Reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=1505216

* src/sfnt/ttcolr.c (find_base_glyph_v1_record): Guard access of the search
pointer during binary search. The pointer needs to be checked as we go as
the test that compares number of v1 glyphs with table size at the time of
loading the table is not sufficient on its own.

A scenario is possible in which the `BaseGlyphRecord` list extends into
non-`BaseGlyphRecord` parts of the 'COLR' v1 table (but passed the size
comparison check). Then, at those locations, invalid glyph ID values are
read and may provoke an invalid read due to reassigning min and max values
during the binary search.

The values read into `base_glyphs_offset_v1` and `layer_offset_v1` may
be in the range 0xFFFFFFFD-0xFFFFFFFF. On systems where `unsigned long`
is 32 bits, adding 4 to such values will wrap and pass bounds checks, but
accessing values at such offsets will be out of bounds.

On the other hand, `table_size` has already been tested to be at least
`COLRV1_HEADER_SIZE` (34), so it is safe to subtract 4 from it.

* src/sfnt/ttcolr.c (tt_face_load_colr): Subtract 4 from `table_size`
instead of adding 4 to font data offsets in bounds checks.

Fixes: https://crbug.com/1469348
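The wrap in the entry above, as an added example that is not FreeType's code: `uint32_t` stands in for a 32-bit `unsigned long`, `COLRV1_HEADER_SIZE` is the value quoted in the entry, and the table size and offsets are constructed.

```c
/* Added example (not FreeType code): the bounds-check wrap from the entry
 * above. `uint32_t` stands in for a 32-bit `unsigned long`. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define COLRV1_HEADER_SIZE 34u  /* minimum 'COLR' v1 size checked by the loader */

/* Old form: `offset + 4 <= table_size`. For offsets near 0xFFFFFFFF the
 * addition wraps to a tiny value and the check passes although a 4-byte
 * read at `offset` lies far outside the table. */
static bool offset_ok_add(uint32_t offset, uint32_t table_size)
{
  uint32_t end = offset + 4;              /* wraps when offset > 0xFFFFFFFB */
  return end <= table_size;
}

/* Fixed form: `offset <= table_size - 4`. The subtraction cannot wrap once
 * table_size >= COLRV1_HEADER_SIZE has been established, so there is no
 * arithmetic on the untrusted offset at all. */
static bool offset_ok_sub(uint32_t offset, uint32_t table_size)
{
  if (table_size < COLRV1_HEADER_SIZE)
    return false;
  return offset <= table_size - 4;
}

int main(void)
{
  /* Constructed values: a 1024-byte table, two edge offsets, three wrapping ones. */
  const uint32_t table_size = 1024;
  const uint32_t offsets[] = { 1020, 1021, 0xFFFFFFFDu, 0xFFFFFFFEu, 0xFFFFFFFFu };
  for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++)
    printf("offset 0x%08X: add-check %s, sub-check %s\n", (unsigned)offsets[i],
           offset_ok_add(offsets[i], table_size) ? "accepts" : "rejects",
           offset_ok_sub(offsets[i], table_size) ? "accepts" : "rejects");
  return 0;
}
```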

In WOFF the `totalSfntSize` must be correct; however, in WOFF2 this value
is now just a hint and a conforming implementation must not reject
otherwise valid data if the `totalSfntSize` turns out not to be exact.

* src/sfnt/sfwoff2.c (woff2_open_font): Remove check that uncompressed
woff2 data would fit in the sfnt size guess.

Fixes: #1235

In C it is undefined behavior to call a function through a function pointer
of a different type. This is now detected by the Control Flow Integrity
Sanitizer. All known issues have already been fixed. Prevent any
accidental re-introduction by removing function pointer casts when defining
services. The services will call the service functions through the function
pointers on the service. As a result the functions must have the same type
so there should be no need to cast. Removing the casts allows compilers to
warn about assignment to an incompatible function pointer type.

Ensure that all driver functions use the signature of the service or driver.
This avoids pointer mismatches, which are technically undefined behaviour.
Recent compilers are more picky in catching them as part of Control Flow
Integrity tests.

* src/sfnt/sfdriver.c (sfnt_load_table): New wrapper function.
(sfnt_service_sfnt_table): Use it.

* include/freetype/internal/tttypes.h (TT_FaceRec): New field
`non_var_style_name`.
* src/sfnt/sfobjs.c (sfnt_load_face): Initialize `non_var_style_name`.
(sfnt_done_face): Free `non_var_style_name`.
* src/truetype/ttgxvar.c (TT_Set_Named_Instance): Restore non-VF style name
if switching back to non-VF mode.

This is a generalization of commit

```
commit e6699596af
Author: Werner Lemberg <wl@gnu.org>
Date: Thu Feb 2 11:38:04 2017 +0100
[truetype] Fix MVAR post-action handling.
```

It is also possible for plain `CFF ` style fonts to contain an `fvar` and
`MVAR` table and use `cff_metrics_adjust`. `tt_size_reset` should only be
called with `TT_Size` and never with `CFF_Size`.

Allow the "metrics-variations" service to specify the correct function (if
any) to reset `FT_Size`s after adjusting metrics.

* src/truetype/ttobjs.c (tt_size_reset): Split off some functionality
into...
(tt_size_reset_height): ... this new function.
* src/truetype/ttdriver.c (tt_service_metrics_variations): Add
`size_reset`.
(tt_size_select, tt_size_request): Updated.
* src/truetype/ttobjs.h: Updated.
* include/freetype/internal/services/svmetric.h (MetricsVariations): Add
`size_reset`.
(FT_DEFINE_SERVICE_METRICSVARIATIONSREC): Updated.
* include/freetype/internal/tttypes.h (TT_FaceRec_): Rename `var` to
`tt_var` and add `face_var`.
* src/cff/cffdrivr.c (cff_service_metrics_variations): Add `size_reset`.
(cff_hadvance_adjust, cff_metrics_adjust): Updated.
* src/cff/cffobjs.c (cff_face_init): Use `face_var`.
* src/sfnt/sfobjs.c (sfnt_init_face): Initialize `face_var`.
* src/sfnt/ttmtx.c (tt_face_get_metrics): Use `tt_var`.
* src/truetype/ttgxvar.c (tt_size_reset_iterator): Renamed to...
(ft_size_reset_iterator): ... this new function.
Call `size_reset`.
(tt_apply_mvar): Pass `size_reset` to `ft_size_reset_iterator`.

Fixes #1211

This is mostly cosmetic because FT_UInt and FT_UInt32 are likely identical.

* src/sfnt/ttcmap.c, src/cff/cffcmap.c, src/psaux/t1cmap.c,
src/psnames/psmodule.c, include/freetype/internal/services/svpscmap.h,
src/pfr/pfrcmap.c, src/winfonts/winfnt.c (*_char_next): Return FT_UInt.

This moves the charcode overflow checks upstream and turns some
while-loops into do-while ones to avoid the uninitialized warnings.
This should slightly reduce the number of checks and jumps.

* src/sfnt/ttcmap.c (tt_cmap{4,12,13}_next,
tt_cmap{4,12,13}_char_map_linear): Remove the charcode overflow check.
(tt_cmap{4,12,13}_char_map_binary): Ditto and use do-while.
(tt_cmap{12,13}_char_next): Add the overflow check.

The deprecated POST version 2.5 can be handled using the data
structures of version 2.0. The goal is to reduce the footprint.

* include/freetype/internal/tttypes.h (TT_Post_Names): Absorb and...
(TT_Post_20, TT_Post_25): ... remove these structures.
* src/sfnt/ttpost.c (load_post_names, tt_face_get_ps_name,
tt_face_free_ps_names, load_format_20): Updated accordingly.
(load_format_25): Ditto and convert offsets to glyph indices.

* src/sfnt/ttpost.c (load_format_20): Decrease casts.
(load_format_25): Check the table length and impose a theoretical
glyph number limit usable with 8-bit offset. Decrease casts.
(load_post_names): Pass the mapping data length without 2 bytes.

* src/sfnt/ttpost.c (load_format_20): Co-allocate the string data and
their pointers, which makes it easier to handle and free them.
(tt_face_free_ps_names): Updated.
* include/freetype/internal/tttypes.h (TT_Post_20): Update type.

Modern compilers get more insistent on that...

* include/freetype/internal/compiler-macros.h (FALL_THROUGH): Define.
* src/*: Use it instead of `/* fall through */` comments.

Fixes https://bugs.chromium.org/p/skia/issues/detail?id=14021

* src/sfnt/ttcolr.c (VAR_IDX_BASE_SIZE): New macro.
(tt_face_get_colorline_stops): Fix off-by-one bounds check calculation, take
`VarColorStop` into account, and hopefully make it easier to read.

* src/sfnt/ttcolr.c (read_paint): Add `colr` argument, necessary for...
... another use of `ENSURE_READ_BYTES`.
Update callers.
(tt_face_get_paint_layers): Ensure that the 4-byte paint table
offset can be read.

This is a follow-up to !124 and issue
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52404

* src/sfnt/ttcolr.c (ENSURE_READ_BYTES): New macro.
(read_paint): Use it – after the start pointer `p` has been checked for
whether it allows reading the format byte, each successive paint table field
read needs to be bounds-checked before reading further values.

Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52404

Add a check that the document content is actually contained within the
`SVG ` table. Without this check a malformed font may claim arbitrary
memory as its document content.

* src/sfnt/ttsvg.c (tt_face_load_svg): Take `numEntries` into account when
testing 'documentRecord' extents.
(find_doc): Rename `stream` to `document_records` for clarity.
(tt_face_load_svg_doc): Split `doc` from `doc_list` pointer for clarity.
Test that the document content is contained within the table.
Ensure minimum length of document before testing for gzip format.

Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51812
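The containment and minimum-length checks described in the entry above, as an added example that is not FreeType's code: the table layout is the OpenType `SVG ` table format, while `svg_doc_length`, `svg_doc_is_gzip` and the sample table bytes are constructed for this example.

```c
/* Added example (not FreeType code): check that an 'SVG ' table's document
 * records and the document bytes they reference lie inside the table.
 * Layout (OpenType): header = version u16, svgDocumentListOffset u32, reserved
 * u32; list = numEntries u16 + 12-byte records (startGlyphID u16, endGlyphID
 * u16, svgDocOffset u32 relative to the list start, svgDocLength u32). */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* Find the record covering `gid` and return its document length, or -1 if
 * there is no record or the record array / document is not contained in the
 * table. Each comparison is arranged so no sum of font-supplied values wraps. */
static long long svg_doc_length(const uint8_t *table, size_t table_size, uint16_t gid)
{
  if (table_size < 10) return -1;                      /* header incomplete */
  uint32_t list_off = rd32(table + 2);
  if (list_off > table_size - 2) return -1;            /* numEntries unreadable */
  const uint8_t *list = table + list_off;
  size_t list_size = table_size - list_off;            /* bytes from list start */
  uint16_t num = rd16(list);
  if ((size_t)num * 12 > list_size - 2) return -1;     /* records overrun table */
  for (size_t i = 0; i < num; i++) {
    const uint8_t *rec = list + 2 + i * 12;
    if (gid < rd16(rec) || gid > rd16(rec + 2)) continue;
    uint32_t off = rd32(rec + 4), len = rd32(rec + 8);
    if (off > list_size || len > list_size - off) return -1; /* not contained */
    return (long long)len;
  }
  return -1;                                           /* no record for gid */
}

/* gzip magic is three bytes, so test the length before reading them. */
static bool svg_doc_is_gzip(const uint8_t *doc, uint32_t len)
{
  return len >= 3 && doc[0] == 0x1F && doc[1] == 0x8B && doc[2] == 0x08;
}

/* Constructed sample: gid 1 owns a 5-byte document inside the table; gid 2's
 * record claims 4096 bytes that run past the end of the table. */
static const uint8_t SAMPLE_SVG[] = {
  0,0, 0,0,0,10, 0,0,0,0,          /* version 0, list at offset 10, reserved */
  0,2,                             /* numEntries = 2 */
  0,1, 0,1, 0,0,0,26, 0,0,0,5,     /* gid 1: offset 26, length 5 */
  0,2, 0,2, 0,0,0,31, 0,0,0x10,0,  /* gid 2: offset 31, length 4096 */
  '<','s','v','g','>' };           /* document bytes at list + 26 */
```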