Werner Lemberg
59ae73fe16
[cid] Better check of `SubrCount' dictionary entry ( #46272 ).
...
* src/cid/cidload.c (cid_face_open): Add more sanity tests for
`fd_bytes', `gd_bytes', `sd_bytes', and `num_subrs'.
2015-10-22 09:26:00 +02:00
Werner Lemberg
e484d36b2b
[base] Pacify compiler ( #46266 ).
...
* src/base/ftoutln.c (FT_Outline_EmboldenXY): Initialize `in' and
`anchor'.
2015-10-21 20:48:27 +02:00
Werner Lemberg
87fefc594e
[type42] Fix heap buffer overflow ( #46269 ).
...
* src/type42/t42parse.c (t42_parse_sfnts): Fix off-by-one error in
bounds checking.
2015-10-21 20:29:12 +02:00
Dave Arnold
3cfd51233c
[cff] Fix limit in assert for max hints.
...
* src/cff/cf2interp.c (cf2_hintmask_setAll): Allow mask equal to the
limit (96 bits).
2015-10-21 14:07:25 +02:00
Dave Arnold
748e368173
[cff] Remove an assert ( #46107 ).
...
* src/cff/cf2hints.c (cf2_hintmap_insertHint): Ignore paired edges
in wrong order.
2015-10-21 13:58:43 +02:00
Werner Lemberg
e6593389cf
[sfnt] Avoid unnecessarily large allocation for WOFFs ( #46257 ).
...
* src/sfnt/sfobjs.c (woff_open_font): Use WOFF's `totalSfntSize'
only after thorough checks.
Add tracing messages.
2015-10-21 08:04:29 +02:00
Werner Lemberg
649ca5562d
[type42] Better check invalid `sfnts' array data ( #46255 ).
...
* src/type42/t42parse.c (t42_parse_sfnts): Table lengths must be
checked individually against available data size.
2015-10-21 07:01:45 +02:00
Werner Lemberg
3eccc3a3f8
[cid] Add a bunch of safety checks.
...
* src/cid/cidload.c (parse_fd_array): Check `num_dicts' against
stream size.
(cid_read_subrs): Check largest offset against stream size.
(cid_parse_dict): Move safety check to ...
(cid_face_open): ... this function.
Also test length of binary data and values of `SDBytes',
`SubrMapOffset', `SubrCount', `CIDMapOffset', and `CIDCount'.
2015-10-20 22:31:57 +02:00
Werner Lemberg
d47d372c96
[cid] Avoid segfault with malformed input ( #46250 ).
...
* src/cid/cidload.c (cid_read_subrs): Return a proper error code for
unsorted offsets.
2015-10-20 12:24:36 +02:00
StudioEtrange
5cf83a5335
* CMakeLists.txt: Enable shared library builds on MinGW ( #46233 ).
2015-10-20 07:19:44 +02:00
Werner Lemberg
3c582060b2
* src/type1/t1afm.c (T1_Read_Metrics): Fix memory leak ( #46229 ).
2015-10-20 06:57:28 +02:00
Bungeman
ba8a528b19
[cid] Better handle invalid glyph stream offsets ( #46221 ).
...
* src/cid/cidgload.c (cid_load_glyph): Check minimum size of glyph
length.
2015-10-19 23:27:06 +02:00
Werner Lemberg
24cee3a8a3
[psaux] Fix tracing of negative numbers.
...
Due to incorrect casting negative numbers were shown as very large
(positive) integers on 64bit systems.
* src/psaux/t1decode.c (t1_decoder_parse_charstrings) <op_none>:
Use division instead of shift.
2015-10-19 23:00:28 +02:00
Werner Lemberg
14213b5409
[truetype] Improve TT_CONFIG_OPTION_MAX_RUNNABLE_OPCODES ( #46223 ).
...
* devel/ftoption.h, include/freetype/config/ftoption.h: Surround it
with #ifndef ... #endif, as suggested in the tracker issue.
2015-10-18 18:15:04 +02:00
Werner Lemberg
dcfc4d9c21
[truetype] Better protection against malformed `fpgm' ( #46223 ).
...
* src/truetype/ttobjs.c (tt_size_init_bytecode): Don't execute a
malformed `fpgm' table more than once.
2015-10-18 16:47:06 +02:00
Werner Lemberg
7643b5839b
* src/cid/cidgload.c (cid_load_glyph): Fix memory leak.
...
Reported by Kostya Serebryany <kcc@google.com>.
2015-10-17 15:51:29 +02:00
Werner Lemberg
b185747dd6
[bdf] Prevent memory leak ( #46217 ).
...
* src/bdf/bdflib.c (_bdf_parse_glyphs) <STARTCHAR>: Check
_BDF_GLYPH_BITS.
