* src/cache/ftcmru.c (FTC_MruList_RemoveSelection): Use one loop to
do it.
* src/cache/ftcmanag.c (FTC_Manager_Compress, FTC_Manager_FlushN):
Streamline loops.
Update cid_get_cid_from_glyph_index() to
return an error and CID=0 in the case that
the specified glyph index points to an invalid
entry.
cidgload.h (cid_compute_fd_and_offsets):
Declare new helper function to set the
fd_select and 2 offsets to access the glyph
description data.
cidgload.c (cid_compute_fd_and_offsets):
Move the part loading fd_select and 2 offsets
from cid_load_glyph() to here. If the loaded
parameters are broken, return the Invalid_Offset
error. This function does not load the glyph
data, only fills these parameters.
(cid_load_glyph): Use new helper function in above.
cidriver.c (cid_get_cid_from_glyph_index):
Check whether the requested glyph index points
to a valid entry, by calling cid_compute_fd_and_offsets().
If it is valid, fill the cid by the glyph
index (=CID). If it is invalid, return an
error and fill the cid by 0.
The situation can happen if `FT_New_Face` (or one of its siblings) is called
with a negative index to get the number of contained faces, followed
immediately by a call to `FT_Get_Postscript_Name`. While this is not a valid
use of the FreeType library there is no need for a crash.
Fixes#1219.
The t1cid driver catches 3 types of errors in
the charstrings retrieval;
A) The invalid FD number, there are 2 subtypes;
A-1) FD number is the maximum number fitting to FDBytes.
A-2) FD number is greater than num_dicts.
B) Declared length is overrunning.
C) Declared length is invalid (its end is before its head).
Considering that some widely distributed fonts
(e.g., "CJKV" book by O'Reilly) have A-1 errors
in the unimplemented glyphs, the trace level for
A-1 is calmed to level 1.
The errors A-2, B, and C would be irregular;
their trace levels are kept at level 0, but
the updated trace messages include the CID number.
The `MetricsVariations` `FT_Size_Reset_Func` is defined to take an
`FT_Size`. Because `tt_size_reset_height` is to be used as such a
function, it must also take an `FT_Size` instead of a `TT_Size`. Even
though the pointers passed will be the same at runtime, calling a
function through a pointer of a different type from the original
function pointer type is undefined behavior. This may be caught at
runtime by Control Flow Integrity with something like clang's
`cfi-icall`.
Issue: https://crbug.com/1433651
* src/truetype/ttobjs.h (tt_size_reset_height): take `FT_Size`
* src/truetype/ttobjs.c (tt_size_reset_height): take `FT_Size` and
update documentation
This is a generalization of commit
```
commit e6699596af
Author: Werner Lemberg <wl@gnu.org>
Date: Thu Feb 2 11:38:04 2017 +0100
[truetype] Fix MVAR post-action handling.
```
It is also possible for plain `CFF ` style fonts to contain an `fvar` and
`MVAR` table and use `cff_metrics_adjust`. `tt_size_reset` should only be
called with `TT_Size` and never with `CFF_Size`.
Allow the "metrics-variations" service to specify the correct function (if
any) to reset `FT_Size`s after adjusting metrics.
* src/truetype/ttobjs.c (tt_size_reset): Split off some functionality
into...
(tt_size_reset_height): ... this new function.
* src/truetype/ttdriver.c (tt_service_metrics_variations): Add
`size_reset`.
(tt_size_select, tt_size_request): Updated.
* src/truetype/ttobjs.h: Updated.
* include/freetype/internal/services/svmetric.h (MetricsVariations): Add
`size_reset`.
(FT_DEFINE_SERVICE_METRICSVARIATIONSREC): Updated.
* include/freetype/internal/tttypes.h (TT_FaceRec_): Rename `var` to
`tt_var` and add `face_var`.
* src/cff/cffdrivr.c (cff_service_metrics_variations): Add `size_reset`.
(cff_hadvance_adjust, cff_metrics_adjust): Updated.
* src/cff/cffobjs.c (cff_face_init): Use `face_var`.
* src/sfnt/sfobjs.c (sfnt_init_face): Initialize `face_var`.
* src/sfnt/ttmtx.c (tt_face_get_metrics): Use `tt_var`.
* src/truetype/ttgxvar.c (tt_size_reset_iterator): Renamed to...
(ft_size_reset_iterator): ... this new function.
Call `size_reset`.
(tt_apply_mvar): Pass `size_reset` to `ft_size_reset_iterator`.
Fixes#1211
This is mostly cosmetic because FT_UInt and FT_UInt32 are likely identical.
* src/sfnt/ttcmap.c, src/cff/cffcmap.c, src/psaux/t1cmap.c,
src/psnames/psmodule.c, include/freetype/internal/service/svpcsmap.h,
src/pfr/pfrcmap.c, src/winfonts/winfnt.c (*_char_next): return FT_UInt.
This moves the charcode overflow checks upstream and turns some
while-loops into the do-while ones to avoid the uninitialized warnings.
This should slightly reduce the number of checks and jumps.
* src/sfnt/ttcmap.c (tt_cmap{4,12,13}_next,
tt_cmap{4.12.13}_char_map_linear): Remove the charcode overflow check.
(tt_cmap{4,12,13}_char_map_binary): Ditto and use do-while.
(tt_cmap{12,13}_char_next): Add the overflow check.
