Add a check that the document content is actually contained within the
`SVG ` table. Without this check a malformed font may claim arbitrary
memory as its document content.
* src/sfnt/ttsvg.c (tt_face_load_svg): Take `numEntries` into account when
testing 'documentRecord' extents.
(find_doc): Rename `stream` to `document_records` for clarity.
(tt_face_load_svg_doc): Split `doc` from `doc_list` pointer for clarity.
Test that the document content is contained within the table.
Ensure minimum length of document before testing for gzip format.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51812
* src/base/ftbitmap.c (FT_Bitmap_Copy): Flip the copy if its pitch
is trully opposite, zero is not a positive value.
(FT_Bitmap_Convert): Set negative pitch as needed, accept negative
alignment values.
Reusing target bitmaps for copying and converting is permitted. It is,
however, pointless to preserve their content before overwriting. Free-
malloc might be faster than realloc.
* src/base/ftbitmap.c (FT_Bitmap_Copy, FT_Bitmap_Convert): Free
an old buffer and create a new one.
* src/sfnt/ttcolr.c (tt_face_load_colr): If the version is determined to
be 1, then the table size has to be at least the size of the v1 header.
Also, for peeking the number of base glyphs and entries in the layer list,
ensure that the table is sufficiently long.
Fixes#1179. Original patch by Sergey Temnikov.
* src/truetype/ttgxvar.c (TT_Get_MM_Var): Reject retrieving master when
'fvar' values locally do not match with sanitized values from initialization
at `sfnt_init_face` time.
Reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=1360295
Fixes#1178.
* src/sfnt/ttcolr.c (get_deltas_for_var_index_base): Set outer index to
0 and inner index to the delta index when retrieving deltas if the
`COLR` table has no delta set index map.
Fixes#1172.
* src/sfnt/sfobjs.c (sfnt_load_face): Tag font as Multiple Masters font if
`fvar` is present; do not require other tables to be present.
* src/truetype/ttgxvar.c (tt_set_mm_blend): Allow for a missing 'gvar' table
when setting variation coordinates. However, if a 'gvar' table is actually
present, do perform a sanity check and fail on malformedness.
(TT_Get_MM_Var): Don't assume 'fvar' needs 'gvar' or 'CFF2 tables in all
cases, which is an overly tight check.
This option uncomments FreeType configuration macro
`FT_CONFIG_OPTION_ERROR_STRINGS` to make function `FT_Error_String` return
meaningful error strings.
This option is off by default.
This follows similar code in `cff_slot_done`.
* src/base/ftobjs.c (ft_glyphslot_done), src/type1/t1objs.c
(T1_GlyphSlot_Done): Check `internal` pointer.
The Type1 problems was reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50057.
Any array index must be strictly less then the array size. Therefore,
we must reject indexes that are equal to the array size. Alternatively,
we should move the bounds check before the index decrement but that
would be confusing.
In addition, it is ok to decrement zero (.notdef) and get UINT_MAX,
which is then automatically rejected in the bounds check.
* src/pfr/pfrobjs.c (pfr_face_get_kerning): Fix the bounds checking.
When resizing the loader's points and contours, resize them to at least 1.5
times their current size. The code currently only reserves as much space as
is currently required, leading to O(n^2) runtime when adding points one at a
time.
This change does not attempt to ever shrink the loader's point and contour
storage since this was not attempted previously either. The 1.5 multiple
was chosen as a trade-off between potentially unused space and the runtime.
* src/base/ftgloader.c (FT_GlyphLoader_CheckPoints): Implement it.
Fixes#1173.
* src/sfnt/ttcolr.c (FT_PaintFormat_Internal): New enumeration values
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_SKEW`,
`FT_COLR_PAINTFORMAT_INTERNAL_SKEW_CENTER`, and
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_SKEW_CENTER`.
(read_paint): Handle new enumeration values.
* src/sfnt/ttcolr.c (FT_PaintFormat_Internal): New enumeration values
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_ROTATE` and
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_ROTATE_CENTER`.
(read_paint): Handle new enumeration values.
* src/sfnt/ttcolr.c (FT_PaintFormat_Internal): New enumeration value
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_TRANSLATE`.
(read_paint): Handle new enumeration value.
* src/sfnt/ttcolr.c (FT_PaintFormat_Internal): New enumeration value
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_TRANSFORM`.
(read_paint): Handle new enumeration value.
* src/sfnt/ttcolr.c (read_paint) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Read and
apply deltas to radial, linear, and sweep gradient coordinates such as 'p0',
'p1', 'p2', 'center', 'radii', and 'angles'.
* include/freetype/ftcolor.h (FT_ColorStopIterator): Add field
`read_variable` to indicate whether a variation index base should be read.
* src/sfnt/ttcolr.c: (FT_PaintFormat_Internal): New enumerations
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_LINEAR_GRADIENT`
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_RADIAL_GRADIENT`, and
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_SWEEP_GRADIENT`.
(read_color_line): New parameter `read_variable`; update callers.
(read_paint): Handle new enumerations.
* src/sfnt/ttcolr.c (FT_PaintFormat_Internal_): New enumeration
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_SOLID`.
(get_deltas_for_var_index_base) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: New
function to retrieve an array of delta values, which will be used for most
of 'COLR' v1 variation formats (in follow-up commits).
(read_paint): Add `face` parameter; update caller.
Handle `FT_COLR_PAINTFORMAT_INTERNAL_VAR_SOLID`.
The existing documentation comments on `FT_Stream_IoFunc` hinted at the dual
seek/read behavior required for custom stream implementations to work, but
it didn't explicitly explain it. Without looking at the internals of
FreeType, it was easy for someone to assume their implementation should
handle both seek and read operations all the time. If this is done, you get
a variety of errors, but mostly just `Unknown_File_Format` (error code
0x02).
mlugg