2015-10-17 14:21:41 +02:00
Werner Lemberg
e1ca18d449
[bdf] Use stream size to adjust number of glyphs.
...
* src/bdf/bdflib.c (ACMSG17): New message macro.
(_bdf_parse_t): Add member `size'.
(bdf_load_font): Set `size'.
(_bdf_parse_glyphs): Adjust `cnt' if necessary.
2015-10-17 11:51:27 +02:00
Werner Lemberg
0af21dcf13
* src/cid/cidload.c (cid_parse_dict): Check `[FG]DBytes' size.
2015-10-17 09:29:52 +02:00
Werner Lemberg
0ba98da472
* src/cid/cidgload.c (cid_glyph_load): Check file offsets ( #46222 ).
2015-10-17 09:11:02 +02:00
Werner Lemberg
8edfcbed53
[psaux] Fix heap buffer overflow ( #46221 ).
...
* src/psaux/t1decode.c (t1_decoder_parse_charstring) <operator 12>:
Fix limit check.
2015-10-17 08:11:16 +02:00
Werner Lemberg
a5ecfb4ce6
* src/cid/cidload.c (cid_parse_dict): Handle invalid input ( #46220 ).
2015-10-17 06:15:55 +02:00
Kostya Serebryany
266976b163
add src/tools/ftfuzzer/README
2015-10-15 22:15:53 -07:00
Bungeman
65d8980491
[bdf] Fix memory leak ( #46213 ).
...
* src/bdf/bdflib.c (bdf_load_font): Always go to label `Fail' in
case of error.
2015-10-15 23:50:16 +02:00
Werner Lemberg
24a1fcdfce
[truetype] Add TT_CONFIG_OPTION_MAX_RUNNABLE_OPCODES ( #46208 ).
...
* devel/ftoption.h, include/freetype/config/ftoption.h
(TT_CONFIG_OPTION_MAX_RUNNABLE_OPCODES): New configuration macro.
* src/truetype/ttinterp.c (MAX_RUNNABLE_OPCODES): Removed.
(TT_RunIns): Updated.
2015-10-15 21:50:15 +02:00
Werner Lemberg
837ad9d411
* src/truetype/ttinterp.c (TT_RunIns): Fix bytecode stack tracing.
...
The used indices were off by 1.
2015-10-15 21:15:45 +02:00
Werner Lemberg
8b76eaf092
* src/tools/ftfuzzer/ftfuzzer.cc: Handle fixed sizes ( #46211 ).
2015-10-15 18:28:43 +02:00
Werner Lemberg
e03214e166
[base] Compute MD5 checksums only if explicitly requested.
...
This improves profiling accuracy.
* src/base/ftobjs.c (FT_Render_Glyph_Internal): Implement it.
2015-10-15 16:58:13 +02:00
Werner Lemberg
2a20c92c4b
[base] Use `FT_' namespace for MD5 functions ( #42366 ).
...
* src/base/ftobjs.c (MD5_*): Define as `FT_MD5_*'.
Undefine HAVE_OPENSSL.
2015-10-14 15:23:15 +02:00
Werner Lemberg
8539915d18
[type1] Correctly handle missing MM axis names ( #46202 ).
...
* src/type1/t1load.c (T1_Get_MM_Var): Implement it.
2015-10-13 20:43:19 +02:00
Werner Lemberg
58b61b6e05
[pcf] Quickly exit if font index < 0.
...
Similar to other font formats, this commit makes the parser no
longer check the whole PCF file but only the header and the TOC if
we just want to get the number of available faces (and a proper
recognition of the font format).
* src/pcf/pcfdrivr.c (PCF_Face_Init): Updated.
Exit quickly if face_index < 0.
* src/pcfread.c (pcf_load_font): Add `face_index' argument.
Exit quickly if face_index < 0.
* src/pcf/pcf.h: Updated.
2015-10-13 18:26:18 +02:00
Werner Lemberg
bdb56bba86
[ftfuzzer] Handle TTCs and MM/GX variations.
...
This patch also contains various other improvements.
* src/tools/ftfuzzer/ftfuzzer.cc: Add preprocessor guard to reject
pre-C++11 compilers.
(FT_Global): New class. Use it to provide a global constructor and
destructor for the `FT_Library' object.
(setIntermediateAxis): New function to select an (arbitrary)
instance.
(LLVMFuzzerTestOneInput): Loop over all faces and named instances.
Also call `FT_Set_Char_Size'.
2015-10-13 11:51:13 +02:00
Werner Lemberg
43a96eb26f
[truetype] Refine some GX sanity tests.
...
Use the `gvar' table size instead of the remaining bytes in the
stream.
* src/truetype/ttgxvar.h (GX_BlendRec): New field `gvar_size'.
* src/truetype/ttgxvar.c (ft_var_load_gvar): Set `gvar_size'.
