It is undefined behavior to pass `NULL` to `memcpy`. `coords' is
passed to `memcpy` but `TT_Get_MM_Blend` and `TT_Get_Var_Design`
explictly call `tt_set_mm_blend` with `coords` as `NULL`. In
addition, `TT_Set_MM_Blend` has a similar possible issue.
'COLR' v1 fonts do not necessarily need to have a layer list; for
this reason, 'fontTools' recently started generating fonts in a way
that drops the layer list if there are no layers in it. This
results in the layer list offset becoming zero, which FreeType
treated as an invalid table. Fix that and handle the case for layer
list offset being 0. This slightly changes how we need to calculate
the starting offset for paints.
* src/sfnt/ttcolr.c (tt_face_load_colr): Handle case of layer list
offset being zero without outright rejecting table.
The second pass also fixes horizontal lines through the pixel centers.
* src/raster/ftraster.c (black_TWorker): Do not use `second_pass'.
(Render_Glyph): Skip the second pass only with the appropriate flag.
* src/raster/ftraster.c (black_TWorker): Move `band_stack' from here..
(Render_Single_Pass): ... to here and accept limit arguments.
(Render_Glyph): Updated.
* src/raster/ftraster.c (black_TWorker): Move `arcs' from here...
(Conic_To, Cubic_To): ... to here to tighten their scope.
(Bezier_Up, Bezier_Down): ... Take the current `arc' argument.
Paint tables can appear before the `base_glyphs_v1` offset if the
font is produced with the layer list before the base glyph list. In
this case paint tables can occur after the layer list but before the
base glyph list. Checks in the 'COLR' v1 code were rejecting fonts
with this layout. Improve these checks by calculating a minimum
offset after which paint tables can occur and use that in safety
checks.
* src/sfnt/ttcolr.c (Colr, tt_face_load_colr): Declare
`paint_start_v1` and calculate that as the minimum of the end of
layer list and base glyph list.
(get_child_table_pointer, read_paint, tt_face_get_paint_layers):
Use that in safety checks.
* src/raster/ftraster.c (black_TWorker): Replace the current line
offset with the pointer and drop the increment.
(Function_Sweep_Init): Take values as arguments instead of pointers.
(Vertical_Sweep_*, Horizontal_Sweep_Init, Draw_Sweep): Updated.
We can bisect a band until it is just a single scan line. This might
be slow and cause time-outs but if we need to impose limits it should
be elsewhere.
* src/raster/ftraster.c (Render_Single_Pass): Tweak sub-banding.
FT_Render_Glyph picked up FAILURE or 1 returned from the raster
function, which became a confusing error code. Instead, return
Raster_Overflow in the unlikely event that banding does not help or
another meaningful error.
* src/smooth/ftgrays.c (gray_convert_glyph_inner, gray_convert_glyph):
Use Raster_Overflow when the rendering pool is exhausted and return it
if banding does not help.
(gray_raster_render): Use Smooth_Err_Ok.
* src/raster/ftraster.c (Render_Single_Pass): Return Raster_Overflow
if banding does not help or another error code.
* include/freetype/ftcolor.h (FT_PaintTransformed, FT_PaintFormat,
FT_COLR_Paint): Do it to make it harmonize with other names such as
'PaintTranslate'.
* src/sfnt/ttcolr.c (read_paint, tt_face_get_paint): Ditto.
We need to inverse inheritance of FT_GlyphSlot_Internal so that we
have a chance to free the rendered bitmap from the parent slot.
* src/type42/t42objs.c (T42_GlyphSlot_Init): Remove the internal parts
of the child `ttslot' and replace it with the parent structure.
(T42_GlyphSlot_Done): Updated accordingly.
* src/psaux/psintrp.c (cf2_interpT2CharString)
<cf2_escCALLOTHERSUBR>: Convert assertion into error, since the
problem can happen with invalid user input.
Test case is file
fuzzing/corpora/legacy/oss-fuzz/5754332360212480-unknown-read
in the `freetype2-testing` repository.
* src/sfnt/ttcolr.c (tt_face_get_paint_layers): In addition to the
existing sanity checks, ensure that the pointer to the layer to be
read is within the 'COLR' v1 table.
