Add a check that the document content is actually contained within the
`SVG ` table. Without this check a malformed font may claim arbitrary
memory as its document content.
* src/sfnt/ttsvg.c (tt_face_load_svg): Take `numEntries` into account when
testing 'documentRecord' extents.
(find_doc): Rename `stream` to `document_records` for clarity.
(tt_face_load_svg_doc): Split `doc` from `doc_list` pointer for clarity.
Test that the document content is contained within the table.
Ensure minimum length of document before testing for gzip format.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51812
* src/base/ftbitmap.c (FT_Bitmap_Copy): Flip the copy if its pitch
is trully opposite, zero is not a positive value.
(FT_Bitmap_Convert): Set negative pitch as needed, accept negative
alignment values.
Reusing target bitmaps for copying and converting is permitted. It is,
however, pointless to preserve their content before overwriting. Free-
malloc might be faster than realloc.
* src/base/ftbitmap.c (FT_Bitmap_Copy, FT_Bitmap_Convert): Free
an old buffer and create a new one.
* src/sfnt/ttcolr.c (tt_face_load_colr): If the version is determined to
be 1, then the table size has to be at least the size of the v1 header.
Also, for peeking the number of base glyphs and entries in the layer list,
ensure that the table is sufficiently long.
Fixes#1179. Original patch by Sergey Temnikov.
* src/truetype/ttgxvar.c (TT_Get_MM_Var): Reject retrieving master when
'fvar' values locally do not match with sanitized values from initialization
at `sfnt_init_face` time.
Reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=1360295
Fixes#1178.
* src/sfnt/ttcolr.c (get_deltas_for_var_index_base): Set outer index to
0 and inner index to the delta index when retrieving deltas if the
`COLR` table has no delta set index map.
Fixes#1172.
* src/sfnt/sfobjs.c (sfnt_load_face): Tag font as Multiple Masters font if
`fvar` is present; do not require other tables to be present.
* src/truetype/ttgxvar.c (tt_set_mm_blend): Allow for a missing 'gvar' table
when setting variation coordinates. However, if a 'gvar' table is actually
present, do perform a sanity check and fail on malformedness.
(TT_Get_MM_Var): Don't assume 'fvar' needs 'gvar' or 'CFF2 tables in all
cases, which is an overly tight check.
This follows similar code in `cff_slot_done`.
* src/base/ftobjs.c (ft_glyphslot_done), src/type1/t1objs.c
(T1_GlyphSlot_Done): Check `internal` pointer.
The Type1 problems was reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50057.
Any array index must be strictly less then the array size. Therefore,
we must reject indexes that are equal to the array size. Alternatively,
we should move the bounds check before the index decrement but that
would be confusing.
In addition, it is ok to decrement zero (.notdef) and get UINT_MAX,
which is then automatically rejected in the bounds check.
* src/pfr/pfrobjs.c (pfr_face_get_kerning): Fix the bounds checking.
When resizing the loader's points and contours, resize them to at least 1.5
times their current size. The code currently only reserves as much space as
is currently required, leading to O(n^2) runtime when adding points one at a
time.
This change does not attempt to ever shrink the loader's point and contour
storage since this was not attempted previously either. The 1.5 multiple
was chosen as a trade-off between potentially unused space and the runtime.
* src/base/ftgloader.c (FT_GlyphLoader_CheckPoints): Implement it.
Fixes#1173.
* src/sfnt/ttcolr.c (FT_PaintFormat_Internal): New enumeration values
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_SKEW`,
`FT_COLR_PAINTFORMAT_INTERNAL_SKEW_CENTER`, and
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_SKEW_CENTER`.
(read_paint): Handle new enumeration values.
* src/sfnt/ttcolr.c (FT_PaintFormat_Internal): New enumeration values
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_ROTATE` and
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_ROTATE_CENTER`.
(read_paint): Handle new enumeration values.
* src/sfnt/ttcolr.c (FT_PaintFormat_Internal): New enumeration value
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_TRANSLATE`.
(read_paint): Handle new enumeration value.
* src/sfnt/ttcolr.c (FT_PaintFormat_Internal): New enumeration value
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_TRANSFORM`.
(read_paint): Handle new enumeration value.
* src/sfnt/ttcolr.c (read_paint) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Read and
apply deltas to radial, linear, and sweep gradient coordinates such as 'p0',
'p1', 'p2', 'center', 'radii', and 'angles'.
* include/freetype/ftcolor.h (FT_ColorStopIterator): Add field
`read_variable` to indicate whether a variation index base should be read.
* src/sfnt/ttcolr.c: (FT_PaintFormat_Internal): New enumerations
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_LINEAR_GRADIENT`
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_RADIAL_GRADIENT`, and
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_SWEEP_GRADIENT`.
(read_color_line): New parameter `read_variable`; update callers.
(read_paint): Handle new enumerations.
* src/sfnt/ttcolr.c (FT_PaintFormat_Internal_): New enumeration
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_SOLID`.
(get_deltas_for_var_index_base) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: New
function to retrieve an array of delta values, which will be used for most
of 'COLR' v1 variation formats (in follow-up commits).
(read_paint): Add `face` parameter; update caller.
Handle `FT_COLR_PAINTFORMAT_INTERNAL_VAR_SOLID`.
* src/sfnt/ttcolr.c: Include `ttobjs.h` temporarily.
(VARIABLE_COLRV1_ENABLED): New temporary macro to detect whether variable
COLRv1 is enabled.
(Colr): New fields `var_store` and `delta_set_idx_map`.
(tt_face_load_colr, tt_face_free_colr) [VARIABLE_COLRV1_ENABLED]: Load and
free variation store data using the functions from the Multiple Masters
service.
If `FT_GlyphLoader_CreateExtra` returns an error (and a couple of other
places), `FT_GlyphLoader_CheckPoints` would propagate the error immediately,
rather than cleaning up the partially set up `FT_GlyphLoader`. As a
consequence, a subsequent attempt to create a glyph could result in a crash.
* src/base/ftgloadr.c (FT_GlyphLoader_CheckPoints): Ensure all the error
conditions exits are consistent, eventually calling `FT_GlyphLoader_Reset`.
This avoids regressing Blink layout tests and makes `FT_MulAdd_Fix` delta
retrieval implementation consistent with the previous implementation, which
used `FT_fixedToInt` and included rounding.
* src/base/ftcalc.c (FT_MulAdd_Fix): Implement it.
Also fix remaining `temp` initialization compilation issue.
Fixes#1169.
* include/freetype/internal/ftmmtypes.h (FT_ItemVarDelta): Make type
explicitly 32-bit.
* include/freetype/internal/services/svmm.h
(FT_Var_Get_Item_Delta_Func): Change return type to `FT_ItemVarDelta`
* truetype/ttgxvar.h (tt_var_get_item_delta): Change return type to
`FT_ItemVarDelta`.
* truetype/ttgxvar.c (tt_var_get_item_delta): Store scalars and deltas
to intermediate array, perform computation using new method
`FT_MulAddFix`.
This function, based on the code of `FT_MulFix`, uses 64-bit precision
internally for intermediate computations.
* include/freetype/internal/ftcalc.h, base/ftcalc.c (FT_MulAddFix):
Implement it.
This formalizes that the phantom points appended in the outline
do not increase its point count, nor are they tagged or included
in any additional contours. Only their coordinates are stored.
They are counted in the glyph zone, however.
* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Infer `n_points`
from the outline size plus four phantom points.
* src/truetype/ttgxvar.h (TT_Vary_Apply_Glyph_Deltas): Remove this
argument.
* src/truetype/ttgload.c (tt_prepare_zone): Add phantom four.
(TT_Process_Simple_Glyph, load_truetype_glyph): Update all callers.
This moves phantom point and advance variation adjustment next to
calculations. The logic stays the same, HVAR and VVAR take priority.
* src/truetype/ttgload.c (load_truetype_glyph): Move it from here...
* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): ... to here
and check for HVAR and VVAR presence outside the main loop.
`FT_READ_LONG`, `FT_GET_LONG`, and related macros did not return
negative values when `long` is more than 32 bits. `FT_Stream_ReadULong`
would read four bytes into the LSB of an `FT_ULong` and return that.