The deprecated POST version 2.5 can be handled using the data
structures of version 2.0. The goal is to reduce the footprint.
* include/freetype/internal/tttypes.h (TT_Post_Names): Absorb and...
(TT_Post_20, TT_Post_25): ... remove these structures.
src/sfnt/ttpost.c (load_post_names, tt_face_get_ps_name,
tt_face_free_ps_names, load_format_20): Updated accordingly.
(load_format_25): ditto and convert offsets to glyph indices.
* src/sfnt/ttpost.c (load_format_20): Decrease casts.
(load_format_25): Check the table length and impose a theoretical
glyph number limit usable with 8-bit offset. Decrease casts.
(load_post_names): Pass the mapping data length without 2 bytes.
* src/sfnt/ttpost.c (load_format_20): Co-allocate the string data and
their pointers, which makes it easier to handle and free them.
(tt_face_free_ps_names): Updated.
* include/freetype/internal/tttypes.h (TT_Post_20): Update type.
* src/cff/cffparse.c (cff_parser_run): Allocate the charstring buffers
and the list nodes together so that they can be freed at once.
(finalize_t2_strings): Removed as no longer needed.
(cff_parser_done): Updated.
The old stream limit checks, before 6986ddac1e, were good but
pointless for the crafted t2_strings. Checking limits there is
not necessary as they are created to hold all data. By using two
conditions, we can detect the actual crossing of the stream boundary
as appropriate for the stream pointer only. The t2_strings parsing
will not be triggering these checks.
* src/cff/cffparse.c (cff_parser_within_limits): Removed.
(cff_parse_real, cff_parse_integer): Redesign the stream limit check.
(cff_parse_num, do fixed, cff_parse_fixed_dynamic): Update callers.
* src/truetype/ttgload.c (TT_Process_Composite_Glyph,
TT_Load_Simple_Glyph): Clean up old instructions regardless of
new ones, postpone setting `control_len` and `control_data` until...
(TT_Load_Glyph): ... the exit from this function.
The number of instructions is now taken from the executed context.
Technically, this means that `control_len` and `control_data`
values are no longer _used_ internally but only expose them.
Based on ideas from Jouk Jansen <joukj@hrem.nano.tudelft.nl>.
* src/tools/vms_shorten_symbol.c: New file, taken from
https://sourceforge.net/p/vms-ports/vmsshortsym/ci/default/tree/vms_shorten_symbol.c
with some minor edits to allow compilation with C++ and being included in
another source code file.
* src/tools/apinames.c: Include `vms_shorten_symbol.c`.
(PROGRAM_VERSION): Set to '0.5'.
(names_dump) [OUTPUT_VMS_OPT]: Call `vms_shorten_symbol` to get unique function
identifiers not longer than 31 characters.
* src/cff/cffparse.c (finalize_t2_strings): Fix NULL-dereferencing
in the out-of-memory situation, use `FT_FREE`.
(cff_parser_run): Use FreeType memory allocation macros and avoid
uninitialized pointers.
Technically, `strtol` can only be used with C strings terminated with
`\0`. CID data is not generally null-terminated and often does not
contain a `\0` if it is hex-encoded. AddressSanitizer with `ASAN_OPTIONS`
containing `strict_string_checks=1` verifies this by using an adversarial
`strtol` that always reads to the terminating `\0`.
To avoid undefined behavior from `strtol` in `cid_parser_new`, use the
parser to parse the tokens instead of attempting to parse them ad-hoc.
This will internally use `PS_Conv_Strtol` to parse the integer, which
respects the parser's limits and directly implements the PostScript
parsing rules for integers.
* src/cid/cidparse.c (cid_parser_new): Use the parser to parse the
tokens.
Fixes: https://bugs.chromium.org/p/chromium/issues/detail?id=1420329
Without this patch, static linking with MS Visual Studio causes linking
errors.
* src/gzip/ftgzip.c: Set `ZEXPORT` to nothing and `ZEXTERN` to static for
all compilers.
This is unnecessary for predefined standard and expert encodings.
Even for custom encodings the arrays might be already zeroed when
CFF_FontRec is created but we keep it just in case.
Also short-circuit on `offset` to avoid checking `count` a second time when
`ft_ansi_stream_io` is used for reading.
Per ISO/IEC 9899:
If an argument to a function has an invalid value (such as a value outside
the domain of the function, or a pointer outside the address space of the
program, or a null pointer, or apointer to non-modifiable storage when the
corresponding parameter is not const-qualified) or a type (after
promotion) not expected by a function with variable number of arguments,
the behavior is undefined. If a function argument is described as being
an array, the pointer actually passed to the function shall have a value
such that all address computations and accesses to objects (that would be
valid if the pointer did point to the first element of such an array) are
in fact valid.
Per IEEE Std 1003.1:
size_t fread(void *restrict ptr, size_t size, size_t nitems,
FILE *restrict stream);
The `fread` function shall read into the array pointed to by `ptr` up to
`nitems` elements whose size is specified by `size` in bytes, from the
stream pointed to by `stream`.
Since the first argument to `fread` is described as being an array, its
behavior is undefined when that argument is a null pointer.
Per the documentation on `ft_ansi_stream_io`:
If `count' is zero (this is, the function is used for seeking), a non-zero
return value indicates an error.
Thus the intent is clear, and the call to `fread` can be skipped, avoiding
undefined behaviour.
* src/base/ftoutln.c (FT_Outline_Reverse, FT_Outline_EmboldenXY,
FT_Outline_Get_Orientation): Set the first and last indexes together.
