Commit Graph

5522 Commits

Author SHA1 Message Date
Ben Wagner 188019eb70 [base] Return error if requested driver is not found.
In `open_face_from_buffer` it is possible that a driver is requested but
FreeType was built without the requested module.  Return an error in this
case to indicate that the request could not be satisfied, rather than trying
all existing driver modules.

* src/base/ftobjs.c (open_face_from_buffer): Return `FT_Err_Missing_Module`
if a driver is specified but not found.
2023-01-18 08:37:51 +01:00
Dominik Röttsches a297feab0e [sfnt] Avoid nullptr dereference in reading malformed 'COLR' v1 table.
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=1408044.

* src/sfnt/ttcolr.c (tt_face_load_colr): When the 'COLR' v1 table header is
too small, don't deallocate delta set index map structures.
2023-01-18 08:22:53 +01:00
Werner Lemberg f80be4e959 * src/tools/update-copyright: Allow execution from other repositories.
We use this for `freetype-demos`.
2023-01-17 19:03:45 +01:00
Werner Lemberg 65f8523706 Update all copyright notices. 2023-01-17 09:18:25 +01:00
Werner Lemberg 6c1bd0f2b2 * src/tools/no-copyright: Updated. 2023-01-17 09:15:36 +01:00
Ben Wagner 29f83d1dd5 [base] 'close' callback may not use `stream->memory`.
The documentation for `FT_StreamRec::memory` states that it 'shouldn't be
touched by stream implementations'.  This is true even for internal
implementations of the 'close' callback, since it is not guaranteed that
`memory` will even be set when the 'close' callback occurs.

* src/base/ftobjs.c (new_memory_stream): stash current `memory` in
`stream->descriptor`.
(memory_stream_close): Use it.
2023-01-17 08:59:25 +01:00
Ben Wagner 0d4f887c79 [base] Always close user-provided stream.
The `FT_Open_Face` documentation states

> If `FT_OPEN_STREAM` is set in `args->flags`, the stream in `args->stream`
> is automatically closed before this function returns any error (including
> `FT_Err_Invalid_Argument`).

However, if the user provides a stream in `args.stream` with
`FT_OPEN_STREAM` set and a `close` function, but then for some reason passes
NULL for `aface` and a non-negative `face_index`, the error
`Invalid_Argument` is returned but the `close` callback will not be called
on the user-provided stream.  This may cause resource leaks if the caller is
depending on the `close` callback to free resources.

The difficulty is that a user may fill out a `FT_StreamRec` and pass its
address as `args.stream`, but the stream isn't really 'live' until
`FT_Stream_New` is called on it (and `memory` is set).  In particular, it
cannot really be cleaned up properly in `ft_open_face_internal` until the
stream pointer has been copied into the `stream` local variable.

* src/base/ftobj.c (ft_open_face_internal): Ensure that user-provided
`args.stream.close` is called even with early errors.
2023-01-17 08:54:11 +01:00
Ben Wagner 13983b058e [base] Fix leak of internal stream marked external.
`open_face_from_buffer` allocates a new `FT_Stream` to pass to
`ft_open_face_internal`.  Because this is an `FT_OPEN_STREAM`,
`ft_open_face_internal` will mark this as an 'external stream', which the
caller must free.  However, `open_face_from_buffer` cannot directly free it
because the stream must last as long as the face.  There is currently an
attempt at this by clearing the 'external stream' bit after
`open_face_from_buffer` returns successfully.  However, this is too late as
the original stream may have already been closed and the stream on the face
may not be the same stream as originally passed.

It is tempting to use `FT_OPEN_MEMORY` and let `ft_open_face_internal`
create the stream internally.  However, with this method there is no means
to pass through a 'close' function to the created stream to free the
underlying data, which must be owned by the stream.

A possibility is to check on success if the stream of the face is the same
as the original stream.  If it is then unset the external flag.  If not,
then free the original stream.  Unfortunately, while no current
implementation does so, it is possible that the face still has the original
stream somewhere other than as the `FT_FaceRec::stream`.  The stream needs
to remain available for the life of the face or until it is closed,
whichever comes earlier.

The approach taken here is to let the stream own itself.  When the stream is
closed it will free itself.