Since this can never set the MSb of the `FT_ULong` when `FT_ULong` is
more than 32 bits the cast to `FT_Long` never resulted in a negative
value.
Fix this by modifying `FT_Stream_Read*` to return a type of the same
size as the bytes it is reading and changing the `FT_READ_*` and
`FT_GET_*` macros to cast to the same type returned by `FT_Stream_Read*`
but with the correctly signed type (instead of casting to what is
assumed to be the type of `var` which will happen automatically anyway).
There exist a few cases like with the `OFF3` variants where there isn't
generally a type with the correct size. `FT_PEEK_OFF3` works around this
loading the bytes into the three most significant bits and then doing a
signed shift down. `FT_NEXT_OFF3` also already worked correctly by
casting this signed value to another signed type. `FT_Stream_GetUOffset`
works correctly but one must be careful not to attempt to cast the
returned value to a signed type. Fortunately there is only
`FT_GET_UOFF3` and no `FT_GET_OFF3`.
All of these cases are handled correctly when reading values through
`FT_Stream_ReadFields` since it generically computes the signed value
through an `FT_Int32`. This change is essentially doing the same for
these macros.
* include/freetype/internal/ftstream.h (FT_NEXT_*, FT_GET_*, FT_READ*):
Update macros and return types to use fixed size types for fixed size
values.
* src/base/ftstream.c (FT_StreamGet*, FT_StreamRead*): Dito.
Issue: #1161
This code originally just searched for `eexec`. This was later modified
to check that the `eexec` found is valid (not in a string or comment).
This was done by searching for `eexec` as before and then, for each
`eexec` found, searching from the beginning using the correct parsing to
see if the `eexec` was still found. If the private dictionary is large
and contains many copies of `eexec` which are not valid, the initial
part of the private dictionary is scanned once for each, potentially
leading to n^2 parsing time.
Instead of finding an initial `eexec` and then re-parsing to discover if
it is valid, drop the initial search for `eexec` and just parse to find
a valid `eexec`. This is strictly faster since the validation must
happen anyway and avoids restarting from the beginning each time an
`eexec` is found in the data.
* src/type1/t1parse.c (T1_Get_Private_Dict): avoid n^2 parsing
Bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1328883
* src/truetype/ttgload.c (TT_Process_Simple_Glyph, load_truetype_glyph):
Move the advance adjustment from here...
* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): ... to here and
simplify arguments.
* src/truetype/ttgxvar.h (TT_Vary_Apply_Glyph_Deltas): Update prototype
with fewer arguments.
When `inflate` returns `Z_NEED_DICT` this is currently not reported as
an error and callers may assume that the decompression succeeded when it
did not. In particular, a compressed table in a woff file may not
actually be decompressed and written as expected, leaving the backing
memory for the expanded table uninitialized.
* src/gzlip/ftgzip.c (FT_Gzip_Uncompress): treat `Z_NEED_DICT` as
indicating invalid data since there is no means to provide a dictionary.
Bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1335712
Fixes#1164 by using a volatile variable around `setjmp`. It is hard to
say how this fixes crashes related to certain link-time optimizations.
This does not decrease the rendering performance.
* src/smooth/ftgrays.c (gray_convert_glyph_inner): Use volatile `error`.
* include/freetype/freetype.h (FT_GlyphSlotRec_): update doc
* src/cff/cffgload.c (cff_slot_load): do it
* src/truetype/ttgload.c (TT_Load_Glyph): do it
Fixes: #1156
This issue was discovered with an SVG based font with some documents
compressed and other uncompressed. After loading the first compressed
document the ownership flag on the glyph slot was set to true but never
set to false. As a result after loading a compressed document a glyph
from an uncompressed document would load fine, but when this glyph slot
was cleared it would try to free its document resulting in a wild free.
* src/base/ftobjs.c (ft_glyphslot_clear): clear correct flags
Fixes: #1162
* include/freetype/internal/ftmmtypes.h (FT_ItemVarDelta): Define type
to be used for delta arrays, upgrade to FT_long.
* src/truetype/ttgxvar.c: Adhere to long_words bit and read either
Short/Byte pairs or Long/Short pairs, as defined by spec. For better
readability, define macro for repetitive read code.
* truetype/ttgxvar.c (tt_hvadvance_adjust, tt_apply_mvar,
tt_var_get_item_delta): Remove special 0xFFFF handling in favor of less
redundant handling inside the tt_var_get_item_delta function, as it is
equivalent to returning a 0 delta. Avoids code-duplication checking for
special value 0xFFFF.
This is a preparation for handling `DeltaSetIdxMap` and `VarStore` as a
FreeType service.
* src/truetype/ttgxvar.c (ft_var_done_delta_set_index_map): New function.
(tt_done_blend): Use it.
This was introduced in OpenType 1.8.4.
* src/truetype/ttgxvar.c (ft_var_load_delta_set_index_mapping,
tt_hvadvance_adjust, ft_var_load_mvar, tt_apply_mvar): Handle special
inner/outer index values.
(ft_var_load_item_variation_store): Add test.
Fixes#1154.
==========================
Tag sources with `VER-2-12-1'.
* docs/VERSION.TXT: Add entry for version 2.12.1.
* docs/CHANGES, docs/release: Updated.
* README, src/base/ftver.rc, builds/windows/vc2010/index.html,
builds/windows/visualc/index.html, builds/windows/visualce/index.html,
builds/wince/vc2005-ce/index.html, builds/wince/vc2008-ce/index.html,
docs/freetype-config.1: s/2.12.0/2.12.1/, s/2120/2121/.
* include/freetype/freetype.h (FREETYPE_PATCH): Set to 1.
* builds/unix/configure.raw (version_info): Set to 24:3:18.
* CMakeLists.txt (VERSION_PATCH): Set to 1.
* src/sdf/ftsdfrend.c (ft_sdf_render, ft_bsdf_render): Return `FT_Err_Ok` if
width or height is zero, since some glyphs do not generate visible bitmaps.
Fixes#1150.
Fixes#1148 by moving the flag initialization back, partly reverting
7809007a and fd03dcc1. Initializing these flags elsewhere skips 'cvt'.
* src/truetype/ttinterp.c (TT_RunIns): Initialize the IUP flag here...
(TT_Run_Context): ... instead of here.
==========================
Tag sources with `VER-2-12-0'.
* docs/VERSION.TXT: Add entry for version 2.12.0.
* docs/CHANGES, docs/release: Updated.
* README, src/base/ftver.rc, builds/windows/vc2010/index.html,
builds/windows/visualc/index.html, builds/windows/visualce/index.html,
builds/wince/vc2005-ce/index.html, builds/wince/vc2008-ce/index.html,
docs/freetype-config.1: s/2.11.1/2.12.0/, s/2111/2120/.
* include/freetype/freetype.h (FREETYPE_MINOR): Set to 12.
(FREETYPE_PATCH): Set to 0.
* builds/unix/configure.raw (version_info): Set to 24:2:18.
* CMakeLists.txt (VERSION_MINOR): Set to 12.
(VERSION_PATCH): Set to 0.
* builds/toplevel.mk (do-dist): Generate `ChangeLog` entries for all commits
since version 2.11.0 (when we stopped creating this file manually).
This is another bit to handle 'sbix' tables as described in the OpenType
specification.
* include/freetype/ftparams.h (FT_PARAM_TAG_IGNORE_SBIX): New macro.
* src/sfnt/sfobjc.c (is_apple_sbix): Rename to...
(has_sbix): ... this.
Check for more sbit tables.
Handle `FT_PARAM_TAG_IGNORE_SBIX` to eventually control `has_sbix`.
Only call sbit table loader if an sbit table is present.
* src/sfnt/ttsbit.c (tt_face_load_sbix_image): Correct calculation of
'metrics->horiBearingY'.
Set vertical metrics.
* src/sfnt/sfobjs.c (sfnt_load_face): Adjust setting of `FT_FACE_FLAG_SBIX`.
Handle metrics of fonts with 'sbix' table.
* src/truetype/ttgload.c (TT_Load_Glyph): For 'sbix' embedded bitmaps, apply
bbox offset and bearing values of the corresponding glyph in the 'glyf'
table if it exists and has a contour.
