The 0-base index is equal to the number of previosly parsed entries.
It is an error to adjust it by one to get the number truncated by
a stream error. This is probably inconsequential because valid
entries are correctly accounted for.
* src/sfnt/ttload.c (check_table_dir): Do not adjust the truncated
number of tables.
Really fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42773.
* src/sfnt/ttload.c (check_table_dir): Revert change.
* src/type42/t42.parse.c (t42_parse_sfnts): Don't use `FT_QREALLOC` but
`FT_REALLOC` for setting up `ttf_data` to avoid uninitialized memory access
while handling malformed TrueType fonts later on.
Previously, the gasp.numRanges was set and gasp.gaspRanges was
allocated and assigned before a possible early exit if the frame could
not be entered. It is also possible that the gaspRanges allocation
could fail but the numRanges still be set to non-zero. In such cases
an error would be returned, but the face would have a gasp in an
inconsistent state which may still be accessed.
Reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=1261450
* src/sfnt/ttload.c (tt_face_load_gasp): Delay setting gasp.numRanges
and gasp.gaspRanges until after the ranges are initialized.
Previously, the table->names and table->langTags fields were created
pointing to uninitialized memory and an early exit could happen if the
frame could not be entered. The caller would then be unable to properly
dispose of the memory as the string fields had not been initialized.
Reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=1261343
* src/sfnt/ttload.c (tt_face_load_name): delay setting table->langTags
and table->names until after the memory they will point to is fully
initialized.
FT_QNEW_ARRAY and FT_QRENEW_ARRAY were using the non-Q
FT_MEM_NEW_ARRAY and FT_MEM_RENEW_ARRAY. Change these to use the Q
versions. Also fix the one issue discovered in tt_face_load_name
where table->names is created with FT_QNEW_ARRAY but the extra
string member is not initialized to NULL.
* include/freetype/internal/ftmemory.h (FT_Q(RE)NEW_ARRAY):
Use FT_MEM_Q(RE)NEW_ARRAY as needed.
* src/sfnt/ttload.c (tt_face_load_name): Initialize `entry->string`.
Fixes timeout (#1055) analyzed by Ben Wagner, reported as
https://crbug.com/1194092
* src/sfnt/ttload.c (tt_face_load_post): Check POST format.
* src/sfnt/sfobjs.c (sfnt_load_face): Synthesize the missing unicode
charmap only if the glyph names exist.
* src/psnames/psmodule.c (ps_unicode_value): Short cut ".notdef" and
".null".
This ensures good logging output, with all lines having a proper
prefix (if requested).
This is a continuation of a similar patch from 2020-12-02, which
missed some locations.
We no longer have to take care of the 8.3 file name limit; this
allows us (a) to introduce longer, meaningful file names, and (b) to
avoid macro names in `#include' lines altogether since some
compilers (most notably Visual C++) doesn't support this properly.
*/*: Replace
#include FOO_H
with
#include <freetype/foo.h>
or something similar. Also update the documentation.
* src/base/ftoutln.c (FT_Outline_Transform): Bail on empty points.
* src/cff/cffload.c (cff_subfont_load): Use `FT_OFFSET'.
* src/psaux/psft.c (cf2_decoder_parse_substrings): Early out if
`charstring_base' or `charstring_len' are null.
* src/sfnt/ttload.c (tt_face_load_name): Use `FT_OFFSET'.
It's been more than 2^31 seconds since 1904.
* include/freetype/tttables.h (TT_Header): Change field types.
* src/sfnt/ttload.c (tt_face_load_generic_header): Updated.
This monster commit was created by applying Nikhil's scripts
`docconverter.py' and `markify.py' to all C header and source files,
followed up by minor manual clean-up.
No change in functionality, of course.
I used commit f7419907bc6044b9b7057f9789866426c804ba82 from
https://github.com/nikramakrishnan/freetype-docs.git.
* include/freetype/internal/tttypes.h (TT_LangTagRec): New
structure.
(TT_NameTableRec): Add fields `numLangTagRecords' and `langTags'.
* src/sfnt/ttload.c (tt_face_load_name): Add support for language
tags.
Reduce array size of name strings in case of invalid entries.
(tt_face_free_name): Updated.
* docs/CHANGES: Updated.
Since 2016-05-16 we detect infinite recursion directly.
* src/sfnt/ttload.c (tt_face_load_maxp): Don't adjust
`maxComponentDepth'.
* src/truetype/ttgload.c (load_truetype_glyph): Don't abort if
`maxComponentDepth' is not valid. Instead, simply adjust its value
and emit a tracing message.
This patch fixes weaknesses in function `tt_face_load_font_dir'.
- It incorrectly assumed that valid tables are always at the
beginning. As a consequence, some valid tables after invalid
entries (which are ignored) were never seen.
- Duplicate table entries (this is, having the same tag) were not
rejected.
- The number of valid tables was sometimes too large, leading to
access of invalid tables.
* src/sfnt/ttload.c (check_table_dir): Add argument to return number
of valid tables.
Add another tracing message.
(tt_face_load_font_dir): Only allocate table array for valid
entries as returned by `check_table_dir'.
Reject duplicate tables and adjust number of valid tables
accordingly.
We now follow the `official' announcement from Microsoft (on the
OpenType mailing list, which unfortunately hasn't a public archive).
* include/freetype/tttables.h (TT_OS2):
s/usLowerPointSize/usLowerOpticalPointSize/,
s/usUpperPointSize/usUpperOpticalPointSize/.
* src/sfnt/ttload.c (tt_face_load_os2): Update, and set correct
default values.
See
http://typedrawers.com/discussion/470/new-microsoft-size-specific-design-selection-mechanism
for the announcement.
* include/freetype/tttables.h (TT_OS2): Add fields
`usLowerPointSize' and `usUpperPointSize'. Since FreeType returns
this structure only as a pointer through `FT_Get_Sfnt_Table', there
shouldn't be any ABI problems.
* src/sfnt/ttload.c (tt_face_load_os2): Implement it.
* docs/CHANGES: Updated.
Other font engines seem to ignore it also. Problem reported by
Hin-Tak Leung <htl10@users.sourceforge.net>.
* src/sfnt/ttload.c (check_table_dir): Don't abort but warn only if
we have an invalid magic number.
Werner Lemberg