* src/base/ftobjs.c (memory_stream_close): Free `stream`.
(open_face_from_buffer): Simplify error handling, since
`ft_open_face_internal` always closes `args.stream` on any error.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54930
2023-01-17 08:48:33 +01:00
Werner Lemberg 6a179ff7d5 sr/*.c: Various minor fixes.
* src/autofit/ft-hb.c (_hb_ft_reference_table): Call `FT_UNUSED` after
variable declarations.

* src/gxvalid/gxvjust.c (gxv_just_widthDeltaClusters_validate): Eliminate
unused variable.

* src/gzip/ftgzip.c: Don't call GCC '-Wstrict-prototypes' pragma for C++
compiler.

* src/sfnt/ttcolr.c (ENSURE_READ_BYTES): Remove final semicolon to avoid
compiler warning.

* src/sfnt/ttsvg.c (tt_face_load_svg_doc): Fix signedness warning.
2023-01-16 16:38:56 +01:00
Dominik Röttsches 2692b3215b [sfnt] Remove temporary runtime flag for variable 'COLR' v1.
Fixes #1187.

* src/sfnt/ttcolr.c (top level, read_paint, tt_face_load_colr,
tt_face_free_colr, get_deltas_for_var_index_base,
tt_face_get_color_glyph_clipbox, tt_face_get_colorline_stops): Remove macro
definition `VARIABLE_COLRV1_ENABLED` and its usage.

* src/truetype/ttdriver.c (tt_property_set): Remove parsing of
'TEMPORARY-enable-variable-colrv1' property name.

* src/truetype/ttobjs.h (TT_DriverRec): Remove `enable_variable_colrv1`
flag.
2023-01-16 14:02:36 +01:00
Werner Lemberg b1c90733ee * src/autofit/ft-hb.c (_hb_ft_reference_table): Minor integration fixes. 2023-01-07 07:41:31 +01:00
Ben Wagner 3481b15443 [truetype] Reset cvt and storage in context load.
Currently the cvt and storage are saved and restored in `TT_RunIns`.
However, this is too granular as the cvt and storage area should be set to
the original cvt and storage area only when setting up the hinting context.
This allows for the cvt and storage area to be modified while parsing
multiple glyphs, as is the case with composite glyphs.

* src/truetype/ttinterp.h (TT_ExecContextRec): Remove `origCvt` and
`origStorage`.

* src/truetype/ttinterp.c (TT_RunIns): Don't save and restore the cvt and
storage area.
(Modify_CVT_Check, Ins_WS): Switch from "if in glyph and using original data
do copy on write" to "if in glyph and not using glyph specific data do copy
on write".
2023-01-07 07:28:04 +01:00
Matthias Clasen ebe7e9128c [autofit] Don't depend on 'hb-ft'.
The circular dependency is still there, but at least we no longer depend on
the HarfBuzz API that is only present if HarfBuzz has been built with
FreeType support, making the bootstrapping a bit easier.

* src/autofit/ft-hb.c, src/autofit/ft-hb.h: New files, providing
`_hb_ft_font_create`, which is more or less a verbatim copy of the
corresponding HarfBuzz code from file `hb-ft.cc`.

* src/autofit/afglobal.c (af_face_globals_new): Use it.
* src/autofit/afshaper.h: Don't include `hb-ft.h` but `ft-hb.h`.
* src/autofit/autofit.c: Include `ft-hb.c`.

* LICENSE.TXT: Updated.
2023-01-06 12:54:17 +01:00
Ben Wagner 262b47ac5a [truetype] Keep variation store consistent.
`tt_var_load_item_variation_store` fills out a `GX_ItemVarStore`.  While it
may return an error, the item store must be left in a consistent state so
that any use or destruction of the item store can properly use or free the
data in it.  Before this change the counts from the font data were read
directly into the item store before the actual allocation of the arrays to
which they referred.  There exist many opportunities between the time the
counts are read and the arrays are allocated to return early due to invalid
data.  When this happened the item store claimed to have entires it actually
did not, leading to crashes later when it was used.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54449

* src/truetype/ttgxvar.c (tt_var_load_item_variation_store): Read the counts
into local variables and store them in the item store only after the related
arrays are actually created on the item store.
2023-01-06 07:11:41 +01:00
Ben Wagner 15afb55458 [base] Report used stream's external status.
In `open_face` the initial stream is set on the face, along with the
information about if FreeType is the owner of the stream object itself.  The
loaders may in the course of their work replace this stream with a new
stream (as is the case for 'woff' and 'woff2'), which may have a different
ownership than the initial stream object (likely the original stream object
is owned by the user and is external, while the new stream object is created
internally to FreeType and is internal).  When the stream is replaced, the
face's flags are updated with the new ownership status.

