This commit (mainly for 32bit CPUs) is the first of a series of
similar commits to handle known integer overflows. Basically, all
of them are harmless, since they affect rendering of glyphs only,
not posing security threats. It is expected that fuzzying will show
up more overflows, to be fixed in due course.
The idea is to mark places where overflows can occur, using macros
that simply cast to unsigned integers, because overflow arithmetic
is well defined in this case. Doing so suppresses run-time errors
of sanitizers without adding computational overhead.
* include/freetype/internal/ftcalc.h (OVERFLOW_ADD_INT,
OVERFLOW_SUB_INT, OVERFLOW_MUL_INT, OVERFLOW_ADD_LONG,
OVERFLOW_SUB_LONG, OVERFLOW_MUL_LONG): New macros.
* src/base/ftcalc.c (FT_RoundFix, FT_CeilFix, FT_Matrix_Multiply,
FT_Matrix_Multiply_Scaled, FT_Vector_Transform_Scaled,
ft_corner_orientation): Use new macros.
* src/base/ftoutln.c (FT_Outline_Get_Orientation): Use new macros.
The goal is to avoid integer overflows in the rendering algorithms.
The limit is chosen arbitrarily at some 2^18 pixels, which should be
enough for modern devices including printers.
* src/base/ftoutln.c (FT_Outline_Render): Check CBox and reject
enormous outlines.
* src/base/ftrfork.c (FT_Raccess_Get_HeaderInfo): Only accept
positive values from header.
Check overflow.
* src/base/ftoutln.c (SCALED): Correctly handle left-shift of
negative values.
* src/bdf/bdf.h (_bdf_glyph_modified, _bdf_set_glyph_modified,
_bdf_clear_glyph_modified): Use unsigned long constant.
* src/bdf/bdfdrivr.c (BDF_Size_Select, BDF_Glyph_Load): Don't
left-shift values that can be negative.
* src/pcf/pcfdrivr.c (PCF_Size_Select, PCF_Glyph_Load): Don't
left-shift values that can be negative.
* src/raster/ftraster.c (SCALED): Correctly handle left-shift of
negative values.
* src/sfnt/ttsbit.c (tt_face_load_strike_metrics): Don't left-shift
values that can be negative.
* src/truetype/ttgload.c (TT_Load_Composite_Glyph,
compute_glyph_metrics, load_sbit_image): Don't left-shift values
that can be negative.
Instead of keeping `library->renderers' in a MRU order, just leave
it as-is. The MRU machinery wasn't thread-safe.
With this patch, rasterizing glyphs from different faces from
different threads doesn't fail choosing rasterizer
(FT_Err_Cannot_Render_Glyph).
Easiest to see that crash was to add a `printf' (or otherwise let
thread yield in FT_Throw with debugging enabled).
* src/base/ftobjs.c (FT_Render_Glyph_Internal), src/base/ftoutln.c
(FT_Outline_Render): Don't call `FT_Set_Renderer'.
`API functions' are functions tagged with `FT_EXPORT_DEF'.
Besides trivial fixes, the following changes are included, too.
* src/base/ftbdf.c (FT_Get_BDF_Charset_ID, FT_Get_BDF_Property): Set
error code if no service is available.
* src/base/ftinit.c (FT_Done_FreeType): Change return value for
invalid `library' parameter to `Invalid_Library_Handle'.
* src/base/ftobjs.c (FT_New_Size): Change return value for invalid
`asize' parameter to `Invalid_Argument'.
* src/base/ftoutln.c (FT_Outline_Copy): Change return value for
invalid `source' and `target' parameters to `Invalid_Outline'.
(FT_Outline_Done_Internal): Change return value for invalid
`outline' parameter to `Invalid_Outline'.
The functions in this patch *do* return non-trivial errors that must
be taken care of.
* src/autofit/afloader.c (af_loader_load_g), src/base/ftobjs.c
(FT_Render_Glyph_Internal), src/base/ftoutln.c (FT_Outline_Render),
src/cff/cffgload.c (cff_decoder_parse_charstrings) <cff_op_endchar>,
src/psaux/psobjs.c (ps_parser_load_field_table), src/psaux/t1decode
(t1_decoder_parse_charstrings) <op_endchar>, src/truetype/ttgload.c
(load_truetype_glyph <subglyph loop>, tt_loader_init,
TT_Load_Glyph), src/truetype/ttgxvar.c (TT_Set_MM_Blend),
src/truetype/ttobjs.c (tt_size_run_fpgm, tt_size_run_prep): Do it.
The call was (from the top-level of the FreeType tree):
cppcheck --force \
--enable=all \
-I /usr/include \
-I /usr/local/include \
-I /usr/lib/gcc/i586-suse-linux/4.7/include \
-I include \
-I include/freetype \
-I include/freetype/config \
-I include/freetype/internal \
-DFT2_BUILD_LIBRARY \
. &> cppcheck.log
using cppcheck git commit f7e93f99.
Note that cppcheck still can't handle `#include FOO' (with `FOO' a
macro).
*/* Improve variable scopes.
*/* Remove redundant initializations which get overwritten.
* src/gxvalid/*: Comment out redundant code or guard it with
FT_DEBUG_LEVEL_TRACE.
This is essentially a mechanical conversion, adding inclusion of
`FT_INTERNAL_DEBUG_H' where necessary, and providing the macros for
stand-alone compiling modes of the rasterizer modules.
To convert the remaining occurrences of FT_Err_XXX and friends it is
necessary to rewrite the code. Note, however, that it doesn't harm
if some cases are not handled since FT_THROW is a no-op.
Problem reported by Robin Watts <robin.watts@artifex.com>.
* src/base/ftoutln.c (FT_Outline_New_Internal): Ensure that
`numContours' and `numPoints' fit into FT_Outline's `n_points' and
`n_contours', respectively.
* src/base/ftoutln.c (FT_Outline_EmboldenXY): Replace sequential
calls to FT_MulFix and FT_DivFix with FT_MulDiv.
Mention that bisectors are used to figure out the shift direction.
* include/freetype/ftoutln.h (FT_Outline_EmboldenXY): Define it.
* src/base/ftoutln.c (FT_Outline_EmboldenXY): Implement it, using a
simplified embolding algorithm.
(FT_Outline_Embolden): Make it a special case of
`FT_Outline_EmboldenXY'
==========================
Tag sources with `VER-2-3-12'.
* docs/CHANGES: Updated.
* docs/VERSION.DLL: Update documentation and bump version number to
2.3.12.
* README, Jamfile (RefDoc),
builds/win32/vc2005/freetype.vcproj, builds/win32/vc2005/index.html,
builds/win32/vc2008/freetype.vcproj, builds/win32/vc2008/index.html,
builds/win32/visualc/freetype.dsp,
builds/win32/visualc/freetype.vcproj,
builds/win32/visualc/index.html, builds/win32/visualce/freetype.dsp,
builds/win32/visualce/freetype.vcproj,
builds/win32/visualce/index.html,
builds/wince/vc2005-ce/freetype.vcproj,
builds/wince/vc2005-ce/index.html,
builds/wince/vc2008-ce/freetype.vcproj,
builds/wince/vc2008-ce/index.html: s/2.3.11/2.3.12/, s/2311/2312/.
* include/freetype/freetype.h (FREETYPE_PATCH): Set to 12.
* builds/unix/configure.raw (version_info): Set to 10:0:4.