* src/truetype/ttobjs.c (tt_face_init): Handle font with 'sbix' table.
Fixes issue #998.
Fonts with 'sbix' tables need special handling by the application.
* include/freetype/freetype.h (FT_FACE_FLAG_SBIX, FT_HAS_SBIX): New macros.
* src/sfnt/sfobjs.c (sfnt_load_face): Set `FT_FACE_FLAG_SBIX` if 'sbix'
table is present.
In the woff2 spec it has been proposed to allow the OVERLAP_SIMPLE flag
to be retained through the woff2 format [0].
[0] https://www.w3.org/TR/WOFF2/#glyf_table_format
* src/sfnt/sfwoff2.h (GLYF_OVERLAP_SIMPLE): add glyf flag.
* src/sfnt/sfwoff2.c (reconstruct_glyf): parse optionFlags and
overlapSimpleBitmap[]. (store_points): set OVERLAP_SIMPLE on first point's
flag if the overlap bit is set.
* src/sdf/ftsdf.c (sdf_generate_bounding_box): Always check for a corner if
two distances (for different curves) are very close.
(sdf_conic_to): Check whether the conic curve can be treated as a line
(which happens if the control point coincides with any end point).
* src/sdf/ftsdf.c (split_sdf_cubic, split_sdf_shape): Add checks to figure
out the deviation of Bezier curves and stop splitting if the curve is flat
enough.
* src/sdf/ftsdfcommon.h (ONE_PIXEL): New macro.
The `SVG_DOCUMENT_LIST_MINIMUM_SIZE` macro is non trivial and not
protected by parentheses. As a result, the expression
`table_size - SVG_DOCUMENT_LIST_MINIMUM_SIZE` expands to
`table_size - 2U + SVG_DOCUMENT_RECORD_SIZE` instead of the expected
`table_size - (2U + SVG_DOCUMENT_RECORD_SIZE)`. This causes an incorrect
bounds check which may lead to reading past the end of the `SVG ` table.
* src/sfnt/ttsvg.c (tt_face_load_svg): wrap macro definitions in
parentheses.
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45179
It is possible for OtherSubr 19 to be invoked when `decoder->buildchar` is
NULL (so that `decoder->len_buildchar` is 0), the `blend` is non-NULL with
`blend->num_designs` set to 2, and the user supplied `idx` to be large (for
example 0xFFFFFFFE). Since these are all `FT_UInt32` the existing bounds
check overflows in a well defined manner, allowing for an invalid call to
`memcpy`.
In addition, it is possible to call OtherSubr 19 with
`decoder->len_buildchar`, `blend->num_designs`, and `idx` all zero (implying
that `blend->weight_vector` and `decoder->buildchar` are NULL). This passes
the bounds check (it is logically always fine to copy nothing starting at
index zero) but may invoke undefined behavior in `ft_memcpy` if it is backed
by `memcpy`. Calling `memcpy` with either the `src` or `dst` NULL is
undefined behavior (even if `count` is zero).
* src/psaux/psintrp.c (cf2_interpT2CharString): Correctly check that
`blend->num_designs` can be copied to `decoder->buildchar[idx]`.
Also avoid passing NULL to `ft_memcpy`.
Bug: https://crbug.com/1299259
Before the change, the hinting engine frequently confused horizontal
stem and serif hints making some stems too thin and some serifs too
thick. The value was tuned using serif fonts from the URW+ base 35
collection.
* src/pshinter/pshalgo.c [PSH_STRONG_THRESHOLD_MAXIMUM]: s/30/12/.
Since Type42 fonts don't have a 'Private' dictionary, the return value
should be `FT_Err_Invalid_Argument`.
* src/type42/t42drivr.c (t42_ps_get_font_private): Removed.
(t42_service_ps_info): Updated.
In PS hinter, memory allocations persist until the module is done.
Therefore, we have to clear reused masks.
* src/pshinter/pshrec.c (ps_mask_table_alloc): Clear reused mask.
We forgot to update the number of bits when merging a larger mask
into a smaller one. This fix might have rendering effects.
* src/pshinter/pshrec.c (ps_mask_table_merge): Inherit the number
of bits from a larger mask. There is no need to zero unused bits,
already zeroed during allocation.
(ps_mask_clear_bit): Removed.
(ps_mask_ensure): Minor.
* src/pshinter/pshrec.c (ps_hint_table_ensure): Remove redundant size
check; avoid array zeroing because it is fully initialized when used.
(ps_hint_table_alloc): Fix off-by-one comparison and remove another
zeroing of the array elements.
The old impleemntation was not using `FT_REALLOC`, buing too careful
with the offset rebasing. It shoudl be safe to rely on the base
movements.
* src/psaux/psobjs.c (reallocate_t1_table, shift_elements): Combine
into...
(ps_table_realloc): ... this function based on `FT_REALLOC`.
(ps_table_done): Simplified.
(ps_table_add): Updated.
* src/base/ftrfork.c (raccess_make_file_name): Do not set error.
* src/sfnt/sfdriver.c (get_win_string, get_apple_string): Ditto.
* src/cff/cffobjs.c (cff_strcpy): Do not confuse about error.
* src/psaux/psobjs.c (ps_table_done): Ditto.
* src/truetype/ttgxvar.c (ft_var_readpacked*, ft_var_load_avar): Ditto.
Function `map_fixed_to_sdf` expects spread to be absolute
and not squared.
* src/sdf/ftbsdf.c (finalize_sdf): Pass absolute spread
while `map_fixed_to_sdf`.
* src/sdf/ftsdf.c (sdf_generate_bounding_box): Ditto.
* src/sfnt/ttsvg.c (SVG_TABLE_HEADER_SIZE, SVG_DOCUMENT_RECORD_SIZE,
SVG_DOCUMENT_LIST_MINIMUM_SIZE, SVG_MINIMUM_SIZE): New macros.
(tt_face_load_svg): Check offsets.
Check table and record sizes.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43918
* include/freetype/config/ftheader.h (FT_OTSVG_H): New macro.
* include/freetype/freetype.h (FT_FACE_FLAG_SVG, FT_HAS_SVG): New macros.
(FT_LOAD_SVG_ONLY): New internal macro.
* include/freetype/ftimage.h (FT_Glyph_Format): New enumeration value
`FT_GLYPH_FORMAT_SVG`.
* include/freetype/internal/ftobjs.h (FT_GLYPH_OWN_GZIP_SVG): New macro.
* include/freetype/internal/fttrace.h: Add `ttsvg` for `ttsvg.c`.
* include/freetype/internal/sfnt.h(load_svg, free_svg, load_svg_doc): New
functions.
* include/freetype/internal/tttypes.h (TT_FaceRec): Add `svg` for
the SVG table.
* include/freetype/otsvg.h (FT_SVG_DocumentRec): New structure to hold the
SVG document and other necessary information of an OT-SVG glyph in a glyph
slot.
* include/freetype/tttags.h (TTAG_SVG): New macro.
* src/base/ftobjs.c: Include `otsvg.h`.
(ft_glyphslot_init): Allocate `FT_SVG_DocumentRec` in `slot->other`
if the SVG table exists.
(ft_glyphslot_clear): Free it upon clean-up if it is a GZIP compressed
glyph.
(ft_glyphslot_done): Free the document data if it is a GZIP compressed
glyph.
(FT_Load_Glyph): Don't auto-hint SVG documents.
* src/cache/ftcbasic.c (ftc_basic_family_load_glyph): Add support for
FT_GLYPH_FORMAT_SVG.
* src/sfnt/rules.mk (SFNT_DRV_SRC): Add `ttsvg.c`.
* src/sfnt/sfdriver.c: Include `ttsvg.h`.
(sfnt_interface): Add `tt_face_load_svg`, `tt_face_free_svg` and
`tt_face_load_svg_doc`.
* src/sfnt/sfnt.c: Include `ttsvg.c`.
* src/sfnt/sfobjs.c (sfnt_load_face, sfnt_done_face): Add code to load and
free data of the the SVG table.
