Commit Graph

251 Commits

Author SHA1 Message Date
Werner Lemberg bacc48e616 Whitespace. 2023-01-28 17:04:11 +01:00
Behdad Esfahbod bea675cde6 [ttgxvar] Fix crash in COLRv1.
This is a stopgap until issue #1202 is properly fixed.

* src/truetype/ttxgvar.c (tt_var_get_item_delta): Check `normalizedcoords`.
2023-01-27 06:53:46 +01:00
Werner Lemberg 65f8523706 Update all copyright notices. 2023-01-17 09:18:25 +01:00
Ben Wagner 262b47ac5a [truetype] Keep variation store consistent.
`tt_var_load_item_variation_store` fills out a `GX_ItemVarStore`.  While it
may return an error, the item store must be left in a consistent state so
that any use or destruction of the item store can properly use or free the
data in it.  Before this change the counts from the font data were read
directly into the item store before the actual allocation of the arrays to
which they referred.  There exist many opportunities between the time the
counts are read and the arrays are allocated to return early due to invalid
data.  When this happened the item store claimed to have entires it actually
did not, leading to crashes later when it was used.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54449

* src/truetype/ttgxvar.c (tt_var_load_item_variation_store): Read the counts
into local variables and store them in the item store only after the related
arrays are actually created on the item store.
2023-01-06 07:11:41 +01:00
Werner Lemberg e6fda039ad * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer overflow.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462
2022-11-14 19:18:19 +01:00
Dominik Röttsches ba4bd5b994 Add `TT_CONFIG_OPTION_NO_BORING_EXPANSION` configuration macro.
This gives users a possibility to deactivate new features not (yet) in the
OpenType standard.

* include/freetype/config/ftoption.h, devel/ftoption.h
(TT_CONFIG_OPTION_NO_BORING_EXPANSION): New macro.

* src/truetype/ttgxvar.c (ft_var_load_avar): Use it to disable 'avar'
version 2.0 support.
2022-11-12 17:11:36 +01:00
Behdad Esfahbod e97cb9e8da [truetype] Improve bounds checks for `ItemVariationStore`.
* src/truetype/ttgxvar.c (tt_hvadvance_adjust): Move bounds check ...
(tt_var_get_item_delta): ...  to this function, because it is safer.  For
example, the 'avar' table 2.0 codepath was not performing a bounds check at
all.
2022-11-12 16:45:44 +01:00
Behdad Esfahbod 9be958ca39 [truetype] In `ItemVariationStore`, value 0xFFFF for `dataCount` is valid.
It corresponds to outer indices of 0 to 0xFFFE.

* src/truetype/ttgxvar.c (tt_var_load_item_variation_store): Remove invalid
code.
2022-11-12 16:41:20 +01:00
Ben Wagner 9154707f6b [truetype] Check avar_segment before access
* src/truetype/ttgxvar.c (tt_done_blend): check `avar_segment` before
accessing to free its `correspondence`.

Reported as:

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53062
2022-11-09 19:15:26 +00:00
Ben Wagner d38407f79e [truetype] Restore behavior of ft_var_load_hvvar
* src/truetype/ttgcvar.c (ft_var_load_hvvar): restore previous behavior

In a previous change [0] the behavior of `ft_var_load_hvvar` was changed
to not load the item variation store if it was at offset 0, but not
return an error when this happened. This broke any users, like
`tt_hvadvance_adjust`, that rely on successful completion of
`ft_var_load_hvvar` to imply that returned table's `itemStore` had been
initialized. This lead such users to dereference NULL.

This change appears to have been unintentional and unrelated to the
actual avar2 changes. As a result, fix these NULL dereferences by
restoring the code to always attempt to initialize the `itemStore`.

[0] ae4eb996 "[truetype] Add support for `avar` table 2.0 format."

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53061
2022-11-09 19:02:22 +00:00
Behdad Esfahbod ae4eb996ab [truetype] Add support for `avar` table 2.0 format.
See

  https://github.com/harfbuzz/boring-expansion-spec/blob/main/avar2.md

for the specification.

Currently, this is implemented only in most recent OS versions on Apple
platforms and in the HarfBuzz library, but it is expected to be added to the
OpenType standard soon.

* src/truetype/ttgxvar.h (GX_AVarTableRec): New structure.
(GX_BlendRec): Use it to replace `avar_segment` with `avar_table`.