(FT_Outline_Decompose): Ditto and check them more stringently.
* src/smooth/ftgrays.c (FT_Outline_Decompose)[STANDALONE_]: Ditto.
A cubic contour has to always start from an on-point. Therefore, we
should not swap the first with the last point, which might be off, and
obtain an invalid contour. This does not matter for conic contours.
If anything, it also saves one swap there. Fixes#1207.
The design coordinates for MM fonts were not rounded. For example,
`FT_Get_Var_Design_Coordinates` returned values with fractional part.
* src/type1/t1load.c (mm_axis_unmap): Refactor with rounding.
* include/freetype/ftmm.h (FT_Var_Axis, FT_Set_Var_Design_Coordinates,
FT_Get_Var_Design_Coordinates): Reword documentation.
==========================
Tag sources with `VER-2-13-0'.
* docs/VERSION.TXT: Add entry for version 2.13.
* docs/CHANGES: Updated.
* README, src/base/ftver.rc, builds/windows/vc2010/index.html,
builds/windows/visualc/index.html, builds/windows/visualce/index.html,
builds/wince/vc2005-ce/index.html, builds/wince/vc2008-ce/index.html,
docs/freetype-config.1: s/2.12.1/2.13/, s/2121/2130/.
* include/freetype/freetype.h (FREETYPE_MINOR): Set to 13.
(FREETYPE_PATCH): Set to 0.
* builds/unix/configure.raw (version_info): Set to 25:0:19.
* CMakeLists.txt (VERSION_MINOR): Set to 13.
(VERSION_PATCH): Set to 0.
* src/autofit/ft-hb.c: Decorate with `FT_LOCAL_DEF`.
Add ANSI boilerplate code for otherwise empty file.
* src/autofit/ft-hb.h: Include `compiler-macros.h` and `freetype.h`.
Use `FT_BEGIN_HEADER` and `FT_END_HEADER`.
Decorate with `FT_LOCAL`.
* src/autofit/rules.mk (AUTOF_DRV_SRC): Add `ft-hb.c`.
Modern compilers get more insistent on that...
* include/freetype/internal/compiler-macros.h (FALL_THROUGH): Define.
* src/*: Use it instead of `/* fall through */` comments.
Otherwise we get zillions of clang 15 warnings.
* src/autofit/afcjk.c, src/autofit/afhints.c, src/autofit/aflatin.c,
src/base/ftobjs.c, src/base/ftoutln.c, src/cff/cffparse.c,
src/raster/ftraster.c, src/sfnt/pngshim.c, src/truetype/ttgload.c,
src/truetype/ttgxvar.c, src/truetype/ttobjs.c, src/type1/t1gload.c: Use
`double` cast in debugging and tracing macros.
This is mandated by the C99 standard, and clang 15 produces zillions of
warnings otherwise.
* devel/ftoption.h, include/freetype/config/ftoption.h,
include/freetype/internal/ftmemory.h, src/autofit/afhints.h,
src/autofit/afmodule.c, src/autofit/aftypes.h, src/base/ftadvanc.c,
src/base/ftdbgmem.c, src/base/ftstream.c, src/bdf/bdflib.c,
src/truetype/ttinterp.c: Replace identifiers of the form `_foo` with `foo_`.
* src/sdf/ftsdfcommon.h (FT_16D16, FT_26D6): Use 32-bit integers
instead of `FT_Fixed` for internal data types. `FT_Fixed` i.e.
`signed long` is 64-bit on some architectures.
The ascender and descender are optional in the AFM specifications.
They could be omitted or even set to zero, e.g., in the current release
of URW++ base 35 fonts.
In `open_face_from_buffer` it is possible that a driver is requested but
FreeType was built without the requested module. Return an error in this
case to indicate that the request could not be satisfied, rather than trying
all existing driver modules.
* src/base/ftobjs.c (open_face_from_buffer): Return `FT_Err_Missing_Module`
if a driver is specified but not found.
The documentation for `FT_StreamRec::memory` states that it 'shouldn't be
touched by stream implementations'. This is true even for internal
implementations of the 'close' callback, since it is not guaranteed that
`memory` will even be set when the 'close' callback occurs.
* src/base/ftobjs.c (new_memory_stream): stash current `memory` in
`stream->descriptor`.
(memory_stream_close): Use it.
The `FT_Open_Face` documentation states
> If `FT_OPEN_STREAM` is set in `args->flags`, the stream in `args->stream`
> is automatically closed before this function returns any error (including
> `FT_Err_Invalid_Argument`).
However, if the user provides a stream in `args.stream` with
`FT_OPEN_STREAM` set and a `close` function, but then for some reason passes
NULL for `aface` and a non-negative `face_index`, the error
`Invalid_Argument` is returned but the `close` callback will not be called
on the user-provided stream. This may cause resource leaks if the caller is
depending on the `close` callback to free resources.
The difficulty is that a user may fill out a `FT_StreamRec` and pass its
address as `args.stream`, but the stream isn't really 'live' until
`FT_Stream_New` is called on it (and `memory` is set). In particular, it
cannot really be cleaned up properly in `ft_open_face_internal` until the
stream pointer has been copied into the `stream` local variable.
* src/base/ftobj.c (ft_open_face_internal): Ensure that user-provided
`args.stream.close` is called even with early errors.
