It is possible for OtherSubr 19 to be invoked when `decoder->buildchar` is
NULL (so that `decoder->len_buildchar` is 0), the `blend` is non-NULL with
`blend->num_designs` set to 2, and the user supplied `idx` to be large (for
example 0xFFFFFFFE). Since these are all `FT_UInt32` the existing bounds
check overflows in a well defined manner, allowing for an invalid call to
`memcpy`.
In addition, it is possible to call OtherSubr 19 with
`decoder->len_buildchar`, `blend->num_designs`, and `idx` all zero (implying
that `blend->weight_vector` and `decoder->buildchar` are NULL). This passes
the bounds check (it is logically always fine to copy nothing starting at
index zero) but may invoke undefined behavior in `ft_memcpy` if it is backed
by `memcpy`. Calling `memcpy` with either the `src` or `dst` NULL is
undefined behavior (even if `count` is zero).
* src/psaux/psintrp.c (cf2_interpT2CharString): Correctly check that
`blend->num_designs` can be copied to `decoder->buildchar[idx]`.
Also avoid passing NULL to `ft_memcpy`.
Bug: https://crbug.com/1299259
* src/psaux/psintrp.c (cf2_interpT2CharString)
<cf2_escCALLOTHERSUBR>: Convert assertion into error, since the
problem can happen with invalid user input.
Test case is file
fuzzing/corpora/legacy/oss-fuzz/5754332360212480-unknown-read
in the `freetype2-testing` repository.
We no longer have to take care of the 8.3 file name limit; this
allows us (a) to introduce longer, meaningful file names, and (b) to
avoid macro names in `#include' lines altogether since some
compilers (most notably Visual C++) doesn't support this properly.
*/*: Replace
#include FOO_H
with
#include <freetype/foo.h>
or something similar. Also update the documentation.
As originally intended, a Type 1 SEAC charstring would be used for
an accented glyph (like `acaron' or `uumlaut'), where the advance
width of the SEAC glyph is the same as that of the `base' glyph
(like `a' or `u'). In this case it is not uncommon for the SEAC
glyph to not use an (H)SBW opcode of its own but to rely on the
value from the base glyph.
However, out-of-spec fonts also use SEAC glyphs for ligatures (like
`oe' or `fi'), and in those cases the overall advance width is
greater than that of the `base' glyph. For this reason we have to
allow that the SEAC glyph can have an (H)SBW value of its own, and
if it has, retain this value, rather than the one from the base
glyph.
* src/psaux/psintrp.c (cf2_interpT2CharString) <cf2_escSEAC>:
Implement it.
* src/psaux/psintrp.c (cf2_interpT2CharString): The call to
`cf2_arrstack_setCount' may fail because the allocator ran out of
memory. When this happens the stack is still written to before the
error condition is checked. This means that FreeType writes outside
of allocated memory. This commit moves the error check prior to the
stack assignment, hence the function now properly returns with an
error condition.
All of the Type 1 path building is done with code common to the
revised CFF engine, with the exception of closepath, which was still
calling ps_builder_close_contour(), thus previously cached segments
were not always written to the path, and glyph corruption, or even
invalid outlines were possible.
* src/psauc/psinterp.c (cf2_interpT2CharString) <cf2_cmdCLOSEPATH>:
Switch to calling `cf2_glyphpath_closeOpenPath'.
Before this commit we had code like
(FT_Bool)( globals->glyph_styles[gindex] & 0x8000)
Since `FT_Bool' is defined to be an `unsigned char', the code
evaluated to something like
(unsigned char)( 0x8532 & 0x8000)
which in turn expanded to
(unsigned char)( 0x8000)
and finally yielded 0x00 – i.e., false – not as expected.
Problem reported and analyzed by Tony Smith <tony.smith@macro4.com>.
* include/freetype/fttypes.h (FT_BOOL): Add a comparison against
zero so that we always have a Boolean expression.
*/*: Replace castings to `FT_Bool' with calls to `FT_BOOL' where
possible.
This monster commit was created by applying Nikhil's scripts
`docconverter.py' and `markify.py' to all C header and source files,
followed up by minor manual clean-up.
No change in functionality, of course.
I used commit f7419907bc6044b9b7057f9789866426c804ba82 from
https://github.com/nikramakrishnan/freetype-docs.git.
The interpreter in Type 1 mode rewinds the charstring after collecting
all hints for building the initial hintmap (commit d52dd7f). However,
some charstrings use `endchar' in a final subroutine call, rewinding to
the start of that subroutine, and only a small section of the actual
glyph is drawn.
* src/psaux/psintrp.c (cf2_interpT2CharString) <cf2_cmdENDCHAR>:
Ensure we are on the top level charstring before rewinding.
Type 1 hinting breaks sometimes when mid-charstring hints should
have been in the initial hintmap. This fix adds a preprocessing
pass that reads all hints and builds the correct initial hintmap
first, before proceeding to build the glyph outline.
