Previously the `blend->weight_vector`, `blend->default_weight_vector`,
and `blend->design_pos` were set early to allocated but uninitialized
memory under the assumption that the memory would eventually be
initialized. However, it is possible that some of the required
keywords may not actually be present, leaving the memory uninitialized.
This is different from a present but invalid table, which would produce
an error.
Reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=1261762
* src/type1/t1load.c (t1_allocate_blend): Remove early allocation and
initialization.
(parse_blend_design_positions, parse_weight_vector): Parse into local
and assign to blend if valid.
(T1_Open_Face): Check that if a blend exists that it has the weight
vector and design positions.
The vstore->regionCount and vstore->dataCount were read directly
from the data. However, vstore->varRegionList and vstore->varData
would still contain uninitialized entries with uninitialized
pointers in the event of an error, leading to issues when attempting
to clean up.
Reportd as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40104
* src/cff/cffload.c (cff_vstore_load): Read the region and data counts
into locals and update the vstore counts immediately after each entry
becomes free-able.
Previously, the gasp.numRanges was set and gasp.gaspRanges was
allocated and assigned before a possible early exit if the frame could
not be entered. It is also possible that the gaspRanges allocation
could fail but the numRanges still be set to non-zero. In such cases
an error would be returned, but the face would have a gasp in an
inconsistent state which may still be accessed.
Reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=1261450
* src/sfnt/ttload.c (tt_face_load_gasp): Delay setting gasp.numRanges
and gasp.gaspRanges until after the ranges are initialized.
Previously, the table->names and table->langTags fields were created
pointing to uninitialized memory and an early exit could happen if the
frame could not be entered. The caller would then be unable to properly
dispose of the memory as the string fields had not been initialized.
Reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=1261343
* src/sfnt/ttload.c (tt_face_load_name): delay setting table->langTags
and table->names until after the memory they will point to is fully
initialized.
This is mainly for better diagnostics of malformed fonts.
* src/bdf/bdflib.c (_bfd_readstream): Stop font format testing if the first
input line is too long or doesn't end with `\r` or `\n`.
* src/cid/cidparse.c (cid_parser_new): Don't handle too short input as an
error but as an unknown format.
* src/pfr/pfrobjs.c (pfr_face_init): Ditto.
* src/winfonts/winfnt.c (fnt_font_load, fnt_face_get_dll_font): Ditto.
Fallout reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40027
* src/bdf/bdflib.c (_bdf_add_property): Cosmetic NULL.
(bdf_create_property): Limit allocations to customary signed
FT_Long and NULL-initialize unused storage.
(bdf_free_font): Do not free unused storage.
FT_QNEW_ARRAY and FT_QRENEW_ARRAY were using the non-Q
FT_MEM_NEW_ARRAY and FT_MEM_RENEW_ARRAY. Change these to use the Q
versions. Also fix the one issue discovered in tt_face_load_name
where table->names is created with FT_QNEW_ARRAY but the extra
string member is not initialized to NULL.
* include/freetype/internal/ftmemory.h (FT_Q(RE)NEW_ARRAY):
Use FT_MEM_Q(RE)NEW_ARRAY as needed.
* src/sfnt/ttload.c (tt_face_load_name): Initialize `entry->string`.
When a different hinting mode from the current is selected, the `prep` table
must be re-executed with the new mode. After this happens the context must
be re-loaded in preparation for the glyph program to be run.
Fixes#1104.
* truetype/ttgload.c (tt_loader_init): Add call to `TT_Load_Context`.
It is easier to check directions using flags than integer values.
* src/pshinter/pshalgo.h (PSH_Dir): Redefine directions.
(PSH_PointRec): Use them as an enum type.
* src/pshinter/pshalgo.c (psh_compute_dir): Modify return type.
(psh_glyph_init, psh_hint_table_find_strong_points,
psh_glyph_find_blue_points): Update users.
BDF comments are neither actually collected nor retrieved. There is
no need to be fancy with delimiters.
* src/bdf/bdflib.c (_add_bdf_comment): Delimit comments with zeros...
(bdf_load_font): ...and do not null-terminate comments additionally.
(_bdf_parse_glyphs): Check if comments are kept, which they are not.
(_bdf_parse_start): Minor clean up.
* src/pcf/pcfread.c (pcf_load_font): Do not call `FT_MulDiv` for a
small job.
* src/bdf/bdfdrivr.c (BDF_Face_Init): Ditto.
* src/bdf/bdflib.c (_bdf_parse_glyphs): Fix a comment.
With Windows memory management tracking heap, it is important to use
it during the stream opening fallback. In Unix, the argument is
unused, but it is better to set it correctly.
* src/base/ftobjs.c (FT_Stream_New): Set memory before calling
`FT_Stream_Open`.
* builds/windows/ftsystem.c, builds/unix/ftsystem.c (FT_Stream_Open,
ft_close_stream_by_free): Call `ft_alloc` and `ft_free` with proper
memory argumment.
Loops with unsigned decrement can be reliably stopped when the counter
wraps around after reaching zero.
* src/cff/cffload.c (cff_charset_compute_cids): Use unsigned counter.
* src/pshinter/pshalgo.c (psh_hint_table_activate_mask): Ditto.
* src/pshinter/pshrec.c (ps_mask_table_merge): Ditto.
Ben Wagner