`open_face_from_buffer` allocates a new `FT_Stream` to pass to
`ft_open_face_internal`. Because this is an `FT_OPEN_STREAM`,
`ft_open_face_internal` will mark this as an 'external stream', which the
caller must free. However, `open_face_from_buffer` cannot directly free it
because the stream must last as long as the face. There is currently an
attempt at this by clearing the 'external stream' bit after
`open_face_from_buffer` returns successfully. However, this is too late as
the original stream may have already been closed and the stream on the face
may not be the same stream as originally passed.
It is tempting to use `FT_OPEN_MEMORY` and let `ft_open_face_internal`
create the stream internally. However, with this method there is no means
to pass through a 'close' function to the created stream to free the
underlying data, which must be owned by the stream.
A possibility is to check on success if the stream of the face is the same
as the original stream. If it is then unset the external flag. If not,
then free the original stream. Unfortunately, while no current
implementation does so, it is possible that the face still has the original
stream somewhere other than as the `FT_FaceRec::stream`. The stream needs
to remain available for the life of the face or until it is closed,
whichever comes earlier.
The approach taken here is to let the stream own itself. When the stream is
closed it will free itself.
* src/base/ftobjs.c (memory_stream_close): Free `stream`.
(open_face_from_buffer): Simplify error handling, since
`ft_open_face_internal` always closes `args.stream` on any error.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54930
Currently the cvt and storage are saved and restored in `TT_RunIns`.
However, this is too granular as the cvt and storage area should be set to
the original cvt and storage area only when setting up the hinting context.
This allows for the cvt and storage area to be modified while parsing
multiple glyphs, as is the case with composite glyphs.
* src/truetype/ttinterp.h (TT_ExecContextRec): Remove `origCvt` and
`origStorage`.
* src/truetype/ttinterp.c (TT_RunIns): Don't save and restore the cvt and
storage area.
(Modify_CVT_Check, Ins_WS): Switch from "if in glyph and using original data
do copy on write" to "if in glyph and not using glyph specific data do copy
on write".
The circular dependency is still there, but at least we no longer depend on
the HarfBuzz API that is only present if HarfBuzz has been built with
FreeType support, making the bootstrapping a bit easier.
* src/autofit/ft-hb.c, src/autofit/ft-hb.h: New files, providing
`_hb_ft_font_create`, which is more or less a verbatim copy of the
corresponding HarfBuzz code from file `hb-ft.cc`.
* src/autofit/afglobal.c (af_face_globals_new): Use it.
* src/autofit/afshaper.h: Don't include `hb-ft.h` but `ft-hb.h`.
* src/autofit/autofit.c: Include `ft-hb.c`.
* LICENSE.TXT: Updated.
`tt_var_load_item_variation_store` fills out a `GX_ItemVarStore`. While it
may return an error, the item store must be left in a consistent state so
that any use or destruction of the item store can properly use or free the
data in it. Before this change the counts from the font data were read
directly into the item store before the actual allocation of the arrays to
which they referred. There exist many opportunities between the time the
counts are read and the arrays are allocated to return early due to invalid
data. When this happened the item store claimed to have entires it actually
did not, leading to crashes later when it was used.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54449
* src/truetype/ttgxvar.c (tt_var_load_item_variation_store): Read the counts
into local variables and store them in the item store only after the related
arrays are actually created on the item store.
In `open_face` the initial stream is set on the face, along with the
information about if FreeType is the owner of the stream object itself. The
loaders may in the course of their work replace this stream with a new
stream (as is the case for 'woff' and 'woff2'), which may have a different
ownership than the initial stream object (likely the original stream object
is owned by the user and is external, while the new stream object is created
internally to FreeType and is internal). When the stream is replaced, the
face's flags are updated with the new ownership status.
However, `open_face` cannot itself free this stream as its caller
`ft_open_face_internal` is responsible for this. In addition, in the case
of an error `open_face` cannot return an actual face with the new stream and
its ownership status to the caller. As a result, it must pass this
information back to the caller as a sort of "failed face" so that the caller
can clean up.
`open_face` was already passing back the new stream but was not passing back
the stream ownership information. As a result the stream may not have been
free'd when needed.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54700
* src/base/ftobjs.c (open_face): Pass back the ownership information as
well.
(ft_open_face_internal): Updated.
Fixes https://bugs.chromium.org/p/skia/issues/detail?id=14021
* src/sfnt/ttcolr.c (VAR_IDX_BASE_SIZE): New macro.
(tt_face_get_colorline_stops): Fix off-by-one bounds check calculation, take
`VarColorStop` into account, and hopefully make it easier to read.
The division-by-zero might happen in broken fonts (see #1194).
Instead of returning a huge number from FT_DivFix and failing
to scale later, we now bail immediately.
* src/gzip/ftgzip.c (HAVE_HIDDEN): Do not define; it is no longer needed
because everything is static.
(HAVE_MEMCPY): Define.
(zcalloc, zcfree): Remove no longer needed definitions (because `Z_SOLO` is
active).
* src/gzip/patches/freetype-zlib.diff: Regenerated.
Fixes#1146.
Co-authored-by: Werner Lemberg <wl@gnu.org>
This gives users a possibility to deactivate new features not (yet) in the
OpenType standard.
* include/freetype/config/ftoption.h, devel/ftoption.h
(TT_CONFIG_OPTION_NO_BORING_EXPANSION): New macro.
* src/truetype/ttgxvar.c (ft_var_load_avar): Use it to disable 'avar'
version 2.0 support.
