Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
<callothersubr>: Since there is not a single flex operator but a
series of subroutine calls, malformed fonts can call arbitrary other
operators after the start of a flex, possibly adding points. For
this reason we have to check the available number of points before
inserting a point.
* src/cff/cffload.c (FT_fdot14ToFixed): Fix casting.
(cff_blend_doBlend): Don't left-shift negative numbers.
Handle 5-byte numbers byte by byte to avoid alignment issues.
* src/cff/cffparse.c (cff_parse): Handle 5-byte numbers byte by byte
to avoid alignment issues.
* src/cid/cidload (cid_read_subrs): Do nothing if we don't have any
subrs.
* src/psaux/t1decode.c (t1_decode_parse_charstring): Fix tracing.
* src/tools/glnames.py (main): Put `DEFINE_PSTABLES' guard around
definition of `ft_get_adobe_glyph_index'.
* src/psnames/pstables.h: Regenerated.
* src/psnames/psmodule.c: Inlude `pstables.h' twice to get both
declaration and definition.
* src/truetype/ttgxvar.c (FT_fdot14ToFixed, FT_intToFixed): Fix
casting.
We now use a hash to map from subr indices to array elements holding
the subroutines, if necessary.
* include/freetype/internal/t1types.h: Include FT_INTERNAL_HASH_H.
(T1_FontRec): Add `subrs_hash' field.
* include/freetype/internal/psaux.h: Include FT_INTERNAL_HASH_H.
(T1_DecoderRec): Add `subrs_hash' field.
* src/type1/t1load.h (T1_LoaderRec): Add `subrs_hash' field.
* src/type1/t1driver.c: Include FT_INTERNAL_HASH_H.
(t1_ps_get_font_value) [PS_DICT_SUBR]: Look up hash if necessary.
* src/type1/t1load.c: Include FT_INTERNAL_HASH_H.
(parse_subrs): Use hash for subr indices that exceed the allocated
number of subr slots.
(t1_init_loader): Remove unnecessary code.
(t1_done_loader, T1_Open_Face): Updated.
* src/type1/t1gload.c (T1_Compute_Max_Advance, T1_Get_Advances,
T1_Load_Glyph): Updated.
* src/type1/t1objs.c (T1_Face_Done): Updated.
* src/psaux/t1decode.c: Include FT_INTERNAL_HASH_H.
(t1_decoder_parse_charstrings) [op_callsubr]: Look up hash if
necessary.
* src/cid/cidgload.c (cid_load_glyph): Updated.
Due to incorrect casting negative numbers were shown as very large
(positive) integers on 64bit systems.
* src/psaux/t1decode.c (t1_decoder_parse_charstrings) <op_none>:
Use division instead of shift.
* src/psaux/psobjs.c (ps_parser_skip_PS_token): If a token is
enclosed in balanced expressions, ensure that the cursor position
doesn't get larger than the current limit.
This is just very basic stuff and just a little bit tested on
GNU/Linux only. I won't delve into this since I'm not a Jam user.
* Jamfile: Call `HDRMACRO' for `ftserv.h' also.
(DEFINES): Replace with...
(CCFLAGS): ... this.
* src/Jamfile: Don't call `HDRMACRO' for `internal.h'; this is
already handled in the top-level Jamfile.
* src/autofit/Jamfile (DEFINES): Replace with...
(CCFLAGS): ... this.
(_sources): Add missing files.
* src/cache/Jamfile: Don't call `HDRMACRO' for `ftcache.h'; it no
longer contains macro header definitions.
* src/base/Jamfile, src/cff/Jamfile, src/sfnt/Jamfile,
src/truetype/Jamfile (_sources): Add missing files.
* include/internal/t1types.h (AFM_KernPairRec): Make indices
unsigned.
Update users.
(AFM_FontInfoRec): Make element counters unsigned.
Update users.
* src/psaux/afmparse.h (AFM_ValueRec): Add union member for unsigned
int.
* src/psaux/afmparse.c (afm_parse_track_kern, afm_parse_kern_pairs):
Reject negative values for number of kerning elements.
* src/type1/t1afm.c, src/tools/test_afm.c: Updated.
Assure that FreeType's internal include directories are found before
`CPPFLAGS' (which might be set by the user in the environment), and
`CPPFLAGS' before `CFLAGS'.
* builds/freetype.mk (FT_CFLAGS): Don't add `INCLUDE_FLAGS'.
(FT_COMPILE): Make this a special variable for compiling only the
files handled in `freetype.mk'.
(.c.$O): Removed, unused.
* src/*/rules.mk (*_COMPILE): Fix order of include directories.
The functions in this patch *do* return non-trivial errors that must
be taken care of.