* src/sfnt/ttsvg.c: New file, implementing `tt_face_load_svg`,
`tt_face_free_svg` and `tt_face_load_svg_doc`.
* src/sfnt/ttsvg.h: Declarations of the SVG functions in
`ttsvg.c`.
It might be surprising that FreeType does not have default ppem and
the size has to be set explicitly or face undefined behavior with
undefined variables and errors. This offers an alternative to
missing or zero scale by simply setting FT_LOAD_NO_SCALE. Defined
behavior is bettr than undefined one.
This is alternative to !132 and discussed in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43708
* src/base/ftobjs.c (FT_Load_Glyph): Deal with zero scale.
* include/freetype/freetype.h: Document it.
The `normal_top.count` may be 0, implying no `normal_top.zones` exist.
The code must not access these (non-existent) `normal_top.zones`.
* src/pshinter/pshalgo.c (ps_hints_apply): Do not assume that
`normal_top.zones[0]` is initialized. Test `normal_top.count`
before using `normal_top.zones[0]`. Do not rescale if there are no
`zones`.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43675
According to the bzip documentation it is undefined what will happen if
`BZ2_bzDecompress` is called on a `bz_stream` it has previously returned an
error against. If `BZ2_bzDecompress` returns anything other than `BZ_OK`
the only valid next action is `BZ2_bzDecompressEnd`.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43564
* src/bzip2/ftbzip2.c (FT_BZip2FileRec_): Add `reset` to track the need to
reset the stream.
(ft_bzip2_file_init): Initialize `reset` to 0.
(ft_bzip2_file_reset): Set `reset` to 0 after resetting.
(ft_bzip2_file_fill_output): Set `reset` to 1 when `BZ2_bzDecompress`
returns anything other than `BZ_OK`.
This reverts commit d276bcb7f0.
The original commit did avoid the use of uninitialized memory. However,
it appears that the original commit is no longer required. The
underlying issue was resolved by a change in freetype2-testing "Build
bzip2 correctly." [0]. Prior to [0] bzip2 was built without msan, so
bzip2 writes were not tracked or considered initialized. Clearing
`buffer` in the original commit allowed msan to see the `buffer` content
initialized once in FreeType code, but msan saw no writes into buffer
from bzip2. With bzip2 now built with msan, the bzip2 writes are
properly instrumented and msan sees the bzip2 writes into the buffer. As
a result the original commit can be safely reverted to allow for better
detection of other uninitialized data scenarios.
* src/bzip2/ftbzip2.c (FT_Stream_OpenBzip2): Revert to using `FT_QNEW`.
[0] 3c052a837a
Currently `T42_Open_Face` eagerly allocates 12 bytes for the ttf header
data which it expects `t42_parse_sfnts` to fill out from /sfnts data.
However, there is no guarantee that `t42_parse_sfnts` will actually be
called while parsing the type42 data as the /sfnts array may be missing
or very short. This is also confusing behavior as it means
`T42_Open_Face` is tightly coupled to the implementation of the very
distant `t42_parse_sfnts` code which requires at least 12 bytes to
already be reserved in `face->ttf_data`.
`t42_parse_sfnts` itself eagerly updates `face->ttf_size` to track how
much space is reserved for ttf data instead of traking how much data has
actually been written into `face->ttf_data`. It will also act strangely
in the presense of multiple /sfnts arrays.
* src/type42/t42objs.c (T42_Open_Face): ensure `ttf_data` is initialized
to NULL. Free `ttf_data` on error.
* src/type42/t42parse.c (t42_parse_sfnts): delay setting `ttf_size` and
set it to the actual number of bytes read. Ensure `ttf_data` is freed
if there are multiple /sfnts arrays or there are any errors.
While using zlib in 'solo' mode (via the `Z_SOLO` macro), we actually
include some standard header files, making the typedef fail on systems where
the native `ptrdiff_t` type differs.
Fixes#1124.
* src/zlib/zutil.h: Comment out definition; it doesn't work on Windows.
* src/zlib/patches/freetype-zlib.diff: Updated.
We now first apply zlib's `zlib2ansi` script, then FreeType's patch file.
* src/gzip/README.freetype: Updated.
* patches/0001-zlib-Fix-zlib-sources-to-compile-for-FreeType.patch: Renamed
to...
* patches/freetype-zlib.diff: This.
Clean up description, then regenerate it as follows:
- Copy unmodified files from `zlib` repository.
- Run `zlib2ansi` script.
- Run `git diff -R > patches/freetype-zlib.diff.new`.
- Insert patch description of old diff file, then replace old diff with
new diff file.
This can be tested by building with the Unix development build
make setup devel
make
or by building the freetype-demos programs with
meson setup build -Dfreetype2:zlib=internal
meson compile -C out
and trying to run `ftview` with a `.pcf.gz` font file.
* src/gzip/ftgzip.c, src/gzip/rules.mk: Update for new zlib sources. Also
remove the temporary fix introduced in commit 6a431038 to work around the
fact that the internal sources were too old.
* src/gzip/README.freetype: New file describing the origin of the sources
and how they were modified.
* src/gzip/patches/*: Patch files applied to original sources.
* src/gzip/*: Updated zlib sources with the patch file(s) from
`src/gzip/patches/` applied, followed by a conversion with zlib's
`zlib2ansi` script.
* src/bzip2/ftbzip2.c (FT_Stream_OpenBzip2): Don't use `FT_QNEW` but
`FT_NEW` for setting up `zip` to avoid uninitialized memory access while
handling malformed PCF fonts later on.
Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42800
The 0-base index is equal to the number of previosly parsed entries.
It is an error to adjust it by one to get the number truncated by
a stream error. This is probably inconsequential because valid
entries are correctly accounted for.
* src/sfnt/ttload.c (check_table_dir): Do not adjust the truncated
number of tables.
Really fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42773.
* src/sfnt/ttload.c (check_table_dir): Revert change.
* src/type42/t42.parse.c (t42_parse_sfnts): Don't use `FT_QREALLOC` but
`FT_REALLOC` for setting up `ttf_data` to avoid uninitialized memory access
while handling malformed TrueType fonts later on.
When iterating over the cvt tuples and reading in the points it is necessary
to set all of `localpoints`, `points`, and `point_count` in all cases. The
existing code did not reset `localpoints` to `NULL` when there were no
private point numbers. If the previous tuple did have private point numbers
and set `localpoints` to `ALL_POINTS` this would not be cleared and the
wrong branch would be taken later, leading to possible heap buffer overflow.
* src/truetype/ttgxvar.c (tt_face_vary_cvt): Reset `localpoints` to `NULL`
when it isn't valid.
Fixes: https://crbug.com/1284742
* src/base/ftobjs.c (FT_Get_Paint): Operator has equivalent nested operands.
* src/bdf/bdflib.c (_bdf_add_property): Value stored to `fp` is never read.
* src/sdf/ftbsdf.c (bsdf_init_distance_map): Value stored to `pixel` is
never read.
* src/sdf/ftsdf.c (split_sdf_shape): Value stored to `error` is never read.
* src/truetype/ttobjs.h (TT_SizeRec): Add `widthp` for the hdmx
widths.
* src/truetype/ttobjs.c (tt_size_reset): Initialize `widthp` even
though it might never be used by the interpreter.
* src/truetype/ttgload.c (tt_loader_init): Avoid repeated searches
in the hdmx table.
This fixes fall-out from 7809007a5b, where the composite
accents were no longer hinted.
* src/truetype/ttgload.c (ttloader_init): Move the IUP-called flag
initialization from here...
* src/truetype/ttinterp.c (TT_Run_Context): ... to here.
The `hdmx` table is supposed to be sorted by ppem size, which
enables binary search. We also drop the check for the sufficient
length of the record because it is now enforced when the table
is loaded.
* include/freetype/internal/tttypes.h (TT_FaceRec): Store the `hdmx`
record pointers sorted by ppem instead of ppem's themselves.
* src/truetype/ttpload.c (tt_face_load_hdmx): Prudently sort records.
(tt_face_get_device_metrics): Implement binary search to retrieve
advances.
This simply shortcuts the glyph loading if FT_LOAD_ADVANCE_ONLY
is specified by FT_Get_Advances and the `hdmx` data are located.