* src/truetype/ttgxvar.c (tt_hvadvance_adjust): Move bounds check ...
(tt_var_get_item_delta): ... to this function, because it is safer. For
example, the 'avar' table 2.0 codepath was not performing a bounds check at
all.
* src/truetype/ttgcvar.c (ft_var_load_hvvar): restore previous behavior
In a previous change [0] the behavior of `ft_var_load_hvvar` was changed
to not load the item variation store if it was at offset 0, but not
return an error when this happened. This broke any users, like
`tt_hvadvance_adjust`, that rely on successful completion of
`ft_var_load_hvvar` to imply that returned table's `itemStore` had been
initialized. This lead such users to dereference NULL.
This change appears to have been unintentional and unrelated to the
actual avar2 changes. As a result, fix these NULL dereferences by
restoring the code to always attempt to initialize the `itemStore`.
[0] ae4eb996 "[truetype] Add support for `avar` table 2.0 format."
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53061
Fix "make multi" by MR !223
* include/freetype/internal/services/svmm.h: include ftmm.h to define FT_Get_MM_Func.
* src/truetype/ttgxvar.h: include ftmmtypes.h to use GX_AVarTable properly.
* src/base/ftmac.c: include ftdebug.h to use FT_THROW() properly.
The binary searches within charmaps can be accelerated because they
often contain dense continuous blocks of character codes. Within such
blocks, you can predict matches based on misses. This method has been
deployed in `bdf` since 0f122fef34; we only refactor it there. We now
use it in `pfr` and `psnames`, which speeds up the unicode charmap
access by about 50% in PFR and Type 1 fonts.
* src/bdf/bdfdrivr.c (bdf_cmap_char_{index,next}): Refactor.
* src/pfr/pfrcmap.c (pfr_cmap_char_{index,next}): Predict `mid` based
on the mismatch distance.
* src/psnames/psmodule.c (ps_unicodes_char_{index,next}): Ditto.
See
https://github.com/harfbuzz/boring-expansion-spec/blob/main/avar2.md
for the specification.
Currently, this is implemented only in most recent OS versions on Apple
platforms and in the HarfBuzz library, but it is expected to be added to the
OpenType standard soon.
* src/truetype/ttgxvar.h (GX_AVarTableRec): New structure.
(GX_BlendRec): Use it to replace `avar_segment` with `avar_table`.
* src/truetype/ttgxvar.c (ft_var_load_avar): Load new table version.
(ft_var_to_normalized, tt_done_blend): Extend for new format.
(ft_var_load_hvvar, ft_var_to_design): Updated.
Use pre-calculated scaling factors. Also, the advance widths used
to be rounded, which was incorrect.
* src/cff/cffgload.c (cff_slot_load): Use `x_scale` and `y_scale`.
* src/truetype/ttgload.c (TT_Load_Glyph): Ditto.
* src/sfnt/ttcolr.c (read_paint): Add `colr` argument, necessary for...
... another use of `ENSURE_READ_BYTES`.
Update callers.
(tt_face_get_paint_layers): Ensure that the 4-byte paint table
offset can be read.
This is a follow-up to !124 and issue
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52404
* src/sfnt/ttcolr.c (ENSURE_READ_BYTES): New macro.
(read_paint): Use it – after the start pointer `p` has been checked for
whether it allows reading the format byte, each successive paint table field
read need to be bounds-checked before reading further values.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52404
This ancient option stayed completely undocumented. Given that the 'cff'
driver requires the 'psnames' module, it makes no sense today to have this
macro.
* src/cff/cffdrivr.c (cff_services), src/cff/cffobjs.c (cff_face_init):
Remove corresponding conditional code.
There is no need to validate the original charmap in `FT_Set_Charmap`.
It can be reset directly.
* src/autofit/afglobal.c (af_face_globals_compute_style_coverage):
Use direct assignment.
* src/autofit/af{latin,cjk,indic}.c (af_latin_metrics_init): Ditto.
Set charmap aggressively without all validations of `FT_Set_Charmap`
because we take it from the available array and only temporarily.
Even CMap Format 14 will gracefully return 0.
Add a check that the document content is actually contained within the
`SVG ` table. Without this check a malformed font may claim arbitrary
memory as its document content.
* src/sfnt/ttsvg.c (tt_face_load_svg): Take `numEntries` into account when
testing 'documentRecord' extents.
(find_doc): Rename `stream` to `document_records` for clarity.
(tt_face_load_svg_doc): Split `doc` from `doc_list` pointer for clarity.
Test that the document content is contained within the table.
Ensure minimum length of document before testing for gzip format.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51812
* src/base/ftbitmap.c (FT_Bitmap_Copy): Flip the copy if its pitch
is trully opposite, zero is not a positive value.
(FT_Bitmap_Convert): Set negative pitch as needed, accept negative
alignment values.
Reusing target bitmaps for copying and converting is permitted. It is,
however, pointless to preserve their content before overwriting. Free-
malloc might be faster than realloc.
* src/base/ftbitmap.c (FT_Bitmap_Copy, FT_Bitmap_Convert): Free
an old buffer and create a new one.
* src/sfnt/ttcolr.c (tt_face_load_colr): If the version is determined to
be 1, then the table size has to be at least the size of the v1 header.
Also, for peeking the number of base glyphs and entries in the layer list,
ensure that the table is sufficiently long.
