The t1cid driver catches 3 types of errors in
the charstrings retrieval;
A) The invalid FD number, there are 2 subtypes;
A-1) FD number is the maximum number fitting to FDBytes.
A-2) FD number is greater than num_dicts.
B) Declared length is overrunning.
C) Declared length is invalid (its end is before its head).
Considering that some widely distributed fonts
(e.g., "CJKV" book by O'Reilly) have A-1 errors
in the unimplemented glyphs, the trace level for
A-1 is calmed to level 1.
The errors A-2, B, and C would be irregular;
their trace levels are kept at level 0, but
the updated trace messages include the CID number.
The `MetricsVariations` `FT_Size_Reset_Func` is defined to take an
`FT_Size`. Because `tt_size_reset_height` is to be used as such a
function, it must also take an `FT_Size` instead of a `TT_Size`. Even
though the pointers passed will be the same at runtime, calling a
function through a pointer of a different type from the original
function pointer type is undefined behavior. This may be caught at
runtime by Control Flow Integrity with something like clang's
`cfi-icall`.
Issue: https://crbug.com/1433651
* src/truetype/ttobjs.h (tt_size_reset_height): take `FT_Size`
* src/truetype/ttobjs.c (tt_size_reset_height): take `FT_Size` and
update documentation
This is a generalization of commit
```
commit e6699596af
Author: Werner Lemberg <wl@gnu.org>
Date: Thu Feb 2 11:38:04 2017 +0100
[truetype] Fix MVAR post-action handling.
```
It is also possible for plain `CFF ` style fonts to contain an `fvar` and
`MVAR` table and use `cff_metrics_adjust`. `tt_size_reset` should only be
called with `TT_Size` and never with `CFF_Size`.
Allow the "metrics-variations" service to specify the correct function (if
any) to reset `FT_Size`s after adjusting metrics.
* src/truetype/ttobjs.c (tt_size_reset): Split off some functionality
into...
(tt_size_reset_height): ... this new function.
* src/truetype/ttdriver.c (tt_service_metrics_variations): Add
`size_reset`.
(tt_size_select, tt_size_request): Updated.
* src/truetype/ttobjs.h: Updated.
* include/freetype/internal/services/svmetric.h (MetricsVariations): Add
`size_reset`.
(FT_DEFINE_SERVICE_METRICSVARIATIONSREC): Updated.
* include/freetype/internal/tttypes.h (TT_FaceRec_): Rename `var` to
`tt_var` and add `face_var`.
* src/cff/cffdrivr.c (cff_service_metrics_variations): Add `size_reset`.
(cff_hadvance_adjust, cff_metrics_adjust): Updated.
* src/cff/cffobjs.c (cff_face_init): Use `face_var`.
* src/sfnt/sfobjs.c (sfnt_init_face): Initialize `face_var`.
* src/sfnt/ttmtx.c (tt_face_get_metrics): Use `tt_var`.
* src/truetype/ttgxvar.c (tt_size_reset_iterator): Renamed to...
(ft_size_reset_iterator): ... this new function.
Call `size_reset`.
(tt_apply_mvar): Pass `size_reset` to `ft_size_reset_iterator`.
Fixes#1211
This is mostly cosmetic because FT_UInt and FT_UInt32 are likely identical.
* src/sfnt/ttcmap.c, src/cff/cffcmap.c, src/psaux/t1cmap.c,
src/psnames/psmodule.c, include/freetype/internal/service/svpcsmap.h,
src/pfr/pfrcmap.c, src/winfonts/winfnt.c (*_char_next): return FT_UInt.
This moves the charcode overflow checks upstream and turns some
while-loops into the do-while ones to avoid the uninitialized warnings.
This should slightly reduce the number of checks and jumps.
* src/sfnt/ttcmap.c (tt_cmap{4,12,13}_next,
tt_cmap{4.12.13}_char_map_linear): Remove the charcode overflow check.