Particularly, the classic v35 interpreter or "verified" ClearType
fonts might see 100x speed up in retrieving the hdmx cache.
* src/truetype/ttgload.c (TT_Load_Glyph): Insert the shortcut.
The `hdmx` matching can be done before the glyph is loaded.
* include/freetype/internal/tttypes.h (TT_LoaderRec): Add a field.
* src/truetype/ttgload.c (compute_glyph_metrics): Relocate the `hdmx`
code from here...
(tt_loader_init): ... to here, before the glyph is loaded.
`TT_RunIns` is too busy to deal with subpixel flags. It is better
to set them in `tt_loader_init`, which is executed before each
glyph program.
* src/truetype/ttinterp.c (TT_RunIns): Move the flag setting from
here...
* src/truetype/ttgload.c (tt_loader_init): ... to here.
* src/truetype/ttinterp.c (Ins_INSTCTRL): Limit its global effects
to the CVT program and local effects to the glyph program.
This also fixes an Infinality buglet. The `ignore_x_mode` should be
locally unset by the glyph program.
In _bdf_readstream if the data contained no newline then the buffer
would continue to grow and uninitialized data read until either the
uninitialized data contained a newline or the buffer reached its
maxiumum size. The assumption was that the line was always too long and
the buffer had been filled, however this case can also happen when there
is not enough data to fill the buffer.
Correct this by properly setting the cursor to the end of the available
data, which may be different from the end of the buffer. This may still
result in one extra allocation, but only on malformed fonts.
* src/bdf/bdflib.c (_bfd_readstream): Correctly update cursor. Remove
unread set of `avail`.
Bug: https://lists.nongnu.org/archive/html/freetype-devel/2021-12/msg00001.html
==========================
Tag sources with `VER-2-11-1'.
* docs/VERSION.TXT: Add entry for version 2.11.1.
* docs/CHANGES, docs/release: Updated.
* README, src/base/ftver.rc, builds/windows/vc2010/index.html,
builds/windows/visualc/index.html, builds/windows/visualce/index.html,
builds/wince/vc2005-ce/index.html, builds/wince/vc2008-ce/index.html,
docs/freetype-config.1: s/2.11.0/2.11.1/, s/2110/2111/.
* include/freetype/freetype.h (FREETYPE_PATCH): Set to 1.
* builds/unix/configure.raw (version_info): Set to 24:1:18.
* CMakeLists.txt (VERSION_PATCH): Set to 1.
* builds/toplevel.mk (version_tag, CHANGELOG_SCRIPT): New variables.
(do-dist): Generate `ChangeLog` file with all commits since last release.
The `hdmx` table is optional and can be safely rejected without
an error if it does not follow specifications. The record size
must be equal to the number of glyphs + 2 + 32-bit padding.
* src/truetype/ttpload.c (tt_face_load_hdmx): Thoroughly check
the record size and improve tracing.
We really have to use double casts to avoid issues with C's and C++'s
signedness propagation rules in implicit casts.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41178https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41182
* include/freetype/config/public-macros.h (FT_STATIC_CAST,
FT_REINTERPRET_CAST): Modify macro to take two arguments.
Update all callers.
(FT_STATIC_BYTE_CAST): New macro.
* include/freetype/freetype.h (FT_ENC_TAG): Use `FT_STATIC_BYTE_CAST`.
* include/freetype/ftimage.h (FT_IMAGE_TAG): Ditto.
* include/freetype/fttypes.h (FT_MAKE_TAG): Ditto.
Use `FT_Tag` for casting.
* src/ftraster/ftmisc.h (FT_MAKE_TAG): Removed, no longer needed.
(FT_STATIC_BYTE_CAST): New macro.
* src/smooth/ftgrays.c (FT_STATIC_CAST): Replace with...
(FT_STATIC_BYTE_CAST): ... this.
Many FreeType clients use C++. However `g++ -Wold-style-cast` warns for
macros with C-style casts even for system header files; this also affects
directories included with `-isystem`. While this could be seen as a problem
with g++, the problem is more a philosophical one: Over the time, C and C++
diverged more and more, and some features of C are no longer the 'right'
solution in C++.
* include/freetype/config/public-macros.h (FT_STATIC_CAST,
FT_REINTERPRET_CAST): New macros.
* include/freetype/freetype.h (FT_ENC_TAG, FT_LOAD_TARGET_,
FT_LOAD_TARGET_MODE): Use `FT_STATIC_CAST`.
Correctly handle negative 'signed char' input.
* include/freetype/ftimage.h (FT_IMAGE_TAG): Ditto.
* include/freetype/fttypes.h (FT_MAKE_TAG, FT_BOOL): Ditto.
* include/freetype/ftmodapi.h (FT_FACE_DRIVER_NAME): Use
`FT_REINTERPRET_CAST`.
* src/smooth/ftgrays.c (FT_STATIC_CAST)[STANDALONE_]: New macro.
[!STANDALONE]: Include `FT_CONFIG_CONFIG_H`.
Fixes#1116.
* src/truetype/ttgxvar.c (ft_var_load_item_variation_store):
s/shortDeltaCount/wordDeltaCount/ (as done in the specification, too).
Recognize new format and reject it for now.
This is in preparation for implementing `DeltaSetIndexMap` format 1, which
is used by `COLR` v1 tables, and which allows 32bit indices.
https://docs.microsoft.com/en-us/typography/opentype/otspec190/delta/otvarcommonformats_delta.html
* src/truetype/ttgxvar.h (GX_DeltaSetIdxMapRec): Change type of `mapCount`
to `FT_ULong`.
* src/truetype/ttgxvar.c (ft_var_load_delta_set_index_mapping): Add argument
for passing the table size; update caller.
Implement new format.
Based on a patch from metarutaiga (MR !106). The gist of this commit is
that it doesn't make sense to support WOFF without compression (which would
be only possible in WOFF 1.0 anyway).
* src/sfnt/sfobjs.c (sfnt_open_font): Guard WOFF code with
`FT_CONFIG_OPTION_USE_ZLIB` block.
Guard WOFF2 code with `FT_CONFIG_OPTION_USE_BROTLI` block.
* src/sfnt/sfwoff.c, src/sfnt/sfwoff.h: Guard files with
`FT_CONFIG_OPTION_USE_ZLIB` blocks, not parts of the code.
* src/sfnt/sfwoff2.c, src/sfnt/sfwoff2.h, src/sfnt/woff2tags.c,
src/sfnt/woff2tags.h: Guard files with `FT_CONFIG_OPTION_USE_BROTLI` blocks,
not parts of the code.
Fixes#1111.
Based on a patch from metarutaiga (MR !106).
* src/truetype/ttobjs.c (tt_skip_pdffont_random_tag,
tt_check_trickyness_family, tt_synth_sfnt_checksum, tt_get_sfnt_checksum,
tt_check_trickyness_sfnt_ids, tt_check_trickyness): Put functions into a
`TT_USE_BYTECODE_INTERPRETER` block.
(tt_face_init): Put trickyness checks into a `TT_USE_BYTECODE_INTERPRETER`
block.
Fixes#1111.
DLG_STATIC is intended to disable Windows DLL linking attributes.
It does not hurt to define it explicitly when we wrap DLG code.
This fixes tons of LNK4286 and C4273 warnings from MSVC if we
forget to define DLG_STATIC as a compiler option.
* builds/windows/vc2010/freetype.vcxproj: Remove DLG_STATIC option.
* src/dlg/dlgwrap.c [FT_DEBUG_LOGGING]: Define DLG_STATIC.
* include/freetype/internal/ftdebug.h [FT_DEBUG_LOGGING]: Ditto.
The DLG wrapper needs to know if FT_DEBUG_LOGGING is defined in
`ftoption.h`. It does not need entire FreeType.
* src/dlg/dlgwrap.c: Include FT_CONFIG_OPTIONS_H directly.
* src/truetype/ttgxvar.c (ft_var_readpackeddeltas, ft_var_load_avar,
ft_var_load_item_variation_store, ft_var_load_gvar): Use FT_QNEW_ARRAY
if memory immediately initialized or discarded otherwise.