Fixes#1179. Original patch by Sergey Temnikov.
* src/truetype/ttgxvar.c (TT_Get_MM_Var): Reject retrieving master when
'fvar' values locally do not match with sanitized values from initialization
at `sfnt_init_face` time.
Reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=1360295
Fixes#1178.
* src/sfnt/ttcolr.c (get_deltas_for_var_index_base): Set outer index to
0 and inner index to the delta index when retrieving deltas if the
`COLR` table has no delta set index map.
Fixes#1172.
* src/sfnt/sfobjs.c (sfnt_load_face): Tag font as Multiple Masters font if
`fvar` is present; do not require other tables to be present.
* src/truetype/ttgxvar.c (tt_set_mm_blend): Allow for a missing 'gvar' table
when setting variation coordinates. However, if a 'gvar' table is actually
present, do perform a sanity check and fail on malformedness.
(TT_Get_MM_Var): Don't assume 'fvar' needs 'gvar' or 'CFF2 tables in all
cases, which is an overly tight check.
This follows similar code in `cff_slot_done`.
* src/base/ftobjs.c (ft_glyphslot_done), src/type1/t1objs.c
(T1_GlyphSlot_Done): Check `internal` pointer.
The Type1 problems was reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50057.
Any array index must be strictly less then the array size. Therefore,
we must reject indexes that are equal to the array size. Alternatively,
we should move the bounds check before the index decrement but that
would be confusing.
In addition, it is ok to decrement zero (.notdef) and get UINT_MAX,
which is then automatically rejected in the bounds check.
* src/pfr/pfrobjs.c (pfr_face_get_kerning): Fix the bounds checking.
When resizing the loader's points and contours, resize them to at least 1.5
times their current size. The code currently only reserves as much space as
is currently required, leading to O(n^2) runtime when adding points one at a
time.
This change does not attempt to ever shrink the loader's point and contour
storage since this was not attempted previously either. The 1.5 multiple
was chosen as a trade-off between potentially unused space and the runtime.
* src/base/ftgloader.c (FT_GlyphLoader_CheckPoints): Implement it.
Fixes#1173.
* src/sfnt/ttcolr.c (FT_PaintFormat_Internal): New enumeration values
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_SKEW`,
`FT_COLR_PAINTFORMAT_INTERNAL_SKEW_CENTER`, and
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_SKEW_CENTER`.
(read_paint): Handle new enumeration values.
* src/sfnt/ttcolr.c (FT_PaintFormat_Internal): New enumeration values
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_ROTATE` and
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_ROTATE_CENTER`.
(read_paint): Handle new enumeration values.
* src/sfnt/ttcolr.c (FT_PaintFormat_Internal): New enumeration value
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_TRANSLATE`.
(read_paint): Handle new enumeration value.
* src/sfnt/ttcolr.c (FT_PaintFormat_Internal): New enumeration value
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_TRANSFORM`.
(read_paint): Handle new enumeration value.
* src/sfnt/ttcolr.c (read_paint) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Read and
apply deltas to radial, linear, and sweep gradient coordinates such as 'p0',
'p1', 'p2', 'center', 'radii', and 'angles'.
* include/freetype/ftcolor.h (FT_ColorStopIterator): Add field
`read_variable` to indicate whether a variation index base should be read.
* src/sfnt/ttcolr.c: (FT_PaintFormat_Internal): New enumerations
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_LINEAR_GRADIENT`
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_RADIAL_GRADIENT`, and
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_SWEEP_GRADIENT`.
(read_color_line): New parameter `read_variable`; update callers.
(read_paint): Handle new enumerations.
* src/sfnt/ttcolr.c (FT_PaintFormat_Internal_): New enumeration
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_SOLID`.
(get_deltas_for_var_index_base) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: New
function to retrieve an array of delta values, which will be used for most
of 'COLR' v1 variation formats (in follow-up commits).
(read_paint): Add `face` parameter; update caller.
Handle `FT_COLR_PAINTFORMAT_INTERNAL_VAR_SOLID`.
* src/sfnt/ttcolr.c: Include `ttobjs.h` temporarily.
(VARIABLE_COLRV1_ENABLED): New temporary macro to detect whether variable
COLRv1 is enabled.
(Colr): New fields `var_store` and `delta_set_idx_map`.
(tt_face_load_colr, tt_face_free_colr) [VARIABLE_COLRV1_ENABLED]: Load and
free variation store data using the functions from the Multiple Masters
service.
If `FT_GlyphLoader_CreateExtra` returns an error (and a couple of other
places), `FT_GlyphLoader_CheckPoints` would propagate the error immediately,
rather than cleaning up the partially set up `FT_GlyphLoader`. As a
consequence, a subsequent attempt to create a glyph could result in a crash.
* src/base/ftgloadr.c (FT_GlyphLoader_CheckPoints): Ensure all the error
conditions exits are consistent, eventually calling `FT_GlyphLoader_Reset`.
This avoids regressing Blink layout tests and makes `FT_MulAdd_Fix` delta
retrieval implementation consistent with the previous implementation, which
used `FT_fixedToInt` and included rounding.
* src/base/ftcalc.c (FT_MulAdd_Fix): Implement it.
Also fix remaining `temp` initialization compilation issue.
Fixes#1169.
* include/freetype/internal/ftmmtypes.h (FT_ItemVarDelta): Make type
explicitly 32-bit.