(ft_var_readpackedpoints, ft_var_readpackeddeltas: New argument
`size'.
(tt_face_vary_cvt, TT_Vary_Apply_Glyph_Deltas): Updated.
2015-10-13 11:18:55 +02:00
Werner Lemberg
052f6c5649
[truetype] Another GX sanity test.
...
* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Check
`tupleCount'.
Add tracing message.
2015-10-13 08:24:32 +02:00
Werner Lemberg
7ef0d8661a
[truetype] Fix memory leak for broken GX fonts ( #46188 ).
...
* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Fix scope of
deallocation.
2015-10-13 08:14:20 +02:00
Werner Lemberg
f96094eef0
[truetype] Fix commit from 2015-10-10.
...
* src/truetype/ttgxvar.c (ft_var_load_gvar): Add missing error
handling body to condition.
2015-10-13 07:13:56 +02:00
Werner Lemberg
b9880aa0f8
[unix] Make MKDIR_P actually work.
...
* builds/unix/configure.raw: Fix underquoting of `INSTALL' and
`MKDIR_P'.
Problem reported by Dan Liddell <lddll@yahoo.com>.
2015-10-12 10:13:26 +02:00
Werner Lemberg
4f7f6f6e47
[sfnt] Improve extraction of number of named instances.
...
* src/sfnt/sfobjs.c (sfnt_init_face)
[TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Check number of instances against
`fvar' table size.
2015-10-11 07:55:25 +02:00
Werner Lemberg
a724dcf5c3
Split off ChangeLog.25.
2015-10-11 05:50:07 +02:00
Alexei Podtelezhnikov
c14ae9c5fd
* src/base/ftoutln.c (FT_Outline_Get_Orientation): Fix overflow ( #46149 ).
2015-10-10 22:28:26 -04:00
Werner Lemberg
8de39a7919
[sfnt] Fix infinite loops with broken cmaps ( #46167 ).
...
* src/sfnt/ttcmap.c (tt_cmap8_char_next, tt_cmap12_next): Take care
of border condidions (i.e., if the loops exit naturally).
2015-10-10 13:34:11 +02:00
Werner Lemberg
da34673e54
[truetype] More sanity tests for GX handling.
...
These tests should mainly help avoid unnecessarily large memory
allocations in case of malformed fonts.
* src/truetype/ttgxvar.c (ft_var_readpackedpoints,
ft_var_readpackeddeltas): Check number of points against stream
size.
(ft_var_load_avar): Check `pairCount' against table length.
(ft_var_load_gvar): Check `globalCoordCount' and `glyphCount'
against table length.
(tt_face_vary_cvt): Check `tupleCount' and `offsetToData'.
Fix trace.
(TT_Vary_Apply_Glyph_Deltas): Fix trace.
Free `sharedpoints' to avoid memory leak.
2015-10-10 10:21:27 +02:00
Werner Lemberg
c220d8b498
[truetype] Better protection against malformed GX data ( #46166 ).
...
* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Correctly
handle empty `localpoints' array.
2015-10-10 08:13:04 +02:00
Werner Lemberg
d353f6e012
* src/pcf/pcfread.c (pcf_read_TOC): Check stream size ( #46162 ).
2015-10-10 06:54:46 +02:00
Werner Lemberg
c12956e700
* src/gzip/ftgzip.c (FT_Stream_OpenGzip): Use real stream size.
2015-10-09 09:38:32 +02:00
Werner Lemberg
d98053c997
[pcf] Protect against invalid number of TOC entries ( #46159 ).
...
* src/pcf/pcfread.c (pcf_read_TOC): Check number of TOC entries
against size of data stream.
2015-10-08 23:17:41 +02:00
Werner Lemberg
06c2d3324e
[type42] Protect against invalid number of glyphs ( #46159 ).
...
* src/type42/t42parse.c (t42_parse_charstrings): Check number of
`CharStrings' dictionary entries against size of data stream.
2015-10-08 21:31:57 +02:00
Werner Lemberg
983b00ec86
[sfnt] Fix some signed overflows ( #46149 ).
...
* src/sfnt/ttsbit.c (tt_face_load_strike_metrics)
<TT_SBIT_TABLE_TYPE_SBIX>: Use `FT_MulDiv'.
2015-10-08 18:44:45 +02:00
Werner Lemberg
121122416d
[type1] Protect against invalid number of subroutines ( #46150 ).
...
* src/type1/t1load.c (parse_subrs): Check number of
`Subrs' dictionary entries against size of data stream.
2015-10-08 08:55:15 +02:00
Kostya Serebryany
dde84f2539
[ftfuzzer] Add support for LLVM's LibFuzzer.
...
* src/tools/ftfuzzer/ftfuzzer.cc, src/tools/runinput.cc: New files.
2015-10-07 22:18:22 +02:00