* src/truetype/ttgcvar.c (ft_var_load_hvvar): restore previous behavior
In a previous change [0] the behavior of `ft_var_load_hvvar` was changed
to not load the item variation store if it was at offset 0, but not
return an error when this happened. This broke any users, like
`tt_hvadvance_adjust`, that rely on successful completion of
`ft_var_load_hvvar` to imply that returned table's `itemStore` had been
initialized. This lead such users to dereference NULL.
This change appears to have been unintentional and unrelated to the
actual avar2 changes. As a result, fix these NULL dereferences by
restoring the code to always attempt to initialize the `itemStore`.
[0] ae4eb996 "[truetype] Add support for `avar` table 2.0 format."
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53061
Fix "make multi" by MR !223
* include/freetype/internal/services/svmm.h: include ftmm.h to define FT_Get_MM_Func.
* src/truetype/ttgxvar.h: include ftmmtypes.h to use GX_AVarTable properly.
* src/base/ftmac.c: include ftdebug.h to use FT_THROW() properly.
The binary searches within charmaps can be accelerated because they
often contain dense continuous blocks of character codes. Within such
blocks, you can predict matches based on misses. This method has been
deployed in `bdf` since 0f122fef34; we only refactor it there. We now
use it in `pfr` and `psnames`, which speeds up the unicode charmap
access by about 50% in PFR and Type 1 fonts.
* src/bdf/bdfdrivr.c (bdf_cmap_char_{index,next}): Refactor.
* src/pfr/pfrcmap.c (pfr_cmap_char_{index,next}): Predict `mid` based
on the mismatch distance.
* src/psnames/psmodule.c (ps_unicodes_char_{index,next}): Ditto.
See
https://github.com/harfbuzz/boring-expansion-spec/blob/main/avar2.md
for the specification.
Currently, this is implemented only in most recent OS versions on Apple
platforms and in the HarfBuzz library, but it is expected to be added to the
OpenType standard soon.
* src/truetype/ttgxvar.h (GX_AVarTableRec): New structure.
(GX_BlendRec): Use it to replace `avar_segment` with `avar_table`.
* src/truetype/ttgxvar.c (ft_var_load_avar): Load new table version.
(ft_var_to_normalized, tt_done_blend): Extend for new format.
(ft_var_load_hvvar, ft_var_to_design): Updated.
Use pre-calculated scaling factors. Also, the advance widths used
to be rounded, which was incorrect.
* src/cff/cffgload.c (cff_slot_load): Use `x_scale` and `y_scale`.
* src/truetype/ttgload.c (TT_Load_Glyph): Ditto.
* src/sfnt/ttcolr.c (read_paint): Add `colr` argument, necessary for...
... another use of `ENSURE_READ_BYTES`.
Update callers.
(tt_face_get_paint_layers): Ensure that the 4-byte paint table
offset can be read.
This is a follow-up to !124 and issue
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52404
* src/sfnt/ttcolr.c (ENSURE_READ_BYTES): New macro.
(read_paint): Use it – after the start pointer `p` has been checked for
whether it allows reading the format byte, each successive paint table field
read need to be bounds-checked before reading further values.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52404
This ancient option stayed completely undocumented. Given that the 'cff'
driver requires the 'psnames' module, it makes no sense today to have this
macro.
* src/cff/cffdrivr.c (cff_services), src/cff/cffobjs.c (cff_face_init):
Remove corresponding conditional code.
There is no need to validate the original charmap in `FT_Set_Charmap`.
It can be reset directly.
* src/autofit/afglobal.c (af_face_globals_compute_style_coverage):
Use direct assignment.
* src/autofit/af{latin,cjk,indic}.c (af_latin_metrics_init): Ditto.
Set charmap aggressively without all validations of `FT_Set_Charmap`
because we take it from the available array and only temporarily.
Even CMap Format 14 will gracefully return 0.
Add a check that the document content is actually contained within the
`SVG ` table. Without this check a malformed font may claim arbitrary
memory as its document content.
* src/sfnt/ttsvg.c (tt_face_load_svg): Take `numEntries` into account when
testing 'documentRecord' extents.
(find_doc): Rename `stream` to `document_records` for clarity.
(tt_face_load_svg_doc): Split `doc` from `doc_list` pointer for clarity.
Test that the document content is contained within the table.
Ensure minimum length of document before testing for gzip format.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51812
* src/base/ftbitmap.c (FT_Bitmap_Copy): Flip the copy if its pitch
is trully opposite, zero is not a positive value.
(FT_Bitmap_Convert): Set negative pitch as needed, accept negative
alignment values.
Reusing target bitmaps for copying and converting is permitted. It is,
however, pointless to preserve their content before overwriting. Free-
malloc might be faster than realloc.
* src/base/ftbitmap.c (FT_Bitmap_Copy, FT_Bitmap_Convert): Free
an old buffer and create a new one.
* src/sfnt/ttcolr.c (tt_face_load_colr): If the version is determined to
be 1, then the table size has to be at least the size of the v1 header.
Also, for peeking the number of base glyphs and entries in the layer list,
ensure that the table is sufficiently long.
Fixes#1179. Original patch by Sergey Temnikov.
* src/truetype/ttgxvar.c (TT_Get_MM_Var): Reject retrieving master when
'fvar' values locally do not match with sanitized values from initialization
at `sfnt_init_face` time.
Reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=1360295
Fixes#1178.
* src/sfnt/ttcolr.c (get_deltas_for_var_index_base): Set outer index to
0 and inner index to the delta index when retrieving deltas if the
`COLR` table has no delta set index map.
Fixes#1172.
* src/sfnt/sfobjs.c (sfnt_load_face): Tag font as Multiple Masters font if
`fvar` is present; do not require other tables to be present.
* src/truetype/ttgxvar.c (tt_set_mm_blend): Allow for a missing 'gvar' table
when setting variation coordinates. However, if a 'gvar' table is actually
present, do perform a sanity check and fail on malformedness.
(TT_Get_MM_Var): Don't assume 'fvar' needs 'gvar' or 'CFF2 tables in all
cases, which is an overly tight check.
This option uncomments FreeType configuration macro
`FT_CONFIG_OPTION_ERROR_STRINGS` to make function `FT_Error_String` return
meaningful error strings.
This option is off by default.
This follows similar code in `cff_slot_done`.
* src/base/ftobjs.c (ft_glyphslot_done), src/type1/t1objs.c
(T1_GlyphSlot_Done): Check `internal` pointer.
The Type1 problems was reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50057.
Ben Wagner