* src/truetype/ttgxvar (ft_var_readpackeddeltas): Don't expect the number of
bytes used to encode the deltas to be higher than the number of encoded
values. The specification allows a very compact encoding; for example, a
list of 200 zeros can be encoded with just a couple of bytes.
We now count the consumed bytes to make sure to not read more than expected.
* src/truetype/ttgxvar (tt_face_vary_cvt): Function
`ft_var_readpackedpoints`, when it returns `ALL_POINTS`, also sets
`point_count` to value 0. However, the CVAR code was incorrectly expecting
that `point_count` would be set to match the length of the CVT table.
In a Multiple Master font, the Blend dictionary must contain valid
Private, FontInfo, and FontBBox. The current code will error if any of
these are present and invalid, but will not error and will provide
uninitialized data if the Blend dictionary exists but does not contain
one of these entries. This change reverts to the older behavior of
treating any missing entries as containing all zero data and not
returning an error.
In the future it may be best to keep track of when these are actually
initialized and error if they are not.
* src/type1/t1load.c (t1_allocate_blend): Zero initiailize.
Previously the `blend->weight_vector`, `blend->default_weight_vector`,
and `blend->design_pos` were set early to allocated but uninitialized
memory under the assumption that the memory would eventually be
initialized. However, it is possible that some of the required
keywords may not actually be present, leaving the memory uninitialized.
This is different from a present but invalid table, which would produce
an error.
Reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=1261762
* src/type1/t1load.c (t1_allocate_blend): Remove early allocation and
initialization.
(parse_blend_design_positions, parse_weight_vector): Parse into local
and assign to blend if valid.
(T1_Open_Face): Check that if a blend exists that it has the weight
vector and design positions.
The vstore->regionCount and vstore->dataCount were read directly
from the data. However, vstore->varRegionList and vstore->varData
would still contain uninitialized entries with uninitialized
pointers in the event of an error, leading to issues when attempting
to clean up.
Reportd as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40104
* src/cff/cffload.c (cff_vstore_load): Read the region and data counts
into locals and update the vstore counts immediately after each entry
becomes free-able.
Previously, the gasp.numRanges was set and gasp.gaspRanges was
allocated and assigned before a possible early exit if the frame could
not be entered. It is also possible that the gaspRanges allocation
could fail but the numRanges still be set to non-zero. In such cases
an error would be returned, but the face would have a gasp in an
inconsistent state which may still be accessed.
Reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=1261450
* src/sfnt/ttload.c (tt_face_load_gasp): Delay setting gasp.numRanges
and gasp.gaspRanges until after the ranges are initialized.
Previously, the table->names and table->langTags fields were created
pointing to uninitialized memory and an early exit could happen if the
frame could not be entered. The caller would then be unable to properly
dispose of the memory as the string fields had not been initialized.
Reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=1261343
* src/sfnt/ttload.c (tt_face_load_name): delay setting table->langTags
and table->names until after the memory they will point to is fully
initialized.
This is mainly for better diagnostics of malformed fonts.
* src/bdf/bdflib.c (_bfd_readstream): Stop font format testing if the first
input line is too long or doesn't end with `\r` or `\n`.
* src/cid/cidparse.c (cid_parser_new): Don't handle too short input as an
error but as an unknown format.
* src/pfr/pfrobjs.c (pfr_face_init): Ditto.
* src/winfonts/winfnt.c (fnt_font_load, fnt_face_get_dll_font): Ditto.
Fallout reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40027
* src/bdf/bdflib.c (_bdf_add_property): Cosmetic NULL.
(bdf_create_property): Limit allocations to customary signed
FT_Long and NULL-initialize unused storage.
(bdf_free_font): Do not free unused storage.
FT_QNEW_ARRAY and FT_QRENEW_ARRAY were using the non-Q
FT_MEM_NEW_ARRAY and FT_MEM_RENEW_ARRAY. Change these to use the Q
versions. Also fix the one issue discovered in tt_face_load_name
where table->names is created with FT_QNEW_ARRAY but the extra
string member is not initialized to NULL.
* include/freetype/internal/ftmemory.h (FT_Q(RE)NEW_ARRAY):
Use FT_MEM_Q(RE)NEW_ARRAY as needed.
* src/sfnt/ttload.c (tt_face_load_name): Initialize `entry->string`.
When a different hinting mode from the current is selected, the `prep` table
must be re-executed with the new mode. After this happens the context must
be re-loaded in preparation for the glyph program to be run.
Fixes#1104.
* truetype/ttgload.c (tt_loader_init): Add call to `TT_Load_Context`.
It is easier to check directions using flags than integer values.
* src/pshinter/pshalgo.h (PSH_Dir): Redefine directions.
(PSH_PointRec): Use them as an enum type.
* src/pshinter/pshalgo.c (psh_compute_dir): Modify return type.
(psh_glyph_init, psh_hint_table_find_strong_points,
psh_glyph_find_blue_points): Update users.
BDF comments are neither actually collected nor retrieved. There is
no need to be fancy with delimiters.
* src/bdf/bdflib.c (_add_bdf_comment): Delimit comments with zeros...
(bdf_load_font): ...and do not null-terminate comments additionally.
(_bdf_parse_glyphs): Check if comments are kept, which they are not.
(_bdf_parse_start): Minor clean up.
* src/pcf/pcfread.c (pcf_load_font): Do not call `FT_MulDiv` for a
small job.
* src/bdf/bdfdrivr.c (BDF_Face_Init): Ditto.
* src/bdf/bdflib.c (_bdf_parse_glyphs): Fix a comment.
With Windows memory management tracking heap, it is important to use
it during the stream opening fallback. In Unix, the argument is
unused, but it is better to set it correctly.
* src/base/ftobjs.c (FT_Stream_New): Set memory before calling
`FT_Stream_Open`.
* builds/windows/ftsystem.c, builds/unix/ftsystem.c (FT_Stream_Open,
ft_close_stream_by_free): Call `ft_alloc` and `ft_free` with proper
memory argumment.
Loops with unsigned decrement can be reliably stopped when the counter
wraps around after reaching zero.
* src/cff/cffload.c (cff_charset_compute_cids): Use unsigned counter.
* src/pshinter/pshalgo.c (psh_hint_table_activate_mask): Ditto.
* src/pshinter/pshrec.c (ps_mask_table_merge): Ditto.
* src/base/ftdbgmem.c (FT_DumpMemory): Check for active debugger.
(ft_mem_table_destroy): Move `FT_DumpMemory` call from here...
(ft_mem_debug_done): ... to here.
These changes are neccessary to properly recover `memory->user` that
holds the Windows heap handle now.
* src/base/ftdbgmem.c (ft_mem_debug_init): Handle all table allocations,
initializations, and sizing instead of...
(ft_mem_table_new): ... this function removed.
(ft_mem_debug_done): Better check for the active debugger and free the
debugger table here instead of...
(ft_mem_table_destroy): ... here.
* src/base/ftstream.c (FT_Stream_ReadUShort, FT_Stream_ReadUOffset,
FT_Stream_ReadULong and their LE variants): Remove unnecessary
initialization and slightly refactor.
(FT_Stream_GetByte, FT_Stream_ReadByte): Rename to return unsigned
value and align with sister functions.
* include/freetype/internal/ftstream.h (FT_Stream_GetByte,
FT_Stream_ReadByte): Update prototypes and caller macros.
* src/smooth/ftgrays.c (FT_UDIVPREP, FT_UDIV): Reduce shift.
Smaller shifts that keep the division operands of FT_UDIVPREP within
32 bits result in slightly faster divisions, which is noticeable in
the overall performance. The loss of precision is tolerable until the
divisors (the components dx and dy) approach 32 - PIXEL_BITS. With
PIXEL_BITS = 8, this corresponds to 65,000 pixels or the bitmap size
that we refuse to render anyway.
Using `ftbench -p -s60 -t5 -bc timesi.ttf`,
Before: 8.52 us/op
After: 8.32 us/op
MSVC does not set `__SSE2__`. Instead one must check whether `_M_IX86_FP` is
defined and greater than or equal to 2.
* src/smooth/ftgrays.c (FT_SSE2): New macro.