* src/truetype/ttgxvar.c (ft_var_load_avar): Load new table version.
(ft_var_to_normalized, tt_done_blend): Extend for new format.
(ft_var_load_hvvar, ft_var_to_design): Updated.
2022-11-04 19:44:36 +01:00
Werner Lemberg c943d408e0 Minor formatting. 2022-10-18 11:41:00 +02:00
mlugg 905270925d [truetype] Fix undefined pointer arithmetic.
* src/truetype/ttgxvar.c (tt_var_get_item_delta, ft_var_load_mvar): Use
`FT_OFFSET`.
2022-09-29 20:44:41 +02:00
Dominik Röttsches 8e68439a6f [truetype] Reject 'fvar' loading when `num_instances` is too small.
* src/truetype/ttgxvar.c (TT_Get_MM_Var): Reject retrieving master when
'fvar' values locally do not match with sanitized values from initialization
at `sfnt_init_face` time.

Reported as

  https://bugs.chromium.org/p/chromium/issues/detail?id=1360295
2022-09-06 17:18:17 +02:00
Dominik Röttsches a1017e2655 [sfnt] Don't require 'gvar' table to support variation fonts.
Fixes #1172.

* src/sfnt/sfobjs.c (sfnt_load_face): Tag font as Multiple Masters font if
`fvar` is present; do not require other tables to be present.

* src/truetype/ttgxvar.c (tt_set_mm_blend): Allow for a missing 'gvar' table
when setting variation coordinates.  However, if a 'gvar' table is actually
present, do perform a sanity check and fail on malformedness.
(TT_Get_MM_Var): Don't assume 'fvar' needs 'gvar' or 'CFF2 tables in all
cases, which is an overly tight check.
2022-09-05 10:36:22 +02:00
Werner Lemberg de27955c2a Minor formatting. 2022-07-01 06:33:50 +02:00
Dominik Röttsches dece953516 [truetype] Perform variation store delta computation with 64-bit precision.
* include/freetype/internal/ftmmtypes.h (FT_ItemVarDelta): Make type
explicitly 32-bit.
* include/freetype/internal/services/svmm.h
(FT_Var_Get_Item_Delta_Func): Change return type to `FT_ItemVarDelta`
* truetype/ttgxvar.h (tt_var_get_item_delta): Change return type to
`FT_ItemVarDelta`.
* truetype/ttgxvar.c (tt_var_get_item_delta): Store scalars and deltas
to intermediate array, perform computation using new method
`FT_MulAddFix`.
2022-06-29 20:27:11 +02:00
Alexei Podtelezhnikov 47103b2f19 [truetype] Clean up phantom point accounting.
This formalizes that the phantom points appended in the outline
do not increase its point count, nor are they tagged or included
in any additional contours.  Only their coordinates are stored.
They are counted in the glyph zone, however.

* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Infer `n_points`
from the outline size plus four phantom points.
* src/truetype/ttgxvar.h (TT_Vary_Apply_Glyph_Deltas): Remove this
argument.
* src/truetype/ttgload.c (tt_prepare_zone): Add phantom four.
(TT_Process_Simple_Glyph, load_truetype_glyph): Update all callers.
2022-06-18 23:09:17 -04:00
Alexei Podtelezhnikov 705f416184 [truetype/GX] Clean up phantom point adjustment.
This moves phantom point and advance variation adjustment next to
calculations. The logic stays the same, HVAR and VVAR take priority.

* src/truetype/ttgload.c (load_truetype_glyph): Move it from here...
* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): ... to here
and check for HVAR and VVAR presence outside the main loop.
2022-06-18 23:02:26 -04:00
Alexei Podtelezhnikov d9b8a69e9a [truetype/GX] Fix an old typo.
* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Vertical
advance is measured along y-coordinate.
2022-06-16 22:13:25 -04:00
Alexei Podtelezhnikov d6fc8c6ba0 [truetype/GX] Clean up advance adjustment.
* src/truetype/ttgload.c (TT_Process_Simple_Glyph, load_truetype_glyph):
Move the advance adjustment from here...
* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): ... to here and
simplify arguments.
* src/truetype/ttgxvar.h (TT_Vary_Apply_Glyph_Deltas): Update prototype
with fewer arguments.
2022-06-15 18:28:50 -04:00
Dominik Röttsches 7838c78f53 [truetype] Support reading 32bit/16bit VarStore deltas
* include/freetype/internal/ftmmtypes.h (FT_ItemVarDelta): Define type
to be used for delta arrays, upgrade to FT_long.
* src/truetype/ttgxvar.c: Adhere to long_words bit and read either
Short/Byte pairs or Long/Short pairs, as defined by spec. For better
readability, define macro for repetitive read code.
2022-05-23 16:18:28 +03:00
Dominik Röttsches 9aa99f2262 [truetype] Handle 0xFFFF special value inside delta retrieval function
* truetype/ttgxvar.c (tt_hvadvance_adjust, tt_apply_mvar,
tt_var_get_item_delta): Remove special 0xFFFF handling in favor of less
redundant handling inside the tt_var_get_item_delta function, as it is
equivalent to returning a 0 delta. Avoids code-duplication checking for
special value 0xFFFF.
2022-05-20 17:20:08 +03:00
Dominik Röttsches a4c4566b6d [truetype, snft] Add service methods for `DeltaSetIdxMap` and `VarStore`.
This will be needed for 'COLR' v1 variation support.

