When creating a CID parser the location of the 'StartData' or '/sfnts'
tokens needs to be known. However, the token parser requires that the
entire document be in memory and flattening the entire stream into memory is
to be avoided.
To avoid forcing the entire stream into memory, previously this code would
scan through the stream looking for 'StartData' or '/sfnts' as strings.
However, these strings could have been in a comment or string token, so the
stream would be read into memory up to that point and the parser run to
check that these strings were actually tokens. This forced a parser restart
from the beginning each time; as a result, data with many 'StartData'
non-tokens would take n^2 time to check.
* src/cid/cidparse.c (cid_parser_new): Change algorithm to make the initial
scan look for the last possible 'StartData' or '/sfnts' string in the
stream. The stream is read forward instead of backward as a typical normal
CID font will have one 'StartData' toward the beginning of the data and it
it much faster to read the data from beginning to end instead of end to
beginning. For memory-based fonts the limit is set to the end of the stream
since the stream is already in memory. Then the parser is run once to look
for 'StartData' or '/sfnts' tokens. If they are found the parser is re-set
to reflect this new information.
Reported as
https://issues.chromium.org/issues/40201695
When matching the keywords, we avoid calculating their lengths by
checking the stored values. This itself is a sufficient pre-check
before diving into `memcmp`. Therefore, we remove explicit check of
the first characters.
* include/freetype/internal/psaux.h (T1_FieldRec): Store length.
* src/cid/cidload.c (cid_parse_dict): Use `memcmp` and stored length.
* src/type1/t1load.c (parse_dict): Ditto.
* src/type42/t42parse.c (t42_parse_dict): Ditto.
In C it is undefined behavior to call a function through a function pointer
of a different type. This is now detected by the Control Flow Integrity
Sanitizer. All known issues have already been fixed. Prevent any
accidental re-introduction by removing function pointer casts when defining
services. The services will call the service functions through the function
pointers on the service. As a result the functions must have the same type
so there should be no need to cast. Removing the casts allows compilers to
warn about assignment to an incompatible function pointer type.
* cidobjs.c (cid_face_init): Set FT_FACE_FLAG_CID_KEYED.
* cidriver.c (cid_get_is_cid): Comment about the case that
is_cid cannot guarantee the glyph collection specification.
Ensure that all driver functions use the signature of the service or driver.
This avoids pointer mismatches, which are technically undefined behaviour.
Recent compilers are more picky in catching them as part of Control Flow
Integrity tests.
Update cid_get_cid_from_glyph_index() to
return an error and CID=0 in the case that
the specified glyph index points to an invalid
entry.
cidgload.h (cid_compute_fd_and_offsets):
Declare new helper function to set the
fd_select and 2 offsets to access the glyph
description data.
cidgload.c (cid_compute_fd_and_offsets):
Move the part loading fd_select and 2 offsets
from cid_load_glyph() to here. If the loaded
parameters are broken, return the Invalid_Offset
error. This function does not load the glyph
data, only fills these parameters.
(cid_load_glyph): Use new helper function in above.
cidriver.c (cid_get_cid_from_glyph_index):
Check whether the requested glyph index points
to a valid entry, by calling cid_compute_fd_and_offsets().
If it is valid, fill the cid by the glyph
index (=CID). If it is invalid, return an
error and fill the cid by 0.
The t1cid driver catches 3 types of errors in
the charstrings retrieval;
A) The invalid FD number, there are 2 subtypes;
A-1) FD number is the maximum number fitting to FDBytes.
A-2) FD number is greater than num_dicts.
B) Declared length is overrunning.
C) Declared length is invalid (its end is before its head).
Considering that some widely distributed fonts
(e.g., "CJKV" book by O'Reilly) have A-1 errors
in the unimplemented glyphs, the trace level for
A-1 is calmed to level 1.
The errors A-2, B, and C would be irregular;
their trace levels are kept at level 0, but
the updated trace messages include the CID number.
Technically, `strtol` can only be used with C strings terminated with
`\0`. CID data is not generally null-terminated and often does not
contain a `\0` if it is hex-encoded. AddressSanitizer with `ASAN_OPTIONS`
containing `strict_string_checks=1` verifies this by using an adversarial
`strtol` that always reads to the terminating `\0`.
To avoid undefined behavior from `strtol` in `cid_parser_new`, use the
parser to parse the tokens instead of attempting to parse them ad-hoc.
This will internally use `PS_Conv_Strtol` to parse the integer, which
respects the parser's limits and directly implements the PostScript
parsing rules for integers.
* src/cid/cidparse.c (cid_parser_new): Use the parser to parse the
tokens.
Fixes: https://bugs.chromium.org/p/chromium/issues/detail?id=1420329
This is mainly for better diagnostics of malformed fonts.
* src/bdf/bdflib.c (_bfd_readstream): Stop font format testing if the first
input line is too long or doesn't end with `\r` or `\n`.
* src/cid/cidparse.c (cid_parser_new): Don't handle too short input as an
error but as an unknown format.
* src/pfr/pfrobjs.c (pfr_face_init): Ditto.
* src/winfonts/winfnt.c (fnt_font_load, fnt_face_get_dll_font): Ditto.
Add argument to return the actual number of bytes that were decoded.
The actual number of bytes decoded can be quite variable depending
on the number of ignored 'whitespace' bytes or early termination
with `>`.
(cid_face_open): Updated to use this calculated value. This avoids
trusting `parser->binary_length` is always be correct and reading
uninitialized bits if fewer are actually decoded.
First reported as
https://crbug.com/1203240
This ensures good logging output, with all lines having a proper
prefix (if requested).
This is a continuation of a similar patch from 2020-12-02, which
missed some locations.
* src/cff/cffobjs.c (cff_slot_done), src/cid/cidobjs.c
(cid_slot_done): If `ft_glyphslot_init' fails to allocate
`internal', then the class' `done_slot' callback (called by
`ft_glyphslot_done') must not dereference the pointer to `internal'.
We no longer have to take care of the 8.3 file name limit; this
allows us (a) to introduce longer, meaningful file names, and (b) to
avoid macro names in `#include' lines altogether since some
compilers (most notably Visual C++) doesn't support this properly.
*/*: Replace
#include FOO_H
with
#include <freetype/foo.h>
or something similar. Also update the documentation.
These have not been used in a very, very long time, so better remove
them. A corresponding patch will be submitted to the
`freetype2-demos' repository.
* src/Jamfile, src/*/Jamfile, Jamrules: Delete.
This change should allow Freetype to work on WASM/Emscripten without
needing `-s EMULATE_FUNCTION_POINTER_CASTS=1'.
* src/autofit/afdummy.c (af_dummy_hints_apply): Fix signature.
* src/cid/cidload.c (cid_parse_font_matrix, parse_fd_array,
parse_expansion_factor, parse_font_name): Return `void', not
`FT_Error'.
* include/freetype/internal/ftobjs.h (FT_CMap_CharVarIsDefaultFunc):
Fix signature.
Ben Wagner