Commit Graph

3542 Commits

Author SHA1 Message Date
Werner Lemberg fba29fabb3 [pfr] Add some safety guards (#46302).
* src/pfr/pfrload.h (PFR_CHECK): Rename to...
(PFR_CHECK_SIZE): ... this.
(PFR_SIZE): [!PFR_CONFIG_NO_CHECKS]: Define to PFR_CHECK_SIZE.

* src/pfr/pfrload.c (pfr_log_font_count): Check `count'.
(pfr_extra_item_load_kerning_pairs): Remove tracing message.
(pfr_phy_font_load): Use PFR_CHECK_SIZE where appropriate.
Allocate `chars' after doing a size checks.

* src/pfr/pfrsbit.c (pfr_load_bitmap_bits): Move test for invalid
bitmap format to...
(pfr_slot_load_bitmap): ... this function.
Check bitmap size.
2015-10-27 21:04:48 +01:00
Werner Lemberg 6a19a7d332 [truetype] Fix sanitizing logic for `loca' (#46223).
* src/truetype/ttpload.c (tt_face_load_loca): A thinko caused an
incorrect adjustment of the number of glyphs, most often using far
too large values.
2015-10-26 15:40:22 +01:00
Werner Lemberg 7f00fa6462 [autofit] Improve tracing.
* src/autofit/afhints.c (af_print_idx, af_get_segment_index,
af_get_edge_index): New functions.

(af_glyph_hints_dump_points): Remove unnecessary `|', `[', and `]'.
Add segment and edge index for each point.
Slightly change printing order of some elements.
Don't print `-1' but `--' for missing elements.

(af_glyph_hints_dump_segments, af_glyph_hints_dump_edges): Remove
unnecessary `|', `[', and `]'.
Don't print `-1' but `--' for missing elements.
2015-10-25 10:59:59 +01:00
Werner Lemberg 6f09011fe6 [sfnt] Sanitize bitmap strike glyph height.
Problem reported by Nikolay Sivov <bunglehead@gmail.com>.

* src/sfnt/ttsbit.c (tt_face_load_strike_metrics): Avoid zero value
for `metrics->height' by applying some heuristics.
2015-10-24 10:10:22 +02:00
Werner Lemberg e93d326c8b [sfnt, type42] Fix clang compiler warnings.
* src/sfnt/sfobjs.c (sfnt_init_face): Initialize `offset'.

* src/type42/t42parse.c (t42_parse_sfnts): Use proper cast.
2015-10-22 10:17:20 +02:00
Werner Lemberg f1c93439b9 [cff] Avoid overflow/module arithmetic.
This modifies the addition of subroutine number to subroutine bias
from unsigned to signed, but does not change any results.

* src/cff/cf2ft.c (cf2_initGlobalRegionBuffer,
cf2_initLocalRegionBuffer): Change variable names from (unsigned)
`idx' to (signed) `subrNum', since it is not an index until after
the bias is added.
* src/cff/cf2ft.h: Updated.

* src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdCALLSUBR>:
Updated similarly.
2015-10-22 10:11:23 +02:00
Werner Lemberg 59ae73fe16 [cid] Better check of `SubrCount' dictionary entry (#46272).
* src/cid/cidload.c (cid_face_open): Add more sanity tests for
`fd_bytes', `gd_bytes', `sd_bytes', and `num_subrs'.
2015-10-22 09:26:00 +02:00
Werner Lemberg e484d36b2b [base] Pacify compiler (#46266).
* src/base/ftoutln.c (FT_Outline_EmboldenXY): Initialize `in' and
`anchor'.
2015-10-21 20:48:27 +02:00
Werner Lemberg 87fefc594e [type42] Fix heap buffer overflow (#46269).
* src/type42/t42parse.c (t42_parse_sfnts): Fix off-by-one error in
bounds checking.
2015-10-21 20:29:12 +02:00
Dave Arnold 3cfd51233c [cff] Fix limit in assert for max hints.
* src/cff/cf2interp.c (cf2_hintmask_setAll): Allow mask equal to the
limit (96 bits).
2015-10-21 14:07:25 +02:00
Dave Arnold 748e368173 [cff] Remove an assert (#46107).
* src/cff/cf2hints.c (cf2_hintmap_insertHint): Ignore paired edges
in wrong order.
2015-10-21 13:58:43 +02:00
Werner Lemberg e6593389cf [sfnt] Avoid unnecessarily large allocation for WOFFs (#46257).
* src/sfnt/sfobjs.c (woff_open_font): Use WOFF's `totalSfntSize'
only after thorough checks.
Add tracing messages.
2015-10-21 08:04:29 +02:00
Werner Lemberg 649ca5562d [type42] Better check invalid `sfnts' array data (#46255).
* src/type42/t42parse.c (t42_parse_sfnts): Table lengths must be
checked individually against available data size.
2015-10-21 07:01:45 +02:00
Werner Lemberg 3eccc3a3f8 [cid] Add a bunch of safety checks.
* src/cid/cidload.c (parse_fd_array): Check `num_dicts' against
stream size.
(cid_read_subrs): Check largest offset against stream size.
(cid_parse_dict): Move safety check to ...
(cid_face_open): ... this function.
Also test length of binary data and values of `SDBytes',
`SubrMapOffset', `SubrCount', `CIDMapOffset', and `CIDCount'.
2015-10-20 22:31:57 +02:00
Werner Lemberg d47d372c96 [cid] Avoid segfault with malformed input (#46250).
* src/cid/cidload.c (cid_read_subrs): Return a proper error code for
unsorted offsets.
2015-10-20 12:24:36 +02:00
StudioEtrange 5cf83a5335 * CMakeLists.txt: Enable shared library builds on MinGW (#46233). 2015-10-20 07:19:44 +02:00
Werner Lemberg 3c582060b2 * src/type1/t1afm.c (T1_Read_Metrics): Fix memory leak (#46229). 2015-10-20 06:57:28 +02:00
Bungeman ba8a528b19 [cid] Better handle invalid glyph stream offsets (#46221).
* src/cid/cidgload.c (cid_load_glyph): Check minimum size of glyph
length.
2015-10-19 23:27:06 +02:00
Werner Lemberg 24cee3a8a3 [psaux] Fix tracing of negative numbers.
Due to incorrect casting negative numbers were shown as very large
(positive) integers on 64bit systems.