* src/truetype/ttgxvar.h (GX_ItemVarData, GX_AxisCoords, GX_VarRegion,
GX_VarItemStore, GX_DeltaSetIdxMap): Move structures to...
* include/freetype/internal/ftmmtypes.h: ... this new file.

* include/freetype/internal/service/svmm.h (MultiMasters): Include
`ftmmtypes.h`.
(FT_Var_Load_Delta_Set_Idx_Map_Func, FT_Var_Load_Item_Var_Store_Func,
FT_Var_Get_Item_Delta_Func, FT_Var_Done_Item_Var_Store_Func,
FT_Var_Done_Delta_Set_Idx_Map_Func): New function typedefs.
(MultiMasters): Add them.
(FT_DEFINE_SERVICE_MULTIMASTERSREC): Updated.

* src/cff/cffdrivr.c (cff_load_item_variation_store,
cff_load_delta_set_index_mapping, cff_get_item_delta,
cff_done_item_variation_store, cff_done_delta_set_index_map): New wrapper
methods calling into mm service.
(cff_service_multi_masters): Updated.

* src/truetype/ttgxvar.c (ft_var_load_item_variation_store,
ft_var_load_delta_set_index_mapping, ft_var_get_item_delta,
ft_var_done_item_variation_store, ft_var_done_delta_set_index_map): Renamed
to ...
(tt_var_load_item_variation_store, tt_var_load_delta_set_index_mapping,
tt_var_get_item_delta, tt_var_done_item_variation_store,
tt_var_done_delta_set_index_map): ... this for consistency.
Mark them as non-static.
* src/truetype/ttgxvar.h: Add corresponding prototypes.

* src/truetype/ttdriver.c (tt_service_gx_multi_masters): Updated.

* src/type1/t1driver.c (t1_service_multi_masters): Updated.
2022-05-19 07:14:05 +02:00
Dominik Röttsches 5f19f49c81 [truetype] Move deallocation of `DeltaSetIdxMap` into own function.
This is a preparation for handling `DeltaSetIdxMap` and `VarStore` as a
FreeType service.

* src/truetype/ttgxvar.c (ft_var_done_delta_set_index_map): New function.
(tt_done_blend): Use it.
2022-05-19 06:09:17 +02:00
Werner Lemberg 5d49473f85 [truetype] Handle inner/outer index values 0xFFFF/0xFFFF.
This was introduced in OpenType 1.8.4.

* src/truetype/ttgxvar.c (ft_var_load_delta_set_index_mapping,
tt_hvadvance_adjust, ft_var_load_mvar, tt_apply_mvar): Handle special
inner/outer index values.
(ft_var_load_item_variation_store): Add test.

Fixes #1154.
2022-05-11 18:15:02 +02:00
Alexei Podtelezhnikov bee8886408 Clean-up - do not doubt FT_FREE.
* src/base/ftobjs.c (memory_stream_close): Do not reassign zero
after `FT_FREE`.
* src/sfnt/sfwoff.c (sfnt_stream_close): Ditto.
* src/sfnt/sfwoff2.c (stream_close): Ditto.
* src/psaux/psobjs.c (ps_parser_load_field): Ditto.
* src/truetype/ttgxvar.c (ft_var_load_avar, tt_set_mm_blend,
tt_set_mm_blend): Ditto.
2022-01-30 21:55:21 -05:00
Alexei Podtelezhnikov b34741c1cc Minor clean-ups.
* src/base/ftrfork.c (raccess_make_file_name): Do not set error.
* src/sfnt/sfdriver.c (get_win_string, get_apple_string): Ditto.
* src/cff/cffobjs.c (cff_strcpy): Do not confuse about error.
* src/psaux/psobjs.c (ps_table_done): Ditto.
* src/truetype/ttgxvar.c (ft_var_readpacked*, ft_var_load_avar): Ditto.
2022-01-27 22:55:34 -05:00
Werner Lemberg d0cfb4e1b2 Update all copyright notices. 2022-01-11 10:54:10 +01:00
Ben Wagner afb4ca0151 [truetype] Reset localpoints when varying cvt.
When iterating over the cvt tuples and reading in the points it is necessary
to set all of `localpoints`, `points`, and `point_count` in all cases.  The
existing code did not reset `localpoints` to `NULL` when there were no
private point numbers.  If the previous tuple did have private point numbers
and set `localpoints` to `ALL_POINTS` this would not be cleared and the
wrong branch would be taken later, leading to possible heap buffer overflow.