* src/sdf/ftsdf.c: Include `ftbitmap.h`.
* src/sdf/ftsdfcommon.h: Move function bodies to `ftsdfcommon.c`.
Include `ftobjs.h` to get definitions of `FT_LOCAL` and friends.
* src/sdf/ftsdfcommon.c: New file.
* src/sdf/rules.mk, src/sdf/sdf.c: Updated.
Since 8-bits is enough to represent SDF data we no longer require
16-bits for this purpose. Also, we now normalize the output data
to use the entire 8-bit range efficiently. For example: if we use
3.5 format with a spread of 1 we basically only use the starting
5-bits. By normalizing we can use the entire 8-bit range.
* include/freetype/freetype.h (FT_Render_Mode): Updated description
for `FT_RENDER_MODE_SDF` regarding this change.
* include/freetype/ftimage.h (FT_Pixel_Mode): Removed
`FT_PIXEL_MODE_GRAY16` since no longer required.
* include/freetype/fttypes.h (FT_F6Dot10): Removed since no longer
required.
* src/sdf/ftsdfrend.c (ft_sdf_render, ft_bsdf_render): Allocate 8-bit
bitmap instead of 16-bit buffer.
* src/sdf/ftsdfcommon.h (map_fixed_to_sdf): Added function to convert
16.16 distance value to our desired format.
* src/sdf/ftsdf.c (sdf_generate_with_overlaps,
sdf_generate_bounding_box): Use the new `map_fixed_to_sdf` function
and also use 8-bit output buffer.
* src/sdf/ftbsdf.c (finalize_sdf): Output to a 8-bit buffer instead
of 16-bit buffer.
The autohinter could not access the base (unscaled) outline in the
child TrueType glyph slot. We now share the internal parts between
the parent and child glyph slots. Fixes#1057.
* src/type42/t42objs.c (T42_GlyphSlot_Init): Remove the internal parts
of `T42_GlyphSlot' and replace it with the child TrueType structure.
(T42_GlyphSlot_Done): Updated accordingly.
While a function pointer may be cast to another function pointer
type, it is required to cast the function pointer back to the
original function pointer type before calling it. If a parameter is
a pointer the exact pointer type is required. Using a pointer to a
different underlying type is technically undefined behavior. The
wrapper functions `ft_gzip_alloc` and `ft_gzip_free` took
`FT_Memory` (a `FT_MemoryRec_*`) instead of `voidpf` (`void*`), so
when gzip calls these callbacks through `alloc_func` or `free_func`
it invokes undefined behavior. On most platforms this works out as
expected, but newer undefined behavior detectors and targets like
wasm can detect this and will produce an error.
* src/gzip/ftgzip.c (ft_gzip_alloc, ft_gzip_free): Update signatures
to exactly match `alloc_func` and `free_func`, respectively.
Internally, cast the `void*` opaque pointer to `FT_Memory`.
Fixes timeout (#1055) analyzed by Ben Wagner, reported as
https://crbug.com/1194092
* src/sfnt/ttload.c (tt_face_load_post): Check POST format.
* src/sfnt/sfobjs.c (sfnt_load_face): Synthesize the missing unicode
charmap only if the glyph names exist.
* src/psnames/psmodule.c (ps_unicode_value): Short cut ".notdef" and
".null".
Fixes timeout reported as
https://crbug.com/1206181
* src/psaux/psarrst.c (cf2_arrstack_{push,init}): Implement it.
* src/psaux/psarrst.h (CF2_ArrStackiRec): Drop `chunk'.
Selecting the fill rule or checking the direct mode each time we call
`gray_hline' is sub-optimal. This effectively splits the direct mode
into a separate code path while inlining `gray_hline' and saving 5-7%
of rendering time.
* src/smooth/ftgrays.c (gray_hline): Eliminated in favor of...
(FT_FILL_RULE, FT_GRAY_SET): ... these new macros...
(gray_sweep): ... inlined here.
(gray_sweep_direct): New function that handles the direct span buffer.
(gray_TWorker): Remove the span buffer.
(gray_raster_render, gray_convert_glyph): Updated.
Ben Wagner