Add argument to return the actual number of bytes that were decoded.
The actual number of bytes decoded can be quite variable depending
on the number of ignored 'whitespace' bytes or early termination
with `>`.
(cid_face_open): Updated to use this calculated value. This avoids
trusting `parser->binary_length` is always be correct and reading
uninitialized bits if fewer are actually decoded.
First reported as
https://crbug.com/1203240
To reduce memory allocations, we read an entire Pascal-string buffer
and convert it to a C-string buffer. We also reject tables with
Postscript glyph names exceeding 63 bytes.
* src/sfnt/ttpost.c (load_format20): Implement it.
(load_post_names): Check the minimal POST table size.
(load_format25, tt_face_free_ps_names): Updated accordingly.
* src/sfnt/sfdriver.c (get_win_string, get_apple_string,
sfnt_get_var_ps_name): Do not zero out the buffer.
* src/sfnt/sfobjs.c (sfnt_init_face): Ditto.
* src/sfnt/sfwoff.c (woff_open_font): Ditto.
* src/sfnt/sfwoff2.c (woff2_open_font): Ditto.
* src/pcf/pcfread.c (pcf_interpret_style): Do not zero out the buffer.
* src/bdf/bdfdrivr.c (bdf_interpret_style): Ditto.
* src/winfonts/winfnt.c (FNT_Face_Init, FNT_Load_Glyph): Ditto.
* src/base/ftobjs.c (open_face_PS_from_sfnt_stream,
Mac_Read_sfnt_Resource): Do not zero out the buffer.
* src/base/ftmac.c (FT_New_Face_From_SFNT, read_lwfn): Ditto.
* src/base/ftrfork.c (raccess_make_file_name,
raccess_guess_darwin_hfsplus, raccess_guess_darwin_newvfs): Ditto.
* src/sfnt/ttcolr.c (tt_face_get_paint_layers): Do not output
layer pointer to iterator if it is outside the 'COLR' table.
(read_paint): Do not attempt to read layers that are outside the
table.
* src/base/ftobjs.c (ft_glyphslot_clear): This function is intended
to reset all the values of a glyph slot. However, it was not
resetting the values of the advances and `glyph_index`. Reset the
advances and `glyph_index` to zero.
In commit 531d463aed
[truetype] Allocate TT_ExecContext in TT_Size instead of TT_Driver.
the `TT_ExecContext` was moved from being on the driver to being on the size
to make it easier to use FreeType in a multi-threaded environment. However,
the documentation for `TT_New_Context` was not updated and still reflects
the old behavior and parameter list.
This change updates `TT_New_Context` documentation to reflect the current
parameters and usage.
`FDEF` instructions are specified as allowed only in 'prep' or
'fpgm'. FreeType has attempted to prevent their use in the glyph
program, but they were still allowed in glyph programs if defined in
a function defined in 'prep' or 'fpgm' and called from the glyph
program.
Similarly, `IDEF` instructions are specified not to be able to
modify any existing instruction. FreeType has attempted to prevent
their use in the glyph program, but they can still be used like
`FDEF`.
This change stores the initial bytecode range type and disallows the
use of `FDEF` and `IDEF` while running the glyph program.
Most other state is copied from the `TT_Size` into the execution
context. However, it is possible for a glyph program to use `WS` to
write to the storage area or `WCVTP`, `WCVTF`, and `DELTAC[123]` to
write to the control value table.
Allowing any change to the global state from the glyph program is
problematic as the outlines of any given glyph may change based on
the order the glyphs are loaded or even how many times they are
loaded. There exist fonts that write to the storage area or the
control value table in the glyph program, so their use should not be
an error.
Possible solutions to using these in the glyph program are
* ignore the writes;
* value-level copy on write, discard modified values when finished;
* array-level copy on write, discard the copy when finished;
* array-level copy up-front.
Ignoring the writes may break otherwise good uses. A full copy
up-front was implemented, but was quite heavy as even well behaved
fonts required a full copy and the memory management that goes along
with it. Value-level copy on write could use less memory but
requires a great deal more record keeping and complexity. This
change implements array-level copy on write. If any attempt is made
to write to the control value table or the storage area when the
initial bytecode range was in a glyph program, the relevant array
will be copied to a designated storage area and the copy used for
the rest of the glyph program's execution.
* src/truetype/ttinterp.h (TT_ExecContextRec): New fields
`iniRange`, `glyfCvtSize`, `glyfCvt`, `origCvt`, `glyfStoreSize`,
`glyfStorage`, and `origStorage`.
* src/truetype/ttinterp.c (Modify_CVT_Check): New function to handle
`exc->glyfCvt`.
(Write_CVT, Write_CVT_Stretched, Move_CVT, Move_CVT_Stretched): Use
it.
(Ins_WS): Handle `exc->glyfStorage`.
(Ins_FDEF, Ins_IDEF): Updated.
(TT_RunIns): Updated.
(TT_Done_Context): Free 'glyf' CVT working and storage area.
(TT_Load_Context): Fix/add casts.
* src/truetype/ttgload.c (TT_Load_Simple_Glyph): Fix cast.
* src/sfnt/ttcolr.c (get_child_table_pointer): New function to fetch
child table pointer early for all paint formats that compute a child
table pointer.
(read_color_line, read_paint): Updated.
(tt_face_get_colorline_stops): Check `colr->table`.
Reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=1182552
Memory is allocated and the pointer assigned to `rows` inside a
'setjmp' scope. This memory must be freed outside the 'setjmp'
scope after a 'longjmp'. Since `rows` is a local and modified
inside the 'setjmp' scope it must be marked volatile or it will have
an indeterminate value after the 'longjmp'.
* src/sfnt/pngshim.c (Load_SBit_Png): Fix memory leak of `rows`.
Ben Wagner