Instead of validating variation axes in every access, OpenType specs
suggest that peak = 0 be used to tag invalid ranges. This implements
just that once during loading.
* src/cff/cffload.c (cff_blend_build_vector): Move the range checks...
(cff_vstore_load): ... here.
* src/truetype/ttgxvar.c (tt_var_get_item_delta): Ditto...
(tt_var_load_item_variation_store): ... ditto.
This should achieve quicker results for common cases.
* src/cff/cffload.c (cff_blend_build_vector): Rearrange conditionals.
* src/truetype/ttgxvar.c (tt_var_get_item_delta): Ditto.
* include/freetype/internal/t1types.h: Host PS_DesignMap and PS_Blend.
* include/freetype/ftmm.h: Host and document TT_MAX_MM_XXX.
* include/freetype/t1tables.h: Remove them from here.
`T1_FIELD_ZERO` is used to zero initialize a `T1_FieldRec`.
`T1_FIELD_ZERO` is currently initilizing `T1_FieldRec::location` with a
`T1_FieldType` and `T1_FieldRec::type` with a `T1_FieldLocation`. This
was detected with `-Wenum-conversion`.
* include/freetype/internal/psaux.h (T1_FIELD_ZERO): correct order of
initalizers
In 32 bit builds `FT_ULong` is 32 bits and can silently overflow when a
large number is read into one and then it is summed or multiplied with
another number. Checks for range overflow must be written so that they
themselves do not overflow. Also ensure that the table_size is always the
first part of the range check and consistently use `<` or `<=`.
* src/sfnt/ttcolr.c (tt_face_load_colr): Avoid overflow.
(find_base_glyph_v1_record): Remove old work-around.
Bug: https://issues.chromium.org/issues/41495455
Bug: https://issues.chromium.org/issues/40945818
FT_SqrtFixed (95b0fe2a6d) is faster and does not overflow.
* src/sdf/ftsdfcommin.h (square_root): Replace with a macro.
* src/sdf/ftsdfcommin.c (square_root): Remove function.
The upper limit of 4095 is implied by the SFNT header format
where the multiplication by 16 would overflow without it.
* src/sfnt/sfwoff.c (woff_open_font): Updated.
* src/sfnt/sfwoff2.c (woff2_open_font): Ditto.
The existing code already disallows zero table woff2 overall, but still
allows for individual CollectionFontEntry to create font instances with
zero tables. Such fonts are not useful so error early.
This also fixes an MSAN discovered issue where if a CollectionFontEntry
numTables is zero then the sfnt_header was not fully initialized.
* src/sfnt/sfwoff2.c (woff2_open_font): error on zero tables, always
initalize sfnt_header
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68384
Resetting of the size nodes can crash, if a parent face purge happens
simultaneously and destroys the node. It is safer to create a new node.
Fixes#1270, reopened with a separate issue.
* src/cache/ftcbasic.c (FTC_BasicAttrRec): Match type of `load_flags`
to its main purpose in `FT_Load_Glyph`.
(FTC_ImageCache_Lookup{,Scaler},FTC_SBitCache_Lookup{,Scaler}): Updated.
Manipulate the cache after a face is requested or a size is looked up
successfully. Fixes#1270.
* src/cache/ftcmanag.c (ftc_size_node_init, ftc_size_node_reset,
ftc_face_node_init): Check for errors before accepting a change.
* src/cache/ftcmru.c (FTC_MruList_New): Do nothing if reset fails.
With horizontal bisections, the smallest section is a whole single
scanline. Almost horizontal lines or other complex scanlines can
easily overflow the rendering pool. Switching to vertical bisections
splits the scanlines and should rule out the overflows. Fixes#1269.
* src/smooth/ftgrays.c (gray_convert_glyph): Bisect vertically.
Alexei Podtelezhnikov