However, `open_face` cannot itself free this stream as its caller
`ft_open_face_internal` is responsible for this.  In addition, in the case
of an error `open_face` cannot return an actual face with the new stream and
its ownership status to the caller.  As a result, it must pass this
information back to the caller as a sort of "failed face" so that the caller
can clean up.

`open_face` was already passing back the new stream but was not passing back
the stream ownership information.  As a result the stream may not have been
free'd when needed.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54700

* src/base/ftobjs.c (open_face): Pass back the ownership information as
well.
(ft_open_face_internal): Updated.
2023-01-05 22:05:02 +01:00
Dominik Röttsches 63f371367a [sfnt] Fix color stop bounds check calculation at table end.
Fixes https://bugs.chromium.org/p/skia/issues/detail?id=14021

* src/sfnt/ttcolr.c (VAR_IDX_BASE_SIZE): New macro.
(tt_face_get_colorline_stops): Fix off-by-one bounds check calculation, take
`VarColorStop` into account, and hopefully make it easier to read.
2023-01-05 09:35:32 +01:00
Alexei Podtelezhnikov 81a456b28f * src/base/ftobjs.c (FT_Request_Metrics): Avoid division by zero.
The division-by-zero might happen in broken fonts (see #1194).
Instead of returning a huge number from FT_DivFix and failing
to scale later, we now bail immediately.
2023-01-04 22:41:34 -05:00
Alexei Podtelezhnikov 0bcb664de8 [psaux] Delay the upem validity assertion.
Fixes #1194.

* src/psaux/psft.c (cf2_getUnitsPerEm): Remove the upem assert.
(cf2_checkTransform): Assert the upem validity after checking the scale.
2022-12-20 16:38:39 +00:00
David Vanderson ace97a02a4 [gzip] Make static compilation not leak global symbols.
* src/gzip/ftgzip.c (HAVE_HIDDEN): Do not define; it is no longer needed
because everything is static.
(HAVE_MEMCPY): Define.
(zcalloc, zcfree): Remove no longer needed definitions (because `Z_SOLO` is
active).

* src/gzip/patches/freetype-zlib.diff: Regenerated.

Fixes #1146.

Co-authored-by: Werner Lemberg <wl@gnu.org>
2022-12-14 10:44:03 +01:00
Werner Lemberg bc3aa767a7 * src/gzip/ftzconf.h: Updated to zlib 1.2.13.
I forgot to copy that file.
2022-12-14 10:32:53 +01:00
Werner Lemberg 26e9028f10 [sdf, sfnt] Handle minor compiler warnings.
* src/sdf/ftsdf.c (get_min_distance_conic): Initialize `nearest_point`.

* src/sfnt/ttsvg.c (find_doc): Initialize `mid_doc`.

Fixes #1195.
2022-12-13 09:53:26 +01:00
Luca Bacci aca4ec5907 * src/base/ftdbgmem.c (ft_mem_source_compare): Add FT_COMPARE_DEF.
Closes !230.
2022-11-22 22:34:41 -05:00
Alexei Podtelezhnikov 1c44de209c * src/autofit/afloader.c (af_loader_load_glyph): Remove `size` check.
This is done by `FT_Load_Glyph`.
2022-11-20 22:37:08 -05:00
Alexei Podtelezhnikov 4e6906cc5d Comments added. 2022-11-18 14:03:19 +00:00
Johan Matsson 0f43a0e7eb * src/autofit/afloader.c (af_loader_load_glyph): Fix dereference.
This must happen after the NULL check.

Taken from

  https://github.com/freetype/freetype/pull/2
2022-11-16 07:54:39 +01:00
Alexei Podtelezhnikov 47e61d02e6 * src/pcf/pcfutil.c ({Two,Four}ByteSwap): Use builtins or shifts.
We trust glibc which uses shifts or builtins to swap bytes.  This
must be more efficient.
2022-11-14 22:53:14 -05:00
Werner Lemberg e6fda039ad * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer overflow.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462
2022-11-14 19:18:19 +01:00
Dominik Röttsches ba4bd5b994 Add `TT_CONFIG_OPTION_NO_BORING_EXPANSION` configuration macro.
This gives users a possibility to deactivate new features not (yet) in the
OpenType standard.