* src/truetype/ttgxvar.c (tt_face_vary_cvt): Reset `localpoints` to `NULL`
when it isn't valid.

Fixes: https://crbug.com/1284742
2022-01-06 19:13:00 +01:00
Werner Lemberg e4f7673e46 [truetype] Updates for the forthcoming OpenType 1.9 standard (2/2).
* src/truetype/ttgxvar.c (ft_var_load_item_variation_store):
s/shortDeltaCount/wordDeltaCount/ (as done in the specification, too).
Recognize new format and reject it for now.
2021-11-16 20:13:58 +00:00
Werner Lemberg 93e6b3e8e9 [truetype] Updates for the forthcoming OpenType 1.9 standard (1/2).
This is in preparation for implementing `DeltaSetIndexMap` format 1, which
is used by `COLR` v1 tables, and which allows 32bit indices.

  https://docs.microsoft.com/en-us/typography/opentype/otspec190/delta/otvarcommonformats_delta.html

* src/truetype/ttgxvar.h (GX_DeltaSetIdxMapRec): Change type of `mapCount`
to `FT_ULong`.

* src/truetype/ttgxvar.c (ft_var_load_delta_set_index_mapping): Add argument
for passing the table size; update caller.
Implement new format.
2021-11-16 20:13:58 +00:00
Alexei Podtelezhnikov c5cd2a3db4 * src/truetype/ttgxvar.c (ft_var_to_normalized): Edge optimization. 2021-11-10 08:46:26 -05:00
Alexei Podtelezhnikov cb9e7b7aac [truetype] Avoid some memory zeroing in variations.
* src/truetype/ttgxvar.c (ft_var_readpackeddeltas, ft_var_load_avar,
ft_var_load_item_variation_store, ft_var_load_gvar): Use FT_QNEW_ARRAY
if memory immediately initialized or discarded otherwise.
2021-11-06 22:59:31 -04:00
Jany Belluz fc55291b1c [truetype] Fix handling of packed deltas in Variation Fonts.
* src/truetype/ttgxvar (ft_var_readpackeddeltas): Don't expect the number of
bytes used to encode the deltas to be higher than the number of encoded
values.  The specification allows a very compact encoding; for example, a
list of 200 zeros can be encoded with just a couple of bytes.

We now count the consumed bytes to make sure to not read more than expected.
2021-11-05 13:53:45 +01:00
Jany Belluz 9ed5332fe6 [truetype] Fix CVAR handling of tuples for all points.
* src/truetype/ttgxvar (tt_face_vary_cvt): Function
`ft_var_readpackedpoints`, when it returns `ALL_POINTS`, also sets
`point_count` to value 0.  However, the CVAR code was incorrectly expecting
that `point_count` would be set to match the length of the CVT table.
2021-11-04 12:09:01 +01:00
Jany Belluz 23d1d8ada8 * src/truetype/ttgxvar.c: Fix typos in macros that guard CVAR code. 2021-11-04 12:07:47 +01:00
Werner Lemberg d1c2000504 [truetype] Fix compilation if !TT_CONFIG_OPTION_BYTECODE_INTERPRETER.
* src/truetype/ttgxvar.c (tt_cvt_ready_iterator): Compile function
conditionally.
(tt_face_vary_cvt) [!TT_CONFIG_OPTION_BYTECODE_INTERPRETER]: Add code.

Fixes #1091.
2021-08-28 07:36:08 +02:00
Ben Wagner d3dc2da9b2 * src/truetype/ttgxvar.c (tt_set_mm_blend): Test `coords`.
It is undefined behavior to pass `NULL` to `memcpy`.  `coords' is
passed to `memcpy` but `TT_Get_MM_Blend` and `TT_Get_Var_Design`
explictly call `tt_set_mm_blend` with `coords` as `NULL`.  In
addition, `TT_Set_MM_Blend` has a similar possible issue.
2021-07-01 07:02:04 +02:00
Werner Lemberg 2149b51f25 Handle various VC++ compiler warnings.
Fixes #1039.

