In C it is undefined behavior to call a function through a function pointer
of a different type. This is now detected by the Control Flow Integrity
Sanitizer. All known issues have already been fixed. Prevent any
accidental re-introduction by removing function pointer casts when defining
services. The services will call the service functions through the function
pointers on the service. As a result the functions must have the same type
so there should be no need to cast. Removing the casts allows compilers to
warn about assignment to an incompatible function pointer type.
Ensure that all driver functions use the signature of the service or driver.
This avoids pointer mismatches, which are technically undefined behaviour.
Recent compilers are more picky in catching them as part of Control Flow
Integrity tests.
A variation font's PostScript name of a named instance is usually different
from the PostScript name of an unnamed instance. However, if a change
between a named instance and an unnamed instance with exactly the same
design axis values happened, it was possible that the PostScript name wasn't
correctly updated.
This commit reorganizes the code to handle this issue within the top-level
API functions, using a new service to trigger recomputation of the
PostScript name.
* include/freetype/internal/services/svmm.h (FT_Construct_PS_Name_Func): New
typedef.
(FT_Service_MultiMasters): New field `construct_ps_name`.
(FT_DEFINE_SERVICE_MULTIMASTERSREC): Updated.
* src/base/ftmm.c (FT_Set_Var_Design_Coordinates,
FT_Set_MM_Blend_Coordinates, FT_Set_Var_Blend_Coordinates): Call
`mm->construct_ps_name` to handle `postscript_name`.
(FT_Set_Named_Instance): Call `mm->construct_ps_name` to handle
`postscript_name`.
Use shortcut.
* src/cff/cffdrivr.c (cff_construct_ps_name): New function.
(cff_service_multi_masters): Updated.
* src/truetype/ttgxvar.c (tt_set_mm_blend): Don't handle `postscript_name`.
(TT_Set_MM_Blend): Simplify.
(TT_Set_Named_Instance): Return -1 if axis values haven't changed.
Don't set `face_index`.
(tt_construct_ps_name): New function.
* src/truetype/ttgxvar.h: Updated.
* src/truetype/ttdriver.c (tt_service_gx_multi_masters): Updated.
* src/type1/t1driver.c (t1_service_multi_masters): Updated.
* src/type1/t1load.c (T1_Set_MM_Blend): Simplify.
According to the documentation, the functions `FT_Set_Named_Instance`,
`FT_Set_MM_Design_Coordinates`, `FT_Set_Var_Design_Coordinates`, and
`FT_Set_Var_Blend_Coordinates` can unset the `FT_FACE_FLAG_VARIATION` flag.
(The same is true for `FT_Set_MM_WeightVector` but this information was
accidentally omitted from the documentation.)
However, if a call of these functions didn't change the axis values this
could fail because internal shortcuts exited too early.
This commit reorganizes the code to handle `FT_FACE_FLAG_VARIATION` in the
top-level API functions, also taking care of the issue at hand.
* src/base/ftmm.c (FT_Set_MM_Design_Coordinates, FT_Set_MM_WeightVector,
FT_Set_Var_Design_Coordinates, FT_Set_MM_Blend_Coordinates,
FT_Set_Var_Blend_Coordinates): Handle `FT_FACE_FLAG_VARIATION`.
* src/truetype/ttgxvar.c (TT_Set_MM_Blend, TT_Set_Var_Design,
TT_Set_Named_Instance) Don't handle `FT_FACE_FLAG_VARIATION`.
* src/type1/t1load.c (T1_Set_MM_Blend, T1_Set_MM_WeightVector,
T1_Set_MM_Design): Ditto.
* src/cff/cffobjs.c (cff_face_init): Use `FT_Set_Named_Instance` instead of
low-level functions.
* src/truetype/ttobjs.c (tt_face_init): Ditto.
The design coordinates for MM fonts were not rounded. For example,
`FT_Get_Var_Design_Coordinates` returned values with fractional part.
* src/type1/t1load.c (mm_axis_unmap): Refactor with rounding.
* include/freetype/ftmm.h (FT_Var_Axis, FT_Set_Var_Design_Coordinates,
FT_Get_Var_Design_Coordinates): Reword documentation.