* include/freetype/internal/services/svmm.h
(FT_Var_Get_Item_Delta_Func): Change return type to `FT_ItemVarDelta`
* truetype/ttgxvar.h (tt_var_get_item_delta): Change return type to
`FT_ItemVarDelta`.
* truetype/ttgxvar.c (tt_var_get_item_delta): Store scalars and deltas
to intermediate array, perform computation using new method
`FT_MulAddFix`.
This function, based on the code of `FT_MulFix`, uses 64-bit precision
internally for intermediate computations.
* include/freetype/internal/ftcalc.h, base/ftcalc.c (FT_MulAddFix):
Implement it.
This formalizes that the phantom points appended in the outline
do not increase its point count, nor are they tagged or included
in any additional contours. Only their coordinates are stored.
They are counted in the glyph zone, however.
* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Infer `n_points`
from the outline size plus four phantom points.
* src/truetype/ttgxvar.h (TT_Vary_Apply_Glyph_Deltas): Remove this
argument.
* src/truetype/ttgload.c (tt_prepare_zone): Add phantom four.
(TT_Process_Simple_Glyph, load_truetype_glyph): Update all callers.
This moves phantom point and advance variation adjustment next to
calculations. The logic stays the same, HVAR and VVAR take priority.
* src/truetype/ttgload.c (load_truetype_glyph): Move it from here...
* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): ... to here
and check for HVAR and VVAR presence outside the main loop.
`FT_READ_LONG`, `FT_GET_LONG`, and related macros did not return
negative values when `long` is more than 32 bits. `FT_Stream_ReadULong`
would read four bytes into the LSB of an `FT_ULong` and return that.
Since this can never set the MSb of the `FT_ULong` when `FT_ULong` is
more than 32 bits the cast to `FT_Long` never resulted in a negative
value.
Fix this by modifying `FT_Stream_Read*` to return a type of the same
size as the bytes it is reading and changing the `FT_READ_*` and
`FT_GET_*` macros to cast to the same type returned by `FT_Stream_Read*`
but with the correctly signed type (instead of casting to what is
assumed to be the type of `var` which will happen automatically anyway).
There exist a few cases like with the `OFF3` variants where there isn't
generally a type with the correct size. `FT_PEEK_OFF3` works around this
loading the bytes into the three most significant bits and then doing a
signed shift down. `FT_NEXT_OFF3` also already worked correctly by
casting this signed value to another signed type. `FT_Stream_GetUOffset`
works correctly but one must be careful not to attempt to cast the
returned value to a signed type. Fortunately there is only
`FT_GET_UOFF3` and no `FT_GET_OFF3`.
All of these cases are handled correctly when reading values through
`FT_Stream_ReadFields` since it generically computes the signed value
through an `FT_Int32`. This change is essentially doing the same for
these macros.
* include/freetype/internal/ftstream.h (FT_NEXT_*, FT_GET_*, FT_READ*):
Update macros and return types to use fixed size types for fixed size
values.
* src/base/ftstream.c (FT_StreamGet*, FT_StreamRead*): Dito.
Issue: #1161
This code originally just searched for `eexec`. This was later modified
to check that the `eexec` found is valid (not in a string or comment).
This was done by searching for `eexec` as before and then, for each
`eexec` found, searching from the beginning using the correct parsing to
see if the `eexec` was still found. If the private dictionary is large
and contains many copies of `eexec` which are not valid, the initial
part of the private dictionary is scanned once for each, potentially
leading to n^2 parsing time.
Instead of finding an initial `eexec` and then re-parsing to discover if
it is valid, drop the initial search for `eexec` and just parse to find
a valid `eexec`. This is strictly faster since the validation must
happen anyway and avoids restarting from the beginning each time an
`eexec` is found in the data.
* src/type1/t1parse.c (T1_Get_Private_Dict): avoid n^2 parsing
Bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1328883
* src/truetype/ttgload.c (TT_Process_Simple_Glyph, load_truetype_glyph):
Move the advance adjustment from here...
* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): ... to here and
simplify arguments.
* src/truetype/ttgxvar.h (TT_Vary_Apply_Glyph_Deltas): Update prototype
with fewer arguments.
When `inflate` returns `Z_NEED_DICT` this is currently not reported as
an error and callers may assume that the decompression succeeded when it
did not. In particular, a compressed table in a woff file may not
actually be decompressed and written as expected, leaving the backing
memory for the expanded table uninitialized.
* src/gzlip/ftgzip.c (FT_Gzip_Uncompress): treat `Z_NEED_DICT` as
indicating invalid data since there is no means to provide a dictionary.
Bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1335712
Fixes#1164 by using a volatile variable around `setjmp`. It is hard to
say how this fixes crashes related to certain link-time optimizations.
This does not decrease the rendering performance.
* src/smooth/ftgrays.c (gray_convert_glyph_inner): Use volatile `error`.
* include/freetype/freetype.h (FT_GlyphSlotRec_): update doc
* src/cff/cffgload.c (cff_slot_load): do it
* src/truetype/ttgload.c (TT_Load_Glyph): do it
Fixes: #1156
This issue was discovered with an SVG based font with some documents
compressed and other uncompressed. After loading the first compressed
document the ownership flag on the glyph slot was set to true but never
set to false. As a result after loading a compressed document a glyph
from an uncompressed document would load fine, but when this glyph slot
was cleared it would try to free its document resulting in a wild free.
