Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=981
* include/freetype/fterrdef.h (FT_Err_DEF_In_Glyf_Bytecode): New
error code.
* src/truetype/ttinterp.c (Ins_FDEF, Ins_IDEF): Prohibit execution
of these two opcodes in `glyf' bytecode.
(TT_RunIns): Don't enforce reexecution of `fpgm' and `prep' bytecode
in case of error since function tables can no longer be modified
(due to the changes in `Ins_FDEF' and `Ins_IDEF'). This change can
enormously speed up handling of broken fonts.
* src/truetype/ttdriver.c (tt_size_request): Revert change from
2011-07-16; the intended metrics fix seems now to be implemented in
a different way, making the patch unnecessary. Note that this
change was usually patched out by all major GNU/Linux distributions
due to heavy side effects.
* src/truetype/ttgload.c (compute_glyph_metrics, TT_Load_Glyph):
Refer to the metrics of the `TT_Size' object.
At least on FreeBSD there is a global declaration of `index' in file
`/usr/include/strings.h'.
* src/cff/cf2intrp.c, src/truetype/ttgload.c: s/index/idx/ where
appropriate.
* src/sfnt/ttkern.c (tt_face_load_kern): Don't check for
cross-stream kerning tables since we reject format 2 tables later
on anyway.
Modify code for limit test...
(tt_face_get_kerning): ... to avoid a limit test here.
Reported by Alexander Hedges <ahedges@student.ethz.ch>.
* src/pcf/pcfdrivr.c (pcf_property_set, pcf_property_get): Tag
`property_name' with `FT_UNUSED' where necessary.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
<callothersubr>: Since there is not a single flex operator but a
series of subroutine calls, malformed fonts can call arbitrary other
operators after the start of a flex, possibly adding points. For
this reason we have to check the available number of points before
inserting a point.
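Added example, not FreeType's code: a toy Type 1 charstring builder that shows why the flex fix above has to check outline capacity at every point insertion. The flex is a series of `callothersubr' calls rather than one operator, so a malformed font can interleave ordinary path operators (here `rlineto') between the flex subroutine calls and add more points than the flex itself accounts for. All names, the operator encoding and the constructed sequences are my own; `add_point_unchecked' models the pre-fix assumption and is never executed, `add_point_checked' models the post-fix behaviour.

```c
#include <stddef.h>
#include <stdio.h>

#define OUTLINE_CAPACITY 8   /* constructed: tiny buffer so the overflow is visible */

typedef struct {
  int x[OUTLINE_CAPACITY];
  int y[OUTLINE_CAPACITY];
  int n_points;
  int max_points;
} outline_t;

/* Toy operator set (hypothetical, not the real Type 1 encoding). */
typedef enum { OP_RLINETO, OP_FLEX_START, OP_FLEX_POINT, OP_FLEX_END } op_kind;
typedef struct { op_kind op; int dx, dy; } charstring_op;

enum { ERR_OK = 0, ERR_TOO_MANY_POINTS = 1 };

/* Pre-fix shape: the caller is trusted to have reserved room for the
 * flex's points when the flex started, so nothing is verified here.
 * Called on the malformed sequence below it writes past the arrays. */
void add_point_unchecked(outline_t *o, int x, int y)
{
  o->x[o->n_points] = x;
  o->y[o->n_points] = y;
  o->n_points++;
}

/* Post-fix shape: verify available capacity before every insertion. */
int add_point_checked(outline_t *o, int x, int y)
{
  if (o->n_points >= o->max_points)
    return ERR_TOO_MANY_POINTS;
  o->x[o->n_points] = x;
  o->y[o->n_points] = y;
  o->n_points++;
  return ERR_OK;
}

/* Minimal interpreter: every point-producing operator goes through the
 * checked insertion, whether or not we are inside a flex. */
int run_charstring(outline_t *o, const charstring_op *ops, size_t n_ops)
{
  int cx = 0, cy = 0, err;
  size_t i;

  for (i = 0; i < n_ops; i++) {
    switch (ops[i].op) {
    case OP_FLEX_START:   /* bookkeeping only in this toy */
    case OP_FLEX_END:
      break;
    case OP_FLEX_POINT:
    case OP_RLINETO:
      cx += ops[i].dx;
      cy += ops[i].dy;
      if ((err = add_point_checked(o, cx, cy)) != ERR_OK)
        return err;
      break;
    }
  }
  return ERR_OK;
}

/* Constructed: a well-formed flex, 7 points, fits in 8 slots. */
const charstring_op good_ops[] = {
  {OP_FLEX_START, 0, 0},
  {OP_FLEX_POINT, 10, 0}, {OP_FLEX_POINT, 10, 0}, {OP_FLEX_POINT, 10, 0},
  {OP_FLEX_POINT, 10, 0}, {OP_FLEX_POINT, 10, 0}, {OP_FLEX_POINT, 10, 0},
  {OP_FLEX_POINT, 10, 0},
  {OP_FLEX_END, 0, 0},
};

/* Constructed: malformed font smuggles six `rlineto' into the flex,
 * 13 points in total, more than the outline can hold. */
const charstring_op malformed_ops[] = {
  {OP_FLEX_START, 0, 0},
  {OP_FLEX_POINT, 10, 0}, {OP_FLEX_POINT, 10, 0}, {OP_FLEX_POINT, 10, 0},
  {OP_RLINETO, 1, 1}, {OP_RLINETO, 1, 1}, {OP_RLINETO, 1, 1},
  {OP_RLINETO, 1, 1}, {OP_RLINETO, 1, 1}, {OP_RLINETO, 1, 1},
  {OP_FLEX_POINT, 10, 0}, {OP_FLEX_POINT, 10, 0}, {OP_FLEX_POINT, 10, 0},
  {OP_FLEX_POINT, 10, 0},
  {OP_FLEX_END, 0, 0},
};

int main(void)
{
  outline_t o = {{0}, {0}, 0, OUTLINE_CAPACITY};
  int err = run_charstring(&o, malformed_ops,
                           sizeof malformed_ops / sizeof malformed_ops[0]);
  printf("malformed flex: err=%d, points stored=%d of %d\n",
         err, o.n_points, o.max_points);
  return 0;
}
```

The point of the checked variant is that the error surfaces as a return code at the offending operator, leaving `n_points' clamped at the buffer size instead of trusting the reservation made when the flex started.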
* src/base/ftmm.c (FT_Set_Var_Design_Coordinates,
FT_Set_MM_Blend_Coordinates, FT_Set_Var_Blend_Coordinates): Ignore
return value of `ft_face_get_mvar_service'; instead, check whether a
service is actually returned.
Too many local variables holding different structures were called
`metrics'.
* src/truetype/ttdriver.c (tt_size_select): s/metrics/size_metrics/.
* src/truetype/ttgload.c (tt_get_metrics_incr_overrids,
compute_glyph_metrics): s/metrics/incr_metrics/.
(load_sbit_image): s/metrics/sbit_metrics/.
* src/truetype/ttobjs.c (tt_size_run_fpgm): s/metrics/size_metrics/.
(tt_size_init_bytecode): s/metrics/tt_metrics/.
(tt_size_reset): s/metrics/size_metrics/.
We have to make a separate case for Windows 64's LLP64 data model.
* builds/unix/ftconfig.in, builds/vms/ftconfig.h,
include/freetype/config/ftconfig.h (FT_UINT_TO_POINTER): New macro.
* src/truetype/ttgload.c (load_truetype_glyph): Use it.
* src/autofit/afcjk.c, src/autofit/afindic.c: Include `afcjk.h'
earlier.
* src/sfnt/sfobjs.c (sfnt_init_face): Put `memory' variable into
TT_CONFIG_OPTION_GX_VAR_SUPPORT block.
(sfnt_done_face): Protect some code with
TT_CONFIG_OPTION_GX_VAR_SUPPORT.
* src/sfnt/ttsbit.c (tt_face_load_sbix_image): Remove compiler
warning.
* src/truetype/ttgload.c (TT_Load_Simple_Glyph): Put `tmp' variable
into TT_USE_BYTECODE_INTERPRETER block.
(tt_loader_init): Put `error' variable into
TT_USE_BYTECODE_INTERPRETER block.
* src/base/ftsnames.c: Include FT_INTERNAL_DEBUG_H.
* src/cff/cffobjs.c [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Include
FT_MULTIPLE_MASTERS_H and FT_SERVICE_MULTIPLE_MASTERS_H.
* src/sfnt/sfdriver.c [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Include
FT_MULTIPLE_MASTERS_H and FT_SERVICE_MULTIPLE_MASTERS_H.
(get_win_string, get_apple_string): Initialize `result'.
* src/cff/cffload.c (cff_blend_build_vector): Explicitly build blend
vector when `lenNDV' is zero; don't rely on zero-init.
Save `lenNDV' as part of cache key even when `lenNDV' is zero.
This is inspired by the discussion in and analysis of
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=859
* src/tools/ftfuzzer/ftfuzzer.cc (LLVMFuzzerTestOneInput): Use only
up to 20 face indices.
Use only up to 20 instance indices.
Everything is guarded with TT_CONFIG_OPTION_GX_VAR_SUPPORT.
* include/freetype/internal/tttypes.h (TT_FaceRec): New fields
`var_postscript_prefix' and `var_postscript_prefix_len'.
* src/sfnt/sfdriver.c: Include FT_TRUETYPE_IDS_H.
(sfnt_is_alphanumeric): New wrapper function for `ft_isalnum'.
(get_win_string, get_apple_string): Remove `const' from return
value.
(MAX_VALUE_DESCRIPTOR_LEN, MAX_PS_NAME_LEN): New macros.
(hexdigits): New array.
(sfnt_get_var_ps_name): New function, implementing Adobe TechNote
5902 to construct a PS name for a variation font instance.
(sfnt_get_ps_name): Call `sfnt_get_var_ps_name' for font instances.
* src/sfnt/sfobjs.c (sfnt_done_face): Updated.
* src/truetype/ttgxvar.c (tt_set_mm_blend): Reset
`face->postscript_name' to trigger recalculation for new instance
parameters.
Add 128bit MurmurHash 3 function.
Everything is guarded with TT_CONFIG_OPTION_GX_VAR_SUPPORT.
* src/sfnt/sfdriver.c (ROTL32): New macro.
(fmix32, murmur_hash_3_128): New functions.
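Added example, not FreeType's code: a stand-alone reconstruction of the 128-bit MurmurHash3 (the x86 128-bit variant of Austin Appleby's public-domain algorithm) under the names the entry above lists, `ROTL32', `fmix32', `murmur_hash_3_128' and a `hexdigits' table, together with a hex encoder of the kind needed when a variation-instance PS name built per TechNote 5902 is too long and has to be replaced by a hash. Assumptions of mine: input words are assembled in little-endian byte order on every host (the reference implementation reads native order), the output is hex-encoded in little-endian byte order, and the sample name is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ROTL32( x, r )  ( ( (x) << (r) ) | ( (x) >> ( 32 - (r) ) ) )

/* Final avalanche step of MurmurHash3. */
static uint32_t fmix32( uint32_t h )
{
  h ^= h >> 16;  h *= 0x85EBCA6BU;
  h ^= h >> 13;  h *= 0xC2B2AE35U;
  h ^= h >> 16;
  return h;
}

/* Assemble a 32-bit word in little-endian byte order (assumption, see lead-in). */
static uint32_t getblock32( const uint8_t*  p )
{
  return (uint32_t)p[0] | ( (uint32_t)p[1] << 8 ) |
         ( (uint32_t)p[2] << 16 ) | ( (uint32_t)p[3] << 24 );
}

/* MurmurHash3_x86_128: `len' bytes of `key' with `seed' into four words. */
void murmur_hash_3_128( const void*  key, size_t  len, uint32_t  seed, uint32_t  out[4] )
{
  const uint8_t*  data    = (const uint8_t*)key;
  const size_t    nblocks = len / 16;
  const uint8_t*  tail    = data + nblocks * 16;
  uint32_t        h1 = seed, h2 = seed, h3 = seed, h4 = seed;
  const uint32_t  c1 = 0x239B961BU, c2 = 0xAB0E9789U,
                  c3 = 0x38B34AE5U, c4 = 0xA1E38B93U;
  uint32_t        k1 = 0, k2 = 0, k3 = 0, k4 = 0;
  size_t          i;

  for ( i = 0; i < nblocks; i++ )          /* body: full 16-byte blocks */
  {
    const uint8_t*  b = data + i * 16;
    k1 = getblock32( b );     k2 = getblock32( b + 4 );
    k3 = getblock32( b + 8 ); k4 = getblock32( b + 12 );

    k1 *= c1; k1 = ROTL32( k1, 15 ); k1 *= c2; h1 ^= k1;
    h1 = ROTL32( h1, 19 ); h1 += h2; h1 = h1 * 5 + 0x561CCD1BU;
    k2 *= c2; k2 = ROTL32( k2, 16 ); k2 *= c3; h2 ^= k2;
    h2 = ROTL32( h2, 17 ); h2 += h3; h2 = h2 * 5 + 0x0BCAA747U;
    k3 *= c3; k3 = ROTL32( k3, 17 ); k3 *= c4; h3 ^= k3;
    h3 = ROTL32( h3, 15 ); h3 += h4; h3 = h3 * 5 + 0x96CD1C35U;
    k4 *= c4; k4 = ROTL32( k4, 18 ); k4 *= c1; h4 ^= k4;
    h4 = ROTL32( h4, 13 ); h4 += h1; h4 = h4 * 5 + 0x32AC3B17U;
  }

  k1 = k2 = k3 = k4 = 0;                   /* tail: remaining 1..15 bytes, fall-through on purpose */
  switch ( len & 15 )
  {
  case 15: k4 ^= (uint32_t)tail[14] << 16;
  case 14: k4 ^= (uint32_t)tail[13] << 8;
  case 13: k4 ^= (uint32_t)tail[12];
           k4 *= c4; k4 = ROTL32( k4, 18 ); k4 *= c1; h4 ^= k4;
  case 12: k3 ^= (uint32_t)tail[11] << 24;
  case 11: k3 ^= (uint32_t)tail[10] << 16;
  case 10: k3 ^= (uint32_t)tail[9] << 8;
  case  9: k3 ^= (uint32_t)tail[8];
           k3 *= c3; k3 = ROTL32( k3, 17 ); k3 *= c4; h3 ^= k3;
  case  8: k2 ^= (uint32_t)tail[7] << 24;
  case  7: k2 ^= (uint32_t)tail[6] << 16;
  case  6: k2 ^= (uint32_t)tail[5] << 8;
  case  5: k2 ^= (uint32_t)tail[4];
           k2 *= c2; k2 = ROTL32( k2, 16 ); k2 *= c3; h2 ^= k2;
  case  4: k1 ^= (uint32_t)tail[3] << 24;
  case  3: k1 ^= (uint32_t)tail[2] << 16;
  case  2: k1 ^= (uint32_t)tail[1] << 8;
  case  1: k1 ^= (uint32_t)tail[0];
           k1 *= c1; k1 = ROTL32( k1, 15 ); k1 *= c2; h1 ^= k1;
  }

  h1 ^= (uint32_t)len; h2 ^= (uint32_t)len;   /* finalization */
  h3 ^= (uint32_t)len; h4 ^= (uint32_t)len;
  h1 += h2; h1 += h3; h1 += h4;  h2 += h1; h3 += h1; h4 += h1;
  h1 = fmix32( h1 ); h2 = fmix32( h2 ); h3 = fmix32( h3 ); h4 = fmix32( h4 );
  h1 += h2; h1 += h3; h1 += h4;  h2 += h1; h3 += h1; h4 += h1;

  out[0] = h1; out[1] = h2; out[2] = h3; out[3] = h4;
}

static const char  hexdigits[] = "0123456789abcdef";

/* 32 lowercase hex characters plus NUL; byte order is my choice (little-endian words). */
void hash_to_hex( const uint32_t  h[4], char  out[33] )
{
  int  i;
  for ( i = 0; i < 16; i++ )
  {
    uint8_t  byte = (uint8_t)( h[i / 4] >> ( 8 * ( i % 4 ) ) );
    out[2 * i]     = hexdigits[byte >> 4];
    out[2 * i + 1] = hexdigits[byte & 15];
  }
  out[32] = '\0';
}

/* Convenience: hash a NUL-terminated string and return its hex form. */
char*  hash_hex_string( const char*  s, uint32_t  seed, char  out[33] )
{
  uint32_t  h[4];
  murmur_hash_3_128( s, strlen( s ), seed, h );
  hash_to_hex( h, out );
  return out;
}

int main( void )
{
  char  hex[33];
  /* constructed sample of a TechNote-5902-style instance name */
  printf( "%s\n", hash_hex_string( "FamilyName_400wght_100wdth", 0, hex ) );
  return 0;
}
```

With seed 0 and empty input every lane stays zero through the mixing and `fmix32' maps 0 to 0, so the empty string hashes to all zeros; that is the one vector asserted below that needs no external reference, the other checks only confirm that input and seed both influence the result.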
* include/freetype/internal/services/svmm.h (FT_Get_Var_Blend_Func):
Add `normalizedcoords' argument.
* src/truetype/ttgxvar.h (GX_BlendRec): Add `coords' field to store
the design coordinates of the current instance.
Updated.
* src/truetype/ttgxvar.c (TT_Set_MM_Blend): Move functionality to...
(tt_set_mm_blend): ... New function.
Convert data in `normalizedcoords' array to `coords' array on
demand.
(TT_Set_Var_Design): Store argument data in `coords' array.
(TT_Get_Var_Design): Get data from `coords' array.
(tt_get_var_blend): Updated.
(tt_done_blend): Updated.
* src/cff/cffload.c, src/cff/cffload.h (cff_get_var_blend): Updated.
* src/cff/cf2ft.c (cf2_getNormalizedVector): Updated.
* src/cff/cffobjs.c (cff_face_init): Updated.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=759
* src/sfnt/sfobjs.c (sfnt_init_face): While setting the number of
instances to zero for fonts with a `CFF' table, ensure that there is
no `CFF2' table present also (which gets priority).
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=738
* src/sfnt/sfobjs.c (sfnt_init_face): While setting the number of
instances to zero for fonts with a `CFF' table, ensure that there is
no `glyf' table present also (which gets priority).
As documented in the OpenType specification, an entry for the
default instance may be omitted in the named instance table. In
particular this means that even if there is no named instance table
in the font we actually do have a named instance, namely the default
instance.
For consistency, we always want the default instance in our list of
named instances. If it is missing, we try to synthesize it.
* src/sfnt/sfobjs.c (sfnt_init_face): Check whether the default
instance is in the table of named instances. Otherwise adjust
number of instances.
* src/truetype/ttgxvar.c: Include FT_TRUETYPE_IDS_H.
(TT_Get_MM_Var): Use `face->root.style_flags' as the number of named
instances.
Synthesize a named instance entry if necessary.
(tt_done_blend): Free `normalized_stylecoords'.