* src/psaux/t1decode.c (t1_decoder_parse_charstrings) <op_none>:
Use division instead of shift.
2015-10-19 23:00:28 +02:00
Werner Lemberg 14213b5409 [truetype] Improve TT_CONFIG_OPTION_MAX_RUNNABLE_OPCODES (#46223).
* devel/ftoption.h, include/freetype/config/ftoption.h: Surround it
with #ifndef ... #endif, as suggested in the tracker issue.
2015-10-18 18:15:04 +02:00
Werner Lemberg dcfc4d9c21 [truetype] Better protection against malformed `fpgm' (#46223).
* src/truetype/ttobjs.c (tt_size_init_bytecode): Don't execute a
malformed `fpgm' table more than once.
2015-10-18 16:47:06 +02:00
Werner Lemberg 7643b5839b * src/cid/cidgload.c (cid_load_glyph): Fix memory leak.
Reported by Kostya Serebryany <kcc@google.com>.
2015-10-17 15:51:29 +02:00
Werner Lemberg b185747dd6 [bdf] Prevent memory leak (#46217).
* src/bdf/bdflib.c (_bdf_parse_glyphs) <STARTCHAR>: Check
_BDF_GLYPH_BITS.
2015-10-17 14:21:41 +02:00
Werner Lemberg e1ca18d449 [bdf] Use stream size to adjust number of glyphs.
* src/bdf/bdflib.c (ACMSG17): New message macro.
(_bdf_parse_t): Add member `size'.
(bdf_load_font): Set `size'.
(_bdf_parse_glyphs): Adjust `cnt' if necessary.
2015-10-17 11:51:27 +02:00
Werner Lemberg 0af21dcf13 * src/cid/cidload.c (cid_parse_dict): Check `[FG]DBytes' size. 2015-10-17 09:29:52 +02:00
Werner Lemberg 0ba98da472 * src/cid/cidgload.c (cid_glyph_load): Check file offsets (#46222). 2015-10-17 09:11:02 +02:00
Werner Lemberg 8edfcbed53 [psaux] Fix heap buffer overflow (#46221).
* src/psaux/t1decode.c (t1_decoder_parse_charstring) <operator 12>:
Fix limit check.
2015-10-17 08:11:16 +02:00
Werner Lemberg a5ecfb4ce6 * src/cid/cidload.c (cid_parse_dict): Handle invalid input (#46220). 2015-10-17 06:15:55 +02:00
Kostya Serebryany 266976b163 add src/tools/ftfuzzer/README 2015-10-15 22:15:53 -07:00
Bungeman 65d8980491 [bdf] Fix memory leak (#46213).
* src/bdf/bdflib.c (bdf_load_font): Always go to label `Fail' in
case of error.
2015-10-15 23:50:16 +02:00
Werner Lemberg 24a1fcdfce [truetype] Add TT_CONFIG_OPTION_MAX_RUNNABLE_OPCODES (#46208).
* devel/ftoption.h, include/freetype/config/ftoption.h
(TT_CONFIG_OPTION_MAX_RUNNABLE_OPCODES): New configuration macro.

* src/truetype/ttinterp.c (MAX_RUNNABLE_OPCODES): Removed.
(TT_RunIns): Updated.
2015-10-15 21:50:15 +02:00
Werner Lemberg 837ad9d411 * src/truetype/ttinterp.c (TT_RunIns): Fix bytecode stack tracing.
The used indices were off by 1.
2015-10-15 21:15:45 +02:00
Werner Lemberg 8b76eaf092 * src/tools/ftfuzzer/ftfuzzer.cc: Handle fixed sizes (#46211). 2015-10-15 18:28:43 +02:00
Werner Lemberg e03214e166 [base] Compute MD5 checksums only if explicitly requested.
This improves profiling accuracy.