Otherwise we get zillions of clang 15 warnings.
* src/autofit/afcjk.c, src/autofit/afhints.c, src/autofit/aflatin.c,
src/base/ftobjs.c, src/base/ftoutln.c, src/cff/cffparse.c,
src/raster/ftraster.c, src/sfnt/pngshim.c, src/truetype/ttgload.c,
src/truetype/ttgxvar.c, src/truetype/ttobjs.c, src/type1/t1gload.c: Use
`double` cast in debugging and tracing macros.
The ascender and descender are optional in the AFM specifications.
They could be omitted or even set to zero, e.g., in the current release
of URW++ base 35 fonts.
This follows similar code in `cff_slot_done`.
* src/base/ftobjs.c (ft_glyphslot_done), src/type1/t1objs.c
(T1_GlyphSlot_Done): Check `internal` pointer.
The Type1 problems was reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50057.
This code originally just searched for `eexec`. This was later modified
to check that the `eexec` found is valid (not in a string or comment).
This was done by searching for `eexec` as before and then, for each
`eexec` found, searching from the beginning using the correct parsing to
see if the `eexec` was still found. If the private dictionary is large
and contains many copies of `eexec` which are not valid, the initial
part of the private dictionary is scanned once for each, potentially
leading to n^2 parsing time.
Instead of finding an initial `eexec` and then re-parsing to discover if
it is valid, drop the initial search for `eexec` and just parse to find
a valid `eexec`. This is strictly faster since the validation must
happen anyway and avoids restarting from the beginning each time an
`eexec` is found in the data.
* src/type1/t1parse.c (T1_Get_Private_Dict): avoid n^2 parsing
Bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1328883
In a Multiple Master font, the Blend dictionary must contain valid
Private, FontInfo, and FontBBox. The current code will error if any of
these are present and invalid, but will not error and will provide
uninitialized data if the Blend dictionary exists but does not contain
one of these entries. This change reverts to the older behavior of
treating any missing entries as containing all zero data and not
returning an error.
In the future it may be best to keep track of when these are actually
initialized and error if they are not.
* src/type1/t1load.c (t1_allocate_blend): Zero initiailize.
Previously the `blend->weight_vector`, `blend->default_weight_vector`,
and `blend->design_pos` were set early to allocated but uninitialized
memory under the assumption that the memory would eventually be
initialized. However, it is possible that some of the required
keywords may not actually be present, leaving the memory uninitialized.
This is different from a present but invalid table, which would produce
an error.
Reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=1261762
* src/type1/t1load.c (t1_allocate_blend): Remove early allocation and
initialization.
(parse_blend_design_positions, parse_weight_vector): Parse into local
and assign to blend if valid.
(T1_Open_Face): Check that if a blend exists that it has the weight
vector and design positions.
* include/freetype/internal/compiler-macros.h (FT_COMPARE_DEF):
Add new macro.
* src/base/ftrfork.c, src/bdf/bdflib.c, src/gxvalid/gxvcommn.c,
src/psaux/afmparse.c, src/psnames/psmodule.c, src/type1/t1afm.c,
src/sfnt/sfwoff.c, src/sfnt/sfwoff2.c: Update qsort callbacks.
Fixes#1026 when compiling FreeType with an unusual calling convention
while the C library qsort still expects cdecl.
This ensures good logging output, with all lines having a proper
prefix (if requested).
This is a continuation of a similar patch from 2020-12-02, which
missed some locations.
We no longer have to take care of the 8.3 file name limit; this
allows us (a) to introduce longer, meaningful file names, and (b) to
avoid macro names in `#include' lines altogether since some
compilers (most notably Visual C++) doesn't support this properly.
*/*: Replace
#include FOO_H
with
#include <freetype/foo.h>
or something similar. Also update the documentation.
These have not been used in a very, very long time, so better remove
them. A corresponding patch will be submitted to the
`freetype2-demos' repository.
* src/Jamfile, src/*/Jamfile, Jamrules: Delete.
Werner Lemberg