* src/lzw/ftzopen.c (ft_lzwstate_io) <FT_LZW_PHASE_CODE>:
Ensure that subsequent (modulo garbage byte(s)) LZW_CLEAR codes are
handled as clear codes. This also re-sets old_code and old_char to
predictable values, which is a little better than using `random'
ones if the code following LZW_CLEAR is invalid.
Stack larger than 1<<LZW_MAX_BITS is never needed if prefix table is
constructed correctly. It's even less than that, see e.g.
libarchive code comment for a better size upper bound:
http://code.google.com/p/libarchive/source/browse/trunk/libarchive/archive_read_support_filter_compress.c?r=3635#121
This patch adds explicit stack size limit, enforced when stack is
realloced.
An alternative is to ensure that code < state->prefix[code - 256]
when traversing prefix table. Such check is less efficient and
should not be required if prefix table is constructed correctly in
the first place.
* src/lzw/ftzopen.c (ft_lzwstate_stack_grow): Implement it.
LZW decompressor did not sufficiently check codes read from the
input LZW stream. A specially-crafted or corrupted input could
create a loop in the prefix table, which leads to memory usage
spikes, as there's no decompression stack size limit.
* src/lzw/ftzopen.c (ft_lzwstate_io) <FT_LZW_PHASE_START>: First
code in valid LZW stream must be 0..255.
<FT_LZW_PHASE_CODE>: In the special KwKwK case, code == free_ent,
code > free_ent is invalid.
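The three checks the entries above describe (first code must be a literal, code <= free_ent with code == free_ent as the KwKwK case, and an explicit stack bound while walking the prefix chain) in one small decoder. This is an added illustration written for this page, not FreeType's ftzopen.c; it assumes the codes have already been unpacked from the bit stream and, for brevity, uses static tables and a fixed 16-bit table size:

```c
#include <stddef.h>
#include <string.h>
#define LZW_MAX_BITS 16
#define LZW_TABLE    (1 << LZW_MAX_BITS)   /* table size; also the stack bound */
#define LZW_CLEAR    256
#define LZW_FIRST    257
/* Decode already-unpacked compress(1)-style LZW codes into `out'.
   Returns the number of bytes written, or -1 if the stream is invalid. */
long lzw_decode(const unsigned *codes, size_t ncodes, unsigned char *out, size_t outcap)
{
    static unsigned short prefix[LZW_TABLE];
    static unsigned char  suffix[LZW_TABLE], stack[LZW_TABLE + 2];
    unsigned free_ent = LZW_FIRST, old_code = 0, old_char = 0;
    int      have_old = 0;                   /* 0 == FT_LZW_PHASE_START */
    size_t   outlen = 0;
    for (size_t i = 0; i < ncodes; i++) {
        unsigned code = codes[i], c = code;
        unsigned char *sp = stack;
        /* Every clear code resets the table and sends us back to START. */
        if (code == LZW_CLEAR) { free_ent = LZW_FIRST; have_old = 0; continue; }
        if (!have_old) {                     /* first code must be a literal */
            if (code > 255 || outlen >= outcap) return -1;
            out[outlen++] = (unsigned char)(old_char = old_code = code);
            have_old = 1; continue;
        }
        /* code == free_ent is the KwKwK case; anything larger is invalid. */
        if (code > free_ent || (code == free_ent && free_ent == LZW_TABLE)) return -1;
        if (code == free_ent) { *sp++ = (unsigned char)old_char; c = old_code; }
        while (c >= 256) {                   /* walk the prefix chain */
            if (sp - stack >= LZW_TABLE) return -1;   /* explicit stack limit */
            *sp++ = suffix[c];
            c = prefix[c];
        }
        *sp++ = (unsigned char)(old_char = c);    /* first byte of this string */
        if (outlen + (size_t)(sp - stack) > outcap) return -1;
        while (sp > stack) out[outlen++] = *--sp; /* stack holds it reversed */
        if (free_ent < LZW_TABLE)            /* new entry: old string + first byte */
            { prefix[free_ent] = (unsigned short)old_code; suffix[free_ent++] = (unsigned char)old_char; }
        old_code = code;
    }
    return (long)outlen;
}
/* Test helper: 1 if the codes decode to `expect', -1 if rejected, 0 otherwise. */
int lzw_check(const unsigned *codes, size_t ncodes, const char *expect)
{
    unsigned char buf[64];
    long n = lzw_decode(codes, ncodes, buf, sizeof buf);
    if (n < 0) return -1;
    return (size_t)n == strlen(expect) && memcmp(buf, expect, (size_t)n) == 0;
}
```

With a correctly built table every prefix index is smaller than the entry that references it, so the chain always terminates; the stack check only matters when validation is bypassed, which is why the entry calls it a bound rather than a correctness requirement.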
* src/cff/cfftypes.h (CFF_FontRecDictRec): New member
`has_font_matrix'.
* src/cff/cffparse.c (cff_parse_font_matrix): Set it.
Update tracing output.
* src/cff/cffobjs.c (cff_face_init): Use it so that the heuristics
can be removed.
Found with font fuzzing.
* src/psaux/t1decode.c (t1_decoder_parse_charstrings): Check
`decoder->buildchar'.
* src/type1/t1load.c (t1_load_keyword): Check `blend->num_designs'.
When shifting right a signed value, it is not defined by the
C standard whether one gets a sign extension or not. Use a macro to
do an explicit cast from a signed short (assuming that this is
16-bit) to an int.
* src/psaux/t1decode.c (Fix2Int): New macro.
Use it where appropriate.
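An illustration of the cast described above, added for this page rather than taken from t1decode.c. It assumes a 32-bit 16.16 fixed type and a 16-bit short, and simulates a logical-shift platform with an unsigned shift to show why the cast through short is needed:

```c
#include <stdint.h>
typedef int32_t FT_Fixed;   /* 16.16 fixed point (assumed 32-bit) */
typedef int16_t FT_Short;   /* assumed 16-bit, as the entry requires */
typedef int     FT_Int;

/* Integer part of a 16.16 value.  Casting the shifted value through
   FT_Short re-extends the sign no matter whether `>>' on a negative
   value is arithmetic or logical on this platform. */
#define Fix2Int( f )  ( (FT_Int)(FT_Short)( (f) >> 16 ) )

FT_Int fix2int(FT_Fixed f) { return Fix2Int(f); }

/* What a logical-shift platform would produce with and without the cast. */
FT_Int fix2int_logical_nocast(FT_Fixed f) { return (FT_Int)((uint32_t)f >> 16); }
FT_Int fix2int_logical_cast(FT_Fixed f)   { return (FT_Int)(FT_Short)((uint32_t)f >> 16); }

/* Reference that never shifts a negative value: floor(f / 65536). */
FT_Int fix2int_ref(FT_Fixed f)
{
    FT_Fixed q = f / 65536;             /* C division truncates toward zero */
    if (f < 0 && q * 65536 != f) q--;   /* so step down for negatives */
    return (FT_Int)q;
}
```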
We want to unset FT_FACE_FLAG_SCALABLE only if there are bitmap
strikes in the font.
* src/truetype/ttobjs.c (tt_face_init): Implement it.
* docs/CHANGES: Updated.
The main problems
-----------------
o If FT_STROKER_LINEJOIN_BEVEL was specified, unlimited miter
joins (not bevel joins) were generated. Indeed, the meanings of
`miter' and `bevel' were incorrectly reversed (consistently) in
both the code and comments.
o The way bevel joins were constructed (whether specified
explicitly, or created as a result of exceeding the miter limit)
did not match what is required for stroked text in PostScript or
PDF.
The main fixes
--------------
o The behaviour of FT_STROKER_LINEJOIN_BEVEL has been corrected.
o A new line join style, FT_STROKER_LINEJOIN_MITER_FIXED, has been
introduced to support PostScript and PDF miter joins.
o FT_STROKER_LINEJOIN_MITER_VARIABLE has been introduced as an
alias for FT_STROKER_LINEJOIN_MITER.
Additionally, a variety of stroking errors have been fixed. These
would cause various artifacts (including points `at infinity'),
especially when stroking poor quality fonts.
See
http://lists.gnu.org/archive/html/freetype-devel/2011-07/msg00001.html
for example documents. The FreeType stroker now produces results
very similar to that produced by GhostScript and Distiller for these
fonts.
Other problems
--------------
The following problems have been resolved:
o Inside corners could be generated incorrectly. Intersecting the
inside corner could cause a missing triangular area and other
effects.
The intersection point can only be used if the join is between
two lines and both lines are long enough. The `optimization'
condition in `ft_stroker_inside' has been corrected; this
requires the line length to be passed into various functions and
stored in `FT_StrokerRec'.
o Incorrect cubic curves could be generated. The angle
calculations in `FT_Stroker_CubicTo' have been corrected to
handle the case of the curve crossing the +/-PI direction.
o If the border radius was greater than the radius of curvature of
a curve, then the negative sector would end up outside (not
inside) the border. This situation is now recognized and the
negative sector is circumnavigated in the opposite direction.
(If round line joins are being used, this code is disabled
because the line join will always cover the negative sector.)
o When a curve is split, the arcs may not join smoothly (especially
if the curve turns sharply back on itself). Changes in
direction between adjacent arcs were not handled. A round
corner is now added if the deviation from one arc to the next is
greater than a suitable threshold.
o The current direction wasn't retained if the outline contained
a zero length lineto or a curve that was determined to be
`basically a point'. This could cause a spurious join to be
added.
o Cubics with close control points could be mishandled. All eight
cases are now distinguished correctly.
Other improvements
------------------
o Borders for cubic curves could be too `flat'.
FT_SMALL_CUBIC_THRESHOLD has been reduced a little to prevent
this.
o The handling and use of movable points has been simplified a
little.
o Various values are now computed only if the results are actually
needed.
o The directions of the outer and inner borders have been swapped,
as recommended by Graham Asher.
* src/base/ftstroke.c: Revised.
* include/freetype/ftstroke.h: Updated.
Passing uninitialized pointer to the buffer allocator is
not problematic theoretically (as far as the returned
pointer is checked before writing), but g++4.6 dislikes
it and warns by -Wuninitialized. Initialize them by NULL.
* src/base/ftobjs.c (FT_Stream_New): Init `stream'.
(new_memory_stream): Ditto.
(FT_New_GlyphSlot): Init `slot'.
(FT_CMap_New): Init `cmap'.
(open_face_PS_from_sfnt_stream): Init `sfnt_ps'.
(Mac_Read_POST_Resource): Init `pfb_data'.
(Mac_Read_sfnt_Resource): Init `sfnt_data'.
* src/base/ftrfork.c (FT_Raccess_Get_DataOffsets):
Init `offsets_internal' and `ref'.
(raccess_guess_darwin_hfsplus): Init `newpath'.
(raccess_guess_darwin_newvfs): Ditto.
* src/base/ftbitmap.c (ft_bitmap_assure_buffer):
Init `buffer'.
* src/base/ftstroke.c (FT_Stroker_New): Init `stroker'.
Some invalid, overrunning, unrecommended non-zero values
are taken care of in paranoid validation mode only. There are
many lines looking like:
  if ( valid->root->level >= FT_VALIDATE_PARANOID )
    FT_INVALID_xxx;
To simplify them, GXV_SET_ERR_IF_PARANOID( err ) is
introduced for more paranoid validation in future.
* src/gxvalid/gxvcommn.h (IS_PARANOID_VALIDATION):
New macro to assure valid->root->level is greater than or
equal to FT_VALIDATE_PARANOID.
(GXV_SET_ERR_IF_PARANOID):
New macro to raise an error if in paranoid validation.
* src/gxvalid/gxvcommn.c: Use GXV_SET_ERR_IF_PARANOID().
* src/gxvalid/gxvfeat.c: Ditto.
* src/gxvalid/gxvjust.c: Ditto.
* src/gxvalid/gxvkern.c: Ditto.
* src/gxvalid/gxvmort.c: Ditto.
* src/gxvalid/gxvmort0.c: Ditto.
* src/gxvalid/gxvmort1.c: Ditto.
* src/gxvalid/gxvmort2.c: Ditto.
* src/gxvalid/gxvmorx1.c: Ditto.
* src/gxvalid/gxvmorx2.c: Ditto.
* src/gxvalid/gxvmort.c (gxv_mort_subtables_validate):
Conditionalize unvalidated variable `subFeatureFlags'.
(gxv_mort_chain_validate): Conditionalize unvalidated
variable `defaultFlags'.
* src/gxvalid/gxvmort0.c
(gxv_mort_subtable_type0_entry_validate): Check the
conflict of the marks for the glyphs.
* src/gxvalid/gxvmort1.c
(gxv_mort_subtable_type1_offset_to_subst_validate):
Local variables `min_gid', `max_gid' are replaced by
variables in the validator.
(gxv_mort_subtable_type1_entry_validate): Conditionalize
unvalidated variables; `setMark', `dontAdvance'.
(gxv_mort_subtable_type1_substTable_validate):
Validate the GID by the min/max GIDs in the validator.
* src/gxvalid/gxvmort2.c
(gxv_mort_subtable_type2_ligActionOffset_validate):
Conditionalize unvalidated variables; `last', `store'.
Checking for overrunning offset is added.
(gxv_mort_subtable_type2_entry_validate):
Conditionalize unvalidated variables; `setComponent',
`dontAdvance'.
(gxv_mort_subtable_type2_ligatureTable_validate):
Check if the GID for ligature does not exceed the
max GID in `maxp' table.
* src/gxvalid/gxvmort5.c
(gxv_mort_subtable_type5_InsertList_validate):
Conditionalize unvalidated loading of `insert_glyphID'
array.
(gxv_mort_subtable_type5_entry_validate):
Conditionalize unvalidated variables; `setMark',
`dontAdvance', `currentIsKashidaLike',
`markedIsKashidaLike', `currentInsertBefore',
`markedInsertBefore'.
* src/gxvalid/gxvjust.c (gxv_just_check_max_gid):
New function to unify the checks of too large GID.
(gxv_just_wdp_entry_validate): Conditionalize unvalidated
variables; `beforeGrowLimit', `beforeShrinkGrowLimit',
`afterGrowLimit', `afterShrinkGrowLimit', `growFlags',
`shrinkFlags'. Additional check for non-zero values in
unused storage `justClass' is added.
(gxv_just_actSubrecord_type0_validate): Conditionalize
unvalidated variable `order'. GID is checked by
gxv_just_check_max_gid(). Additional check for upside-down
relationship between `lowerLimit' and `upperLimit' is added.
(gxv_just_actSubrecord_type1_validate): GID is checked by
gxv_just_check_max_gid().
(gxv_just_actSubrecord_type2_validate): Conditionalize
unvalidated variable `substThreshhold'. GID is checked by
gxv_just_check_max_gid().
(gxv_just_actSubrecord_type5_validate): GID is checked by
gxv_just_check_max_gid().
(gxv_just_classTable_entry_validate): Conditionalize
unvalidated variables; `setMark', `dontAdvance',
`markClass', `currentClass'.