* src/psaux/psintrp.c (cf2_interpT2CharString): New
`initial_map_ready' boolean flag.
Ignore outline commands and hint changes on first pass.
<cf2_cmdENDCHAR>: Add section to build hintmap and rewind.
* src/psaux/psintrp.c (cf2_interpT2CharString): Fix check for pop
results.
s/font->decoder/decoder/ where necessary.
<cf2_cmdHSTEM, cf2_cmdVSTEM, cf2_escHSTEM3, cf2_escVSTEM3>: Use
offset parameter in `cf2_doStems' instead of doing correction for
left-sidebearing.
This concludes the changes needed to add Type 1 support.
* src/psaux/psintrp.c: Update includes.
(cf2_interpT2CharString) <cf2_escSEAC>: Implement this similarly to
implied seac for CFF.
* src/psaux/t1decode.c (t1_lookup_glyph_by_stdcharcode_ps): New
function to look up the glyph index.
* src/psaux/psft.c (cf2_getT1SeacComponent,
cf2_freeT1SeacComponent): New functions to get the charstrings for
seac components.
* src/psaux/t1decode.h, src/psaux/psft.h: Update declarations.
* src/psaux/psintrp.c (cf2_interpT2CharString)
<cf2_escCALLOTHERSUBR>: Fix Flex feature handling (OtherSubrs 0, 1,
2).
<cf2_cmdRMOVETO>: Do not actually move the `glyphPath' while doing
flex. This is to avoid closing the current contour.
* src/psaux/psintrp.c (cf2_interpT2CharString)
<cf2_escCALLOTHERSUBR>: Copy code from
`t1_decoder_parse_charstrings' (in `t1decode.c').
OtherSubr 3 (change hints) should reset the hintmask, so that the
new hints are applied.
Fix function calls and stack access.
* src/psaux/psintrp.c (cf2_interpT2CharString): Change how unhandled
OtherSubr results are stored. Implement the PostScript stack using
an array.
<cf2_escPOP>: Ensure that the stack is not cleared after getting
`OtherSubr' results.
Fix stack access.
* src/psaux/psintrp.c (cf2_interpT2CharString) <cf2_escDIV>: Add
Type 1 mode. Type 1 requires large integers to be followed by
`div'; cf. `Adobe Type 1 Font Format', section 6.2.
<op == 255>: Push Type 1 four-byte numbers as `Int' always. This is
to ensure `div' and `callsubr' get values they can use.
* src/psaux/psintrp.c (cf2_interpT2CharString) <cf2_cmdHSTEM,
cf2_cmdVSTEM>: Add correction for left sidebearing in Type 1 mode.
Allow adding hints mid-charstring.
<cf2_escVSTEM3, cf2_escHSTEM3>: Translate into equivalent commands
for three normal stem hints. This requires some recalculation of
stem positions.
Correction for left sidebearing.
* src/psaux/psintrp.c (cf2_doStems): `hsbw' or `sbw' must be the
first operation in a Type 1 charstring.
(cf2_interpT2CharString): Remove unused variables.
<cf2_cmdHMOVETO, cf2_cmdVMOVETO, cf2_cmdRMOVETO>: `hsbw' or `sbw'
must be the first operation in a Type 1 charstring.
<cf2_cmdHSBW, cf2_escSBW>: Fix data access and add correction for
left sidebearing.
* src/psaux/psintrp.c (cf2_interpT2CharString) <c2f_cmdCLOSEPATH>:
Use the right builder function. We can use the `haveWidth' boolean
already present, instead of implementing `parse_state'.
The following Type 1 specific ops have been added (copied from
`t1decode'):
closepath
vstem3
hstem3
seac
sbw
callothersubr
pop
setcurrentpoint
hsbw
The following require a Type 1 mode, because of differences in
specification:
hstem
vstem
vmoveto
callsubr
div
rmoveto
hmoveto
Numbers
The subsequent commits will implement these changes and adapt
accesses of data and objects to the new interpreter.
NOTE: Will not compile in the meantime!
* src/psaux/psintrp.c: Add opcodes to enum.
(cf2_interpT2CharString): Copy relevant code over from
`t1_decoder_parse_charstrings' (in `t1decode.c').
* include/freetype/internal/psaux.h, src/psaux/psauxmod.c: Fix
switching between new and old engines.
* src/cff/cffgload.c, src/cff/cffparse.c: Update calls.
* src/psaux/psblues.c, src/psaux/psfont.c, src/psaux/psfont.h,
src/psaux/psft.c, src/psaux/psft.h, src/psaux/psintrp.c: Update all
to use new objects.
Replace the `cf2' file name prefix with `ps' as the Adobe engine
will be used for both PostScript Types 1 and 2 (CFF) instead of just
CFF.
s/cf2/ps/ for all following.
* src/psaux/cf2*: Rename files.
* src/psaux/*: Update includes.
* src/psaux/Jamfile (_sources), src/psaux/rules.mk (PSAUX_DRC_SRC,
PSAUX_DRV_H): Update file references.
Ben Wagner