcmap.h: Define `TTCMAPCITEM' and include `ttcmapc.h' to
declare cmap classes.
* src/smooth/ftsmooth.c (ft_smooth_overlap_spans): Use cast.
* src/truetype/ttinterp.c (Ins_MIAP): Fix typo.
* src/cff/cffobjs.c (cff_face_init): If a call to `cff_strcpy' fails
by returning NULL in `cff_face_init', `remove_style' is still
called. This means that the NULL pointer is dereferenced, causing a
crash.
* src/cff/cffobjs.c (cff_size_init): If a call to `funcs->create'
fails to allocate one of the `internal->subfont' variables, make
sure to free `internal->topfont' and any successfully allocated
subfonts.
* src/cff/cffobjs.c (cff_slot_done), src/cid/cidobjs.c
(cid_slot_done): If `ft_glyphslot_init' fails to allocate
`internal', then the class' `done_slot' callback (called by
`ft_glyphslot_done') must not dereference the pointer to `internal'.
* src/cff/cffload.c (cff_index_get_pointers): When new_bytes fails
to allocate, make sure to free the table. Do the same for both
allocations if there is a later error.
We no longer have to take care of the 8.3 file name limit; this
allows us (a) to introduce longer, meaningful file names, and (b) to
avoid macro names in `#include' lines altogether since some
compilers (most notably Visual C++) doesn't support this properly.
*/*: Replace
#include FOO_H
with
#include <freetype/foo.h>
or something similar. Also update the documentation.
These have not been used in a very, very long time, so better remove
them. A corresponding patch will be submitted to the
`freetype2-demos' repository.
* src/Jamfile, src/*/Jamfile, Jamrules: Delete.
* src/base/ftoutln.c (FT_Outline_Transform): Bail on empty points.
* src/cff/cffload.c (cff_subfont_load): Use `FT_OFFSET'.
* src/psaux/psft.c (cf2_decoder_parse_substrings): Early out if
`charstring_base' or `charstring_len' are null.
* src/sfnt/ttload.c (tt_face_load_name): Use `FT_OFFSET'.
642bc7590c introduced dynamically
allocated memory when parsing CFF files with the "old" engine. Bounds
checks have never been updated, however, leading to pointless
comparisons of pointers in some cases. This commit presents a
solution for bounds checks in the CFF module with an extended logic
for the "old" engine while staying as concise as possible for the
"new" one.
* src/cff/cffparse.h: Introduce the struct `CFF_T2_StringRec' and
the additional field `t2_strings' within `CFF_ParserRec'.
* src/cff/cffparse.c (cff_parser_within_limits): Move all boundary
checks into this new function and update the rest of `cffparse.c' to
use it.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12137
==========================
Tag sources with `VER-2-10-0'.
* docs/VERSION.TXT: Add entry for version 2.10.0.
* docs/CHANGES: Updated.
* README, Jamfile (RefDoc), src/base/ftver.rc,
builds/windows/vc2010/freetype.vcxproj,
builds/windows/vc2010/index.html,
builds/windows/visualc/freetype.dsp,
builds/windows/visualc/freetype.vcproj,
builds/windows/visualc/index.html,
builds/windows/visualce/freetype.dsp,
builds/windows/visualce/freetype.vcproj,
builds/windows/visualce/index.html,
builds/wince/vc2005-ce/freetype.vcproj,
builds/wince/vc2005-ce/index.html,
builds/wince/vc2008-ce/freetype.vcproj,
builds/wince/vc2008-ce/index.html: s/2.9.1/2.10.0/, s/291/2100/.
* include/freetype/freetype.h (FREETYPE_MINOR): Set to 10.
(FREETYPE_PATCH): Set to 0.
* builds/unix/configure.raw (version_info): Set to 23:0:17.
* CMakeLists.txt (VERSION_MINOR): Set to 10.
(VERSION_PATCH): Set to 0.
* builds/toplevel.mk (version, winversion): Since the minor version
number has two digits now, never omit the patch number. We would
get ambiguous zip file names otherwise.
(dist): Remove remnants of `docmaker' tool.
(do-dist): Remove unused intermediate files.
* src/cff/cffparse.c (destrict_c2s_item): Guard function with
CFF_CONFIG_OPTION_OLD_ENGINE macro.
For multiple master fonts, common usage (in Postscript) is to modify
the WeightVector of an existing font instance, this addition
supports that use.
* include/freetype/ftmm.h, src/base/ftmm.c (FT_Set_MM_WeightVector,
FT_Get_MM_WeightVector): New API functions.
* include/freetype/internalservices/svmm.h
(FT_Set_MM_WeightVector_Func, FT_Get_MM_WeightVector_Func): New
function types.
(MultiMasters): Add `set_mm_weightvector' and `get_mm_weightvector'
members.
(FT_DEFINE_SERVICE_MULTIMASTERSREC): Updated.
* src/cffcffdrivr.c (cff_set_mm_weightvector,
cff_get_mm_weightvector): New functions.
(cff_service_multi_masters): Register them.
* src/truetype/ttdriver.c (tt_service_gx_multi_masters): Updated.
This driver doesn't use the new interface.
* src/type1/t1load.c (T1_Set_MM_WeightVector,
T1_Get_MM_WeightVector): New functions.
* src/type1/t1driver.c (t1_service_multi_masters): Register them.
* src/type1/t1load.h: Updated.
This is a follow-up to the previous commit.
* src/cff/cffobjs.c (cff_face_init), src/sfnt/sfobjs.c
(sfnt_load_face), src/type1/t1objs.c (T1_Face_Init),
src/type42/t42objs.c (T42_Face_Init): Implement it.
Before this commit we had code like
(FT_Bool)( globals->glyph_styles[gindex] & 0x8000)
Since `FT_Bool' is defined to be an `unsigned char', the code
evaluated to something like
(unsigned char)( 0x8532 & 0x8000)
which in turn expanded to
(unsigned char)( 0x8000)
and finally yielded 0x00 – i.e., false – not as expected.
Problem reported and analyzed by Tony Smith <tony.smith@macro4.com>.
* include/freetype/fttypes.h (FT_BOOL): Add a comparison against
zero so that we always have a Boolean expression.
*/*: Replace castings to `FT_Bool' with calls to `FT_BOOL' where
possible.
Werner Lemberg