Use it where appropriate.
* src/truetype/ttobjs.c (tt_check_trickyness_family): For the case
that the beginning part of a long tricky family name is already
registered as another tricky family name, no need to double-check
the longer one. Such long tricky family names are removed from
the `trick_names'.
* src/truetype/ttobjs.c (tt_skip_pdffont_random_tag):
New function to skip the randomization tag in the names of the
fonts embedded in a PDF. It is used by tt_check_trickyness_family(),
to keep from mistaking "DLC" in the randomization tag as a
tricky font name. See discussion in:
https://lists.nongnu.org/archive/html/freetype-devel/2021-02/msg00002.html
For technical detail about the randomization tag, please find
PDF Reference 5.5.3 "Font Subsets". Thanks to Justyna Wawrzynska
for pointing out the issue caused by the randomization tag.
Thanks to Ting717 for providing sample PDF. Fixes#1087.
* src/truetype/ttobjs.c (tt_check_trickyness_sfnt_ids): Add
checksums for 2 tricky fonts `DFHei-Bd-WIN-HK-BF' and
`DFMing-Md-WIN-HK-BF'.
Put the null cell at the end of the pool and store it explicitly so that
we can use it as both the limit and the dumpster.
* src/smooth/ftgrays.c (gray_TWorker): Store the last `cell_null` and
remove unnecesary fields.
(NULL_CELL_PTR, CELL_IS_NULL): Remove in favor of explicit `cell_null`.
(gray_dump_cells, gray_set_cell, gray_sweep{,_direct}): Update callers.
(gray_convert_glyph_inner): Trace remaining cells (oh well).
(gray_convert_glyph): Set up `cell_null` and slightly improve the pool
management.
The optional 'COLR' v1 glyph-specific clip box helps upstream graphics
libraries allocate a sufficiently large bitmap for a glyph without having to
traverse the glyph graph for that. See
https://github.com/googlefonts/colr-gradients-spec/issues/251
for background on the introduction of this specification change.
* include/freetype/ftcolor.h (FT_ClipBox): New structure.
(FT_Get_Color_Glyph_ClipBox): New function declaration.
* include/freetype/internal/sfnt.h (TT_Get_Color_Glyph_ClipBox_Func):
New function type.
(SFNT_Interface, FT_DEFINE_SFNT_INTERFACE): Use it.
* src/base/ftobjs.c (FT_Get_Color_Glyph_ClipBox): New function to link API
with SFNT implementation.
* src/sfnt/sfdriver.c (sfnt_interface): Updated.
* src/sfnt/ttcolr.c (Colr): New field `clip_list`.
(tt_face_load_colr): Parse global clip list offset.
(tt_face_get_color_glyph_clipbox): New function to find the clip box for a
glyph id from the clip list array.
* src/sfnt/ttcolr.h: Updated.
* src/sdf/ftbsdf.c (first_pass, second_pass): Fix range during forward pass.
Otherwise the index goes out of range for the last column.
Fixes issue #1077.
Do not generate SDF from bitmap if the `FT_GLYPH_OWN_BITMAP` flag is not
set. In some cases the bitmap buffer is freed but still points to a valid
address; to handle those cases check the flag before accessing the memory.
* src/sdf/ftsdfrend.c (ft_bsdf_render): Handle the above case.
Also, return an error message if the bitmap's rows/pitch is invalid,
otherwise `slot->buffer` might be assigned to some invalid memory location.
(ft_sdf_render): Same as above.
Plus, move the outline back to original state after rasterization and not if
any error occurs.
Signed-off-by: Anuj Verma <anujv@iitbhilai.ac.in>
* src/sfnt/ttcolr.c (read_paint): PaintSweepGradient follows other
spec changes and now has the angles specified as F2DOT14, reflect
that in the implementation.
* include/freetype/ftcolor.h (FT_PaintSweepGradient): Update
documentation.
* src/sfnt/ttcolr.c (read_paint): Implement spec change where
affine transform matrix is now referenced by offset instead of
being placed inline in the PaintTransform table.
* src/sfnt/ttcolr.c (read_paint): Implement spec changes around
PaintSkew, PaintSkewAroundCenter. Update parsing to read shorter
values as changed in the spec.
* include/freetype/ftcolor.h (FT_PaintSkew): Update documentation.
* src/sfnt/ttcolr.c (read_paint): Implement spec change where
PaintRotate and PaintRotateAroundCenter were split for a more
compact format definition. Update parsing to read shorter values
as changed in the spec.
* include/freetype/ftcolor.h (FT_PaintRotate): Update documentation.
The header file `afwrtsys.h` has two distinct functions: to include the
required writing system headers and also to generate code for each writing
system. At each current use site only one or the other is used, with
various macro trickery selecting one or the other. Split this header into
`afws-decl.h` for the required writing system declarations and `afws-iter.h`
for iterating over the writing systems to generate code.
The motivation for this change is that the Visual C++ compiler treats the
standard include guard idiom like `#pragma once` 'if no non-comment code or
preprocessor directive comes before or after the standard form of the
idiom'. It appears to check this after macro expansion, so if
`WRITING_SYSTEM` expands to empty the bottom of `afwrtsys.h` is empty and
looks like the standard include guard idiom which is treated like `#pragma
once`, so subsequent inclusion of `afwrtsys.h` is elided.
Fixes#1075.
* src/autofit/afglobal.c (af_writing_system_classes), src/autofit/aftypes.h
(AF_WritingSystem), src/autofit/rules.mk (AUTOF_DRV_H): Updated.
* src/autofit/afwrtsys.h: Split into...
* src/autofit/afws-decl.h, src/autofit/afws-iter.h: New files.
==========================
Tag sources with `VER-2-11-0'.
* docs/VERSION.TXT: Add entry for version 2.11.0.
* docs/CHANGES: Updated.
* README, src/base/ftver.rc, builds/windows/vc2010/index.html,
builds/windows/visualc/index.html,
builds/windows/visualce/index.html,
builds/wince/vc2005-ce/index.html,
builds/wince/vc2008-ce/index.html, docs/freetype-config.1:
s/2.10.4/2.11.0/, s/2104/2110/.
* include/freetype/freetype.h (FREETYPE_MINOR): Set to 11.
(FREETYPE_PATCH): Set to 0.
* builds/unix/configure.raw (version_info): Set to 24:0:18.
* CMakeLists.txt (VERSION_MINOR): Set to 11.
(VERSION_PATCH): Set to 0.
* builds/toplevel.mk (dist): Ignore more git-related files.
The code assumed that if `__SSE2__` is defined, then 64-bit integer
types are available. This is not the case apparently for certain
multilib compiler targets like 'x86_32.x86' used by Gentoo.
This patch fixes the issue by disabling the special code path when
64-bit integer types are not available.
Fixes#1071.
* src/smooth/ftgrays.c (gray_render_conic): Move variable and
structure declarations to beginning of function. Inspite of C99
compliance we still do this for the sake of backward compatibility.
This also avoids a shadowing declaration of `count`.
(gray_convert_glyph_inner): Fix typo.
Guard inclusion of emmintrin.h with "#ifdef __SSE2__". The gcc version
of this header, xmmintrin.h, and mmintrin.h check that the appropriate
defines are set before defining anything (are internally guarded).
However the clang versions of these includes are not internally guarded.
As a result of this, externally guard the inclusion of these headers.
Benchmarking shows that this provides a very slighty performance
boost when rendering fonts with lots of quadratic bezier arcs,
compared to the recursive arc splitting, but only when SSE2 is
available, or on 64-bit CPUs.
On a 2017 Core i5-7300U CPU on Linux/x86_64:
./ftbench -p -s10 -t5 -cb .../DroidSansFallbackFull.ttf
Before: 4.033 us/op (best of 5 runs for all numbers)
After: 3.876 us/op
./ftbench -p -s60 -t5 -cb .../DroidSansFallbackFull.ttf
Before: 13.467 us/op
After: 13.385 us/op
This speeds up the smooth rasterizer by avoiding a
conditional branches in the hot path. Namely:
- Define a fixed "null cell" which will be pointed
to whenever the current cell is outside of the current
target region. This avoids a "ras.cell != NULL"
check in the FT_INTEGRATE() macro.