* src/base/ftstroke.c (ft_stroker_inside, ft_stroker_outside):
Initialize `sigma`.

* src/sdf/ftsdf.c (sdf_generate_with_overlaps): Exit immediately if
function arguments are invalid.
* src/sdf/ftsdfrend.c (sdf_property_set) <"overlaps">: Fix cast.

* src/sfnt/sfwoff2.c (woff2_decompress)
[!FT_CONFIG_OPTION_USE_BROTLI]: Use `FT_UNUSED`.

* src/truetype/ttgxvar.c (TT_Get_MM_Var): Initialize `fvar_head`.
2021-03-13 19:08:09 +01:00
Werner Lemberg d924a66a5c * src/*: Don't use more than one '\n' in `FT_TRACE` and `FT_ERROR`.
This ensures good logging output, with all lines having a proper
prefix (if requested).

This is a continuation of a similar patch from 2020-12-02, which
missed some locations.
2021-02-04 07:46:46 +01:00
Werner Lemberg b6e8a71266 Update all copyright notices. 2021-01-17 07:18:48 +01:00
Werner Lemberg 272ae5ee2a * src/*: More fixes for using a '\n' in `FT_TRACE` and `FT_ERROR`. 2020-12-07 10:29:24 +01:00
Werner Lemberg a6adb25626 * src/*: Don't use more than one '\n' in `FT_TRACE` and `FT_ERROR`.
This ensures good logging output, with all lines having a proper
prefix (if requested).
2020-12-05 09:43:45 +01:00
Werner Lemberg 804e625def [truetype] Minor update to forthcoming OpenType 1.8.4 standard.
* src/truetype/ttgxvar.c (ft_var_load_item_variation_store): Limit
size of `regionCount`.
2020-10-28 13:34:52 +01:00
Werner Lemberg 8cfc41ae95 Fix `-Wformat' compiler warnings.
Problem reported by Priyesh kumar <priyeshkkumar@gmail.com>

* src/base/ftoutln.c (FT_Outline_Decompose): Fix number of arguments
to tracing macro.

* src/bdf/bdfdrivr.c (bdf_cmap_char_next, bdf_get_bdf_property):
Ditto.

* src/cache/ftcbasic.c (ftc_basic_family_get_count): Ditto.
Reformulate message.

* src/pcf/pcfdrivr.c (pcf_get_bdf_property): Ditto.

* src/sfnt/sfwoff2.c (woff2_open_font): Ditto.
Trace table offset, too.

* src/truetype/ttgxvar.c (ft_var_apply_tuple): Ditto.
2020-07-25 12:23:22 +02:00
David Turner e13391333f Make macros for header file names optional.
We no longer have to take care of the 8.3 file name limit; this
allows us (a) to introduce longer, meaningful file names, and (b) to
avoid macro names in `#include' lines altogether since some
compilers (most notably Visual C++) doesn't support this properly.

*/*: Replace

   #include FOO_H

with

   #include <freetype/foo.h>

or something similar.  Also update the documentation.
2020-06-08 13:31:55 +02:00
Ben Wagner 11975fe9f6 Fix state of `FT_Face' for buggy `gvar' tables (#57923).
By resetting the blend as implemented with this commit fonts with
invalid `gvar' tables may keep calling into `ft_var_load_gvar' from
`tt_set_mm_blend' and failing, but the font was invalid anyway and
we want to keep seeing the failure in `tt_set_mm_blend'.

* src/truetype/ttgxvar.c (ft_var_load_gvar): Calculate length of
offset array once.
Allocate arrays after `FT_FRAME_ENTER' (extra check before
allocating and avoid needing to free array later if error entering
frame).
Always call `FT_FRAME_EXIT'.
Consistently set counts immediately after array initialized.
Reset the blend (particularly `blend->glyphoffsets') on failure.
2020-02-29 20:29:14 +01:00
Ben Wagner 216e077600 [truetype] Add better checks for loading `gvar' table (#57905).
* src/truetype/ttgxvar.c (ft_var_load_gvar): Delay settings of any
`blend->xxxcount' values until the corresponding data has been
checked.
Also do some sanitizing to avoid a too early exit.

(TT_Vary_Apply_Glyph_Deltas): Improve tracing message.
2020-02-28 07:43:00 +01:00
Werner Lemberg e5038be704 Update all copyright notices. 2020-01-19 17:05:19 +01:00