(tt_cmap{4,12,13}_char_map_binary): Ditto and use do-while.
(tt_cmap{12,13}_char_next): Add the overflow check.
The deprecated POST version 2.5 can be handled using the data
structures of version 2.0. The goal is to reduce the footprint.
* include/freetype/internal/tttypes.h (TT_Post_Names): Absorb and...
(TT_Post_20, TT_Post_25): ... remove these structures.
src/sfnt/ttpost.c (load_post_names, tt_face_get_ps_name,
tt_face_free_ps_names, load_format_20): Updated accordingly.
(load_format_25): ditto and convert offsets to glyph indices.
* src/sfnt/ttpost.c (load_format_20): Decrease casts.
(load_format_25): Check the table length and impose a theoretical
glyph number limit usable with 8-bit offset. Decrease casts.
(load_post_names): Pass the mapping data length without 2 bytes.
* src/sfnt/ttpost.c (load_format_20): Co-allocate the string data and
their pointers, which makes it easier to handle and free them.
(tt_face_free_ps_names): Updated.
* include/freetype/internal/tttypes.h (TT_Post_20): Update type.
* src/cff/cffparse.c (cff_parser_run): Allocate the charstring buffers
and the list nodes together so that they can be freed at once.
(finalize_t2_strings): Removed as no longer needed.
(cff_parser_done): Updated.
The old stream limit checks, before 6986ddac1e, were good but
pointless for the crafted t2_strings. Checking limits there is
not necessary as they are created to hold all data. By using two
conditions, we can detect the actual crossing of the stream boundary
as appropriate for the stream pointer only. The t2_strings parsing
will not be triggering these checks.
* src/cff/cffparse.c (cff_parser_within_limits): Removed.
(cff_parse_real, cff_parse_integer): Redesign the stream limit check.
(cff_parse_num, do fixed, cff_parse_fixed_dynamic): Update callers.
* src/truetype/ttgload.c (TT_Process_Composite_Glyph,
TT_Load_Simple_Glyph): Clean up old instructions regardless of
new ones, postpone setting `control_len` and `control_data` until...
(TT_Load_Glyph): ... the exit from this function.
The number of instructions is now taken from the executed context.
Technically, this means that `control_len` and `control_data`
values are no longer _used_ internally but only expose them.
Based on ideas from Jouk Jansen <joukj@hrem.nano.tudelft.nl>.
* src/tools/vms_shorten_symbol.c: New file, taken from
https://sourceforge.net/p/vms-ports/vmsshortsym/ci/default/tree/vms_shorten_symbol.c
with some minor edits to allow compilation with C++ and being included in
another source code file.
* src/tools/apinames.c: Include `vms_shorten_symbol.c`.
(PROGRAM_VERSION): Set to '0.5'.
(names_dump) [OUTPUT_VMS_OPT]: Call `vms_shorten_symbol` to get unique function
identifiers not longer than 31 characters.
* src/cff/cffparse.c (finalize_t2_strings): Fix NULL-dereferencing
in the out-of-memory situation, use `FT_FREE`.
(cff_parser_run): Use FreeType memory allocation macros and avoid
uninitialized pointers.
Technically, `strtol` can only be used with C strings terminated with
`\0`. CID data is not generally null-terminated and often does not
contain a `\0` if it is hex-encoded. AddressSanitizer with `ASAN_OPTIONS`
containing `strict_string_checks=1` verifies this by using an adversarial
`strtol` that always reads to the terminating `\0`.
To avoid undefined behavior from `strtol` in `cid_parser_new`, use the
parser to parse the tokens instead of attempting to parse them ad-hoc.
This will internally use `PS_Conv_Strtol` to parse the integer, which
respects the parser's limits and directly implements the PostScript
parsing rules for integers.
* src/cid/cidparse.c (cid_parser_new): Use the parser to parse the
tokens.
Fixes: https://bugs.chromium.org/p/chromium/issues/detail?id=1420329