* src/autofit/afloader.c (af_loader_load_g), src/base/ftobjs.c
(FT_Render_Glyph_Internal), src/base/ftoutln.c (FT_Outline_Render),
src/cff/cffgload.c (cff_decoder_parse_charstrings) <cff_op_endchar>,
src/psaux/psobjs.c (ps_parser_load_field_table), src/psaux/t1decode
(t1_decoder_parse_charstrings) <op_endchar>, src/truetype/ttgload.c
(load_truetype_glyph <subglyph loop>, tt_loader_init,
TT_Load_Glyph), src/truetype/ttgxvar.c (TT_Set_MM_Blend),
src/truetype/ttobjs.c (tt_size_run_fpgm, tt_size_run_prep): Do it.
Don't cast cmap init function pointers to an incompatible type.
Without this patch, the number of parameters between declaration and
the real signature differs. Calling such a function results in
undefined behavior.
ISO/IEC 9899:TC3 (Committee Draft September 7, 2007)
6.5.2.2 Function calls
9 If the function is defined with a type that is not
compatible with the type (of the expression) pointed to by
the expression that denotes the called function, the
behavior is undefined.
On certain platforms (c -> js with emscripten) this causes
termination of execution or invalid calls because in the emscripten
implementation, function pointers of different types are stored in
different pointer arrays. Incorrect pointer type here results in
indexing of an incorrect array.
* src/cff/cffcmap.c (cff_cmap_encoding_init, cff_cmap_unicode_init),
src/pfr/pfrcmap.c (pfr_cmap_init), src/psaux/t1cmap.c
t1_cmap_standard_init, t1_cmap_expert_init, t1_cmap_custom_init,
t1_cmap_unicode_init), src/winfonts/winfnt.c (fnt_cmap_init): Fix
signature.
* src/type1/t1load.c (t1_parse_font_matrix): Properly handle result
of `T1_ToFixedArray'.
* src/cid/cidload.c (cid_parse_font_matrix): Synchronize with
`t1_parse_font_matrix'.
* src/type42/t42parse.c (t42_parse_font_matrix): Synchronize with
`t1_parse_font_matrix'.
(t42_parse_encoding): Synchronize with `t1_parse_encoding'.
* src/psaux/psobjs.c (ps_parser_load_field) <T1_FIELD_TYPE_BBOX>,
<T1_FIELD_TYPE_MMOX>: Properly handle result of `ps_tofixedarray'.
http://cppcheck.sourceforge.net/
Note that the current version heavily chokes on FreeType, delivering
even wrong results. I will report those issues to the cppcheck team
so that a newer version gives improved results hopefully.
*/* Improve variable scopes.
*/* Remove redundant initializations which get overwritten.
* src/base/ftmac.c ,builds/mac/ftmac.c (count_faces_scalable):
Remove unused variable.
* src/base/ftdbgmem.c (ft_mem_table_destroy): `table' can't be zero.
* src/gxvalid/gxvkern.c (gxv_kern_subtable_fmt1_entry_validate):
Remove functionless code.
* src/tools/ftrandom.c (main): Fix memory leak.
* src/base/ftcalc.c (FT_DivFix): Use unsigned values for
computations which use the left shift operator and convert to signed
as the last step.
* src/base/fttrigon.c (ft_trig_prenorm, FT_Vector_Rotate,
FT_Vector_Length, FT_Vector_Polarize): Ditto.
* src/cff/cffgload.c (cff_decoder_parse_charstrings): Simplify.
* src/cff/cffload.c (cff_subfont_load): Fix constant.
* src/cff/cffparse.c (cff_parse_integer, cff_parse_real, do_fixed,
cff_parse_fixed_dynamic): Use unsigned values for computations which
use the left shift operator and convert to signed as the last step.
* src/cid/cidload.c (cid_get_offset): Ditto.
* src/psaux/psconv.c (PS_Conv_ToFixed): Ditto.
* src/psaux/t1decode.c (t1_decoder_parse_charstrings): Ditto.
* src/truetype/ttinterp.c (TT_MulFix14, TT_DotFix14): Ditto.
This is essentially a mechanical conversion, adding inclusion of
`FT_INTERNAL_DEBUG_H' where necessary, and providing the macros for
stand-alone compiling modes of the rasterizer modules.
To convert the remaining occurrences of FT_Err_XXX and friends it is
necessary to rewrite the code. Note, however, that it doesn't harm
if some cases are not handled since FT_THROW is a no-op.
* src/psaux/psconv.c (PS_Conv_Strtol): Always parse complete number,
even in case of overflow.
(PS_Conv_ToInt): Only increase cursor if parsing was successful.
(PS_Conv_ToFixed): Ditto.
Trace underflow and data error.
* src/psaux/psconv.c: Include FT_INTERNAL_DEBUG_H.
(FT_COMPONENT): Define.
(PS_Conv_Strtol): Return FT_Long.
Handle bad data and overflow.
Emit some tracing messages in case of error.
(PS_Conv_ToInt): Return FT_Long.
(PS_Conv_ToFixed): Updated.
* src/psaux/psconv.h: Updated.
* include/freetype/internal/fttrace.h: Add `psconv'.
* src/psaux/afmparse.c (afm_parse_track_kern): Don't inverse sign
for `min_kern'. It is indeed quite common that track kerning
*increases* spacing for very small sizes.
Werner Lemberg