* include/freetype/config/ftoption.h, devel/ftoption.h
(TT_CONFIG_OPTION_NO_BORING_EXPANSION): New macro.

* src/truetype/ttgxvar.c (ft_var_load_avar): Use it to disable 'avar'
version 2.0 support.
2022-11-12 17:11:36 +01:00
Behdad Esfahbod e97cb9e8da [truetype] Improve bounds checks for `ItemVariationStore`.
* src/truetype/ttgxvar.c (tt_hvadvance_adjust): Move bounds check ...
(tt_var_get_item_delta): ...  to this function, because it is safer.  For
example, the 'avar' table 2.0 codepath was not performing a bounds check at
all.
2022-11-12 16:45:44 +01:00
Behdad Esfahbod 9be958ca39 [truetype] In `ItemVariationStore`, value 0xFFFF for `dataCount` is valid.
It corresponds to outer indices of 0 to 0xFFFE.

* src/truetype/ttgxvar.c (tt_var_load_item_variation_store): Remove invalid
code.
2022-11-12 16:41:20 +01:00
Alexei Podtelezhnikov 109179c70e [pcf] Improve CMap efficiency and readability.
* src/pcf/pcfdrivr.c (pcf_cmap_char_{index,next}): Check and walk
the encoding array indexes.
2022-11-10 23:25:48 -05:00
Ben Wagner 9154707f6b [truetype] Check avar_segment before access
* src/truetype/ttgxvar.c (tt_done_blend): check `avar_segment` before
accessing to free its `correspondence`.

Reported as:

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53062
2022-11-09 19:15:26 +00:00
Ben Wagner d38407f79e [truetype] Restore behavior of ft_var_load_hvvar
* src/truetype/ttgcvar.c (ft_var_load_hvvar): restore previous behavior

In a previous change [0] the behavior of `ft_var_load_hvvar` was changed
to not load the item variation store if it was at offset 0, but not
return an error when this happened. This broke any users, like
`tt_hvadvance_adjust`, that rely on successful completion of
`ft_var_load_hvvar` to imply that returned table's `itemStore` had been
initialized. This lead such users to dereference NULL.

This change appears to have been unintentional and unrelated to the
actual avar2 changes. As a result, fix these NULL dereferences by
restoring the code to always attempt to initialize the `itemStore`.

[0] ae4eb996 "[truetype] Add support for `avar` table 2.0 format."

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53061
2022-11-09 19:02:22 +00:00
suzuki toshiya 32cfab4be7 [build] fix for make multi
Fix "make multi" by MR !223

* include/freetype/internal/services/svmm.h: include ftmm.h to define FT_Get_MM_Func.
* src/truetype/ttgxvar.h: include ftmmtypes.h to use GX_AVarTable properly.
* src/base/ftmac.c: include ftdebug.h to use FT_THROW() properly.
2022-11-08 14:23:37 +09:00
Alexei Podtelezhnikov e00afdb35b * src/pfr/pfrsbit.c (pfr_lookup_bitmap_data): Accelerate the search.
This is mostly for consistency because PFR fonts with bitmap strikes
do not seem to exist.
2022-11-07 21:36:32 -05:00
Alexei Podtelezhnikov 6139f2b647 [bdf, pfr, psnames] Accelarate charmap searches.
The binary searches within charmaps can be accelerated because they
often contain dense continuous blocks of character codes. Within such
blocks, you can predict matches based on misses.  This method has been
deployed in `bdf` since 0f122fef34; we only refactor it there.  We now
use it in `pfr` and `psnames`, which speeds up the unicode charmap
access by about 50% in PFR and Type 1 fonts.

* src/bdf/bdfdrivr.c (bdf_cmap_char_{index,next}): Refactor.
* src/pfr/pfrcmap.c (pfr_cmap_char_{index,next}): Predict `mid` based
on the mismatch distance.
* src/psnames/psmodule.c (ps_unicodes_char_{index,next}): Ditto.
2022-11-06 13:12:47 -05:00
Behdad Esfahbod ae4eb996ab [truetype] Add support for `avar` table 2.0 format.
See

  https://github.com/harfbuzz/boring-expansion-spec/blob/main/avar2.md

for the specification.