* src/base/ftobjs.c (ft_glyphslot_clear): clear correct flags
Fixes: #1162
* include/freetype/internal/ftmmtypes.h (FT_ItemVarDelta): Define type
to be used for delta arrays, upgrade to FT_long.
* src/truetype/ttgxvar.c: Adhere to long_words bit and read either
Short/Byte pairs or Long/Short pairs, as defined by spec. For better
readability, define macro for repetitive read code.
* truetype/ttgxvar.c (tt_hvadvance_adjust, tt_apply_mvar,
tt_var_get_item_delta): Remove special 0xFFFF handling in favor of less
redundant handling inside the tt_var_get_item_delta function, as it is
equivalent to returning a 0 delta. Avoids code-duplication checking for
special value 0xFFFF.
This is a preparation for handling `DeltaSetIdxMap` and `VarStore` as a
FreeType service.
* src/truetype/ttgxvar.c (ft_var_done_delta_set_index_map): New function.
(tt_done_blend): Use it.
This was introduced in OpenType 1.8.4.
* src/truetype/ttgxvar.c (ft_var_load_delta_set_index_mapping,
tt_hvadvance_adjust, ft_var_load_mvar, tt_apply_mvar): Handle special
inner/outer index values.
(ft_var_load_item_variation_store): Add test.
Fixes#1154.
==========================
Tag sources with `VER-2-12-1'.
* docs/VERSION.TXT: Add entry for version 2.12.1.
* docs/CHANGES, docs/release: Updated.
* README, src/base/ftver.rc, builds/windows/vc2010/index.html,
builds/windows/visualc/index.html, builds/windows/visualce/index.html,
builds/wince/vc2005-ce/index.html, builds/wince/vc2008-ce/index.html,
docs/freetype-config.1: s/2.12.0/2.12.1/, s/2120/2121/.
* include/freetype/freetype.h (FREETYPE_PATCH): Set to 1.
* builds/unix/configure.raw (version_info): Set to 24:3:18.
* CMakeLists.txt (VERSION_PATCH): Set to 1.
* src/sdf/ftsdfrend.c (ft_sdf_render, ft_bsdf_render): Return `FT_Err_Ok` if
width or height is zero, since some glyphs do not generate visible bitmaps.
Fixes#1150.
Fixes#1148 by moving the flag initialization back, partly reverting
7809007a and fd03dcc1. Initializing these flags elsewhere skips 'cvt'.
* src/truetype/ttinterp.c (TT_RunIns): Initialize the IUP flag here...
(TT_Run_Context): ... instead of here.
==========================
Tag sources with `VER-2-12-0'.
* docs/VERSION.TXT: Add entry for version 2.12.0.
* docs/CHANGES, docs/release: Updated.
* README, src/base/ftver.rc, builds/windows/vc2010/index.html,
builds/windows/visualc/index.html, builds/windows/visualce/index.html,
builds/wince/vc2005-ce/index.html, builds/wince/vc2008-ce/index.html,
docs/freetype-config.1: s/2.11.1/2.12.0/, s/2111/2120/.
* include/freetype/freetype.h (FREETYPE_MINOR): Set to 12.
(FREETYPE_PATCH): Set to 0.
* builds/unix/configure.raw (version_info): Set to 24:2:18.
* CMakeLists.txt (VERSION_MINOR): Set to 12.
(VERSION_PATCH): Set to 0.
* builds/toplevel.mk (do-dist): Generate `ChangeLog` entries for all commits
since version 2.11.0 (when we stopped creating this file manually).
This is another bit to handle 'sbix' tables as described in the OpenType
specification.
* include/freetype/ftparams.h (FT_PARAM_TAG_IGNORE_SBIX): New macro.
* src/sfnt/sfobjc.c (is_apple_sbix): Rename to...
(has_sbix): ... this.
Check for more sbit tables.
Handle `FT_PARAM_TAG_IGNORE_SBIX` to eventually control `has_sbix`.
Only call sbit table loader if an sbit table is present.
* src/sfnt/ttsbit.c (tt_face_load_sbix_image): Correct calculation of
'metrics->horiBearingY'.
Set vertical metrics.
* src/sfnt/sfobjs.c (sfnt_load_face): Adjust setting of `FT_FACE_FLAG_SBIX`.
Handle metrics of fonts with 'sbix' table.
* src/truetype/ttgload.c (TT_Load_Glyph): For 'sbix' embedded bitmaps, apply
bbox offset and bearing values of the corresponding glyph in the 'glyf'
table if it exists and has a contour.
* src/truetype/ttobjs.c (tt_face_init): Handle font with 'sbix' table.
Fixes issue #998.
Fonts with 'sbix' tables need special handling by the application.
* include/freetype/freetype.h (FT_FACE_FLAG_SBIX, FT_HAS_SBIX): New macros.
* src/sfnt/sfobjs.c (sfnt_load_face): Set `FT_FACE_FLAG_SBIX` if 'sbix'
table is present.
In the woff2 spec it has been proposed to allow the OVERLAP_SIMPLE flag
to be retained through the woff2 format [0].
[0] https://www.w3.org/TR/WOFF2/#glyf_table_format
* src/sfnt/sfwoff2.h (GLYF_OVERLAP_SIMPLE): add glyf flag.
* src/sfnt/sfwoff2.c (reconstruct_glyf): parse optionFlags and
overlapSimpleBitmap[]. (store_points): set OVERLAP_SIMPLE on first point's
flag if the overlap bit is set.
Werner Lemberg