- Also use the null cell as a sentinel at the end of
all ycells[] linked-lists, by setting its x coordinate
to INT_MAX. This avoids a 'if (!cell)' check in
gray_set_cell() as well.
- Slightly change the worker struct fields to perform
a little less operations during rendering.
Example results (on a 2013 Corei5-3337U CPU)
out/ftbench -p -s10 -t5 -bc /usr/share/fonts/truetype/droid/DroidSansFallbackFull.ttf
Before: 5.472 us/op
After: 5.275 us/op
out/ftbench -p -s60 -t5 -bc /usr/share/fonts/truetype/droid/DroidSansFallbackFull.ttf
Before: 17.988 us/op
After: 17.389 us/op
This was already true (though undocumented) most of the time, but
not if `FT_NEW` inside `FT_Stream_New` failed or if the
`FT_OPEN_XXX` flags were bad.
Normally, `FT_Open_Face` calls `FT_Stream_New`, which returns the
user-supplied stream unchanged, and in case of any subsequent error
in `FT_Open_Face`, the stream is closed via `FT_Stream_Free`.
Up to now, however, `FT_Stream_New` allocates a new stream even if
it is already given one by the user. If this allocation fails, the
user-supplied stream is not returned to `FT_Open_Face` and never
closed. Moreover, the user cannot detect this situation: all they
see is that `FT_Open_Face` returns `FT_Err_Out_Of_Memory`, but that
can also happen after a different allocation fails within the main
body of `FT_Open_Face`, when the user's stream has already been
closed by `FT_Open_Face`. It is plausible that the user stream's
`close` method frees memory allocated for the stream object itself,
so the user cannot defensively free it upon `FT_Open_Face` failure
lest it ends up doubly freed. All in all, this ends up leaking the
memory/resources used by user's stream.
Furthermore, `FT_Stream_New` simply returns an error if the
`FT_OPEN_XXX` flags are unsupported, which can mean either an
invalid combination of flags or a perfectly innocent
`FT_OPEN_STREAM` on a FreeType build that lacks stream support.
With this patch, the user-supplied stream is closed even in these
cases, so the user can be sure that if `FT_Open_Face` failed, the
stream is definitely closed.
* src/base/ftobjs.c (FT_Stream_New): Don't allocate a buffer
unnecessarily.
Move error-handling code to make the control flow more obvious.
Close user-supplied stream if the flags are unsupported.
`FT_Stream_Open` always sets `pathname.pointer`, so remove the
redundant (re)assignment. None of the `FT_Stream_Open...` functions
uses `stream->memory`, so keep just one assignment at the end,
shared among all possible control flow paths.
('Unsupported flags' that may need a stream closure can be either an
invalid combination of multiple `FT_OPEN_XXX` mode flags or a clean
`FT_OPEN_STREAM` flag on a FreeType build that lacks stream
support.)
The three modes are mutually exclusive, and the documentation of the
`FT_OPEN_XXX` constants notes this. However, there was no check to
validate this in the code, and the documentation on `FT_Open_Args`
claimed that the corresponding bits were checked in a well-defined
order, implying it was valid (if useless) to specify more than one.
Ironically, this documented order did not agree with the actual
code, so it could not be relied upon; hopefully, nobody did this and
nobody will be hurt by the new validation.
Even if multiple mode bits were allowed, they could cause memory
leaks: if both `FT_OPEN_STREAM` and `stream` are set along with
either `FT_OPEN_MEMORY` or `FT_OPEN_PATHNAME`, then `FT_Stream_New`
allocated a new stream but `FT_Open_Face` marked it as an 'external'
stream, so the stream object was never released.
* src/base/ftobjs.c (FT_Stream_New): Reject incompatible
`FT_OPEN_XXX` flags.
Move the af_sort_xxx() functions from afangles.c to afhints.c
in order to get rid of the obsolete angle-related types,
macros and function definitions.
This feature was always experimental, and probably nevery worked
properly. This patch completely removes it from the source code,
except for a documentation block describing it for historical
purpose.
This code has always been experimental and was never compiled
anyway (FT_OPTION_AUTOFIT2 does not appear in ftoption.h or even
any of our build files).
It is undefined behavior to pass `NULL` to `memcpy`. `coords' is
passed to `memcpy` but `TT_Get_MM_Blend` and `TT_Get_Var_Design`
explictly call `tt_set_mm_blend` with `coords` as `NULL`. In
addition, `TT_Set_MM_Blend` has a similar possible issue.
'COLR' v1 fonts do not necessarily need to have a layer list; for
this reason, 'fontTools' recently started generating fonts in a way
that drops the layer list if there are no layers in it. This
results in the layer list offset becoming zero, which FreeType
treated as an invalid table. Fix that and handle the case for layer
list offset being 0. This slightly changes how we need to calculate
the starting offset for paints.
* src/sfnt/ttcolr.c (tt_face_load_colr): Handle case of layer list
offset being zero without outright rejecting table.
The second pass also fixes horizontal lines through the pixel centers.
* src/raster/ftraster.c (black_TWorker): Do not use `second_pass'.
(Render_Glyph): Skip the second pass only with the appropriate flag.
* src/raster/ftraster.c (black_TWorker): Move `band_stack' from here..
(Render_Single_Pass): ... to here and accept limit arguments.
(Render_Glyph): Updated.
* src/raster/ftraster.c (black_TWorker): Move `arcs' from here...
(Conic_To, Cubic_To): ... to here to tighten their scope.
(Bezier_Up, Bezier_Down): ... Take the current `arc' argument.
Paint tables can appear before the `base_glyphs_v1` offset if the
font is produced with the layer list before the base glyph list. In
this case paint tables can occur after the layer list but before the
base glyph list. Checks in the 'COLR' v1 code were rejecting fonts
with this layout. Improve these checks by calculating a minimum
offset after which paint tables can occur and use that in safety
checks.
* src/sfnt/ttcolr.c (Colr, tt_face_load_colr): Declare
`paint_start_v1` and calculate that as the minimum of the end of
layer list and base glyph list.
(get_child_table_pointer, read_paint, tt_face_get_paint_layers):
Use that in safety checks.
* src/raster/ftraster.c (black_TWorker): Replace the current line
offset with the pointer and drop the increment.
(Function_Sweep_Init): Take values as arguments instead of pointers.
(Vertical_Sweep_*, Horizontal_Sweep_Init, Draw_Sweep): Updated.
We can bisect a band until it is just a single scan line. This might
be slow and cause time-outs but if we need to impose limits it should
be elsewhere.
* src/raster/ftraster.c (Render_Single_Pass): Tweak sub-banding.
FT_Render_Glyph picked up FAILURE or 1 returned from the raster
function, which became a confusing error code. Instead, return
Raster_Overflow in the unlikely event that banding does not help or
another meaningful error.
* src/smooth/ftgrays.c (gray_convert_glyph_inner, gray_convert_glyph):
Use Raster_Overflow when the rendering pool is exhausted and return it
if banding does not help.
(gray_raster_render): Use Smooth_Err_Ok.
* src/raster/ftraster.c (Render_Single_Pass): Return Raster_Overflow
if banding does not help or another error code.
* include/freetype/ftcolor.h (FT_PaintTransformed, FT_PaintFormat,
FT_COLR_Paint): Do it to make it harmonize with other names such as
'PaintTranslate'.
* src/sfnt/ttcolr.c (read_paint, tt_face_get_paint): Ditto.
We need to inverse inheritance of FT_GlyphSlot_Internal so that we
have a chance to free the rendered bitmap from the parent slot.
* src/type42/t42objs.c (T42_GlyphSlot_Init): Remove the internal parts
of the child `ttslot' and replace it with the parent structure.
(T42_GlyphSlot_Done): Updated accordingly.
* src/psaux/psintrp.c (cf2_interpT2CharString)
<cf2_escCALLOTHERSUBR>: Convert assertion into error, since the
problem can happen with invalid user input.
Test case is file
fuzzing/corpora/legacy/oss-fuzz/5754332360212480-unknown-read
in the `freetype2-testing` repository.
Dominik Röttsches