Currently, this is implemented only in most recent OS versions on Apple
platforms and in the HarfBuzz library, but it is expected to be added to the
OpenType standard soon.

* src/truetype/ttgxvar.h (GX_AVarTableRec): New structure.
(GX_BlendRec): Use it to replace `avar_segment` with `avar_table`.

* src/truetype/ttgxvar.c (ft_var_load_avar): Load new table version.
(ft_var_to_normalized, tt_done_blend): Extend for new format.
(ft_var_load_hvvar, ft_var_to_design): Updated.
2022-11-04 19:44:36 +01:00
Werner Lemberg dea2e6358b Replace '1/64th' (and similar entries) with '1/64' in docs and comments. 2022-10-24 07:01:21 +02:00
Alexei Podtelezhnikov ffbbf3df3e * src/truetype/ttgload.c: Cosmetic changes. 2022-10-21 15:55:30 +00:00
Alexei Podtelezhnikov 1bfaca0635 [cff, truetype] Simplify SVG metrics scaling.
Use pre-calculated scaling factors. Also, the advance widths used
to be rounded, which was incorrect.

* src/cff/cffgload.c (cff_slot_load): Use `x_scale` and `y_scale`.
* src/truetype/ttgload.c (TT_Load_Glyph): Ditto.
2022-10-21 12:14:52 +00:00
Dominik Röttsches 0b62c1e43d [sfnt] Additional bounds checks for `COLR` v1 table handling.
* src/sfnt/ttcolr.c (read_paint): Add `colr` argument, necessary for...
... another use of `ENSURE_READ_BYTES`.
Update callers.
(tt_face_get_paint_layers): Ensure that the 4-byte paint table
offset can be read.

This is a follow-up to !124 and issue
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52404
2022-10-18 19:55:25 +02:00
Werner Lemberg af46fcc15a [gzip] Update sources to zlib 1.2.13. 2022-10-18 19:43:52 +02:00
Alexei Podtelezhnikov b8882a3ed6 * src/sfnt/ttsbit.c (tt_face_load_strike_metrics): Simplify calculations. 2022-10-18 15:58:02 +00:00
Werner Lemberg c943d408e0 Minor formatting. 2022-10-18 11:41:00 +02:00
Dominik Röttsches 04272824e0 [sfnt] Guard individual `COLR` v1 paint field reads.
* src/sfnt/ttcolr.c (ENSURE_READ_BYTES): New macro.
(read_paint): Use it – after the start pointer `p` has been checked for
whether it allows reading the format byte, each successive paint table field
read need to be bounds-checked before reading further values.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52404
2022-10-18 08:37:05 +02:00
Liu Kunpeng(柳鲲鹏) bb59c3c958 * src/base/ftsynth.c (FT_GlyphSlot_Slant): New API with custom slant.
* include/freetype/ftsynth.h (FT_GlyphSlot_Slant): Declare it.
2022-10-16 22:10:19 -04:00
Werner Lemberg 5182264a40 [cff] Remove `FT_CONFIG_OPTION_NO_GLYPH_NAMES`.
This ancient option stayed completely undocumented.  Given that the 'cff'
driver requires the 'psnames' module, it makes no sense today to have this
macro.

* src/cff/cffdrivr.c (cff_services), src/cff/cffobjs.c (cff_face_init):
Remove corresponding conditional code.
2022-10-10 12:41:49 +02:00
Werner Lemberg 141d979af7 Minor comment changes. 2022-10-10 12:25:51 +02:00
Alexei Podtelezhnikov 0417527d5b [autofit] Reset the face charmap directly.
There is no need to validate the original charmap in `FT_Set_Charmap`.
It can be reset directly.

* src/autofit/afglobal.c (af_face_globals_compute_style_coverage):
Use direct assignment.
* src/autofit/af{latin,cjk,indic}.c (af_latin_metrics_init): Ditto.
2022-10-03 19:23:26 -04:00
Alexei Podtelezhnikov 1b6dce84f9 * src/type1/t1afm.c (T1_Read_PFM): Set charmaps directly.
As with the previous commit, we can avoid the validation checks
of `FT_Set_Charmap` and set it directly when choosing from the
available list.
2022-10-03 19:18:48 -04:00