* src/base/ftobjs.c (FT_Render_Glyph_Internal): Implement it.
2015-10-15 16:58:13 +02:00
Werner Lemberg 2a20c92c4b [base] Use `FT_' namespace for MD5 functions (#42366).
* src/base/ftobjs.c (MD5_*): Define as `FT_MD5_*'.
Undefine HAVE_OPENSSL.
2015-10-14 15:23:15 +02:00
Werner Lemberg 8539915d18 [type1] Correctly handle missing MM axis names (#46202).
* src/type1/t1load.c (T1_Get_MM_Var): Implement it.
2015-10-13 20:43:19 +02:00
Werner Lemberg 58b61b6e05 [pcf] Quickly exit if font index < 0.
Similar to other font formats, this commit makes the parser no
longer check the whole PCF file but only the header and the TOC if
we just want to get the number of available faces (and a proper
recognition of the font format).

* src/pcf/pcfdrivr.c (PCF_Face_Init): Updated.
Exit quickly if face_index < 0.

* src/pcfread.c (pcf_load_font): Add `face_index' argument.
Exit quickly if face_index < 0.

* src/pcf/pcf.h: Updated.
2015-10-13 18:26:18 +02:00
Werner Lemberg bdb56bba86 [ftfuzzer] Handle TTCs and MM/GX variations.
This patch also contains various other improvements.

* src/tools/ftfuzzer/ftfuzzer.cc: Add preprocessor guard to reject
pre-C++11 compilers.
(FT_Global): New class.  Use it to provide a global constructor and
destructor for the `FT_Library' object.
(setIntermediateAxis): New function to select an (arbitrary)
instance.
(LLVMFuzzerTestOneInput): Loop over all faces and named instances.
Also call `FT_Set_Char_Size'.
2015-10-13 11:51:13 +02:00
Werner Lemberg 43a96eb26f [truetype] Refine some GX sanity tests.
Use the `gvar' table size instead of the remaining bytes in the
stream.

* src/truetype/ttgxvar.h (GX_BlendRec): New field `gvar_size'.

* src/truetype/ttgxvar.c (ft_var_load_gvar): Set `gvar_size'.
(ft_var_readpackedpoints, ft_var_readpackeddeltas: New argument
`size'.
(tt_face_vary_cvt, TT_Vary_Apply_Glyph_Deltas): Updated.
2015-10-13 11:18:55 +02:00
Werner Lemberg 052f6c5649 [truetype] Another GX sanity test.
* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Check
`tupleCount'.
Add tracing message.
2015-10-13 08:24:32 +02:00
Werner Lemberg 7ef0d8661a [truetype] Fix memory leak for broken GX fonts (#46188).
* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Fix scope of
deallocation.
2015-10-13 08:14:20 +02:00
Werner Lemberg f96094eef0 [truetype] Fix commit from 2015-10-10.
* src/truetype/ttgxvar.c (ft_var_load_gvar): Add missing error
handling body to condition.
2015-10-13 07:13:56 +02:00
Werner Lemberg b9880aa0f8 [unix] Make MKDIR_P actually work.
* builds/unix/configure.raw: Fix underquoting of `INSTALL' and
`MKDIR_P'.

Problem reported by Dan Liddell <lddll@yahoo.com>.
2015-10-12 10:13:26 +02:00
Werner Lemberg 4f7f6f6e47 [sfnt] Improve extraction of number of named instances.
* src/sfnt/sfobjs.c (sfnt_init_face)
[TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Check number of instances against
`fvar' table size.
2015-10-11 07:55:25 +02:00
Werner Lemberg a724dcf5c3 Split off ChangeLog.25. 2015-10-11 05:50:07 +02:00
Alexei Podtelezhnikov c14ae9c5fd * src/base/ftoutln.c (FT_Outline_Get_Orientation): Fix overflow (#46149). 2015-10-10 22:28:26 -04:00
Werner Lemberg 8de39a7919 [sfnt] Fix infinite loops with broken cmaps (#46167).
* src/sfnt/ttcmap.c (tt_cmap8_char_next, tt_cmap12_next): Take care
of border condidions (i.e., if the loops exit naturally).
2015-10-10 13:34:11 +02:00
Werner Lemberg da34673e54 [truetype] More sanity tests for GX handling.
These tests should mainly help avoid unnecessarily large memory
allocations in case of malformed fonts.

* src/truetype/ttgxvar.c (ft_var_readpackedpoints,
ft_var_readpackeddeltas): Check number of points against stream
size.
(ft_var_load_avar): Check `pairCount' against table length.
(ft_var_load_gvar): Check `globalCoordCount' and `glyphCount'
against table length.
(tt_face_vary_cvt): Check `tupleCount' and `offsetToData'.
Fix trace.
(TT_Vary_Apply_Glyph_Deltas): Fix trace.
Free `sharedpoints' to avoid memory leak.
2015-10-10 10:21:27 +02:00
Werner Lemberg c220d8b498 [truetype] Better protection against malformed GX data (#46166).
* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Correctly
handle empty `localpoints' array.
2015-10-10 08:13:04 +02:00
Werner Lemberg d353f6e012 * src/pcf/pcfread.c (pcf_read_TOC): Check stream size (#46162). 2015-10-10 06:54:46 +02:00