Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=981
* include/freetype/fterrdef.h (FT_Err_DEF_In_Glyf_Bytecode): New
error code.
* src/truetype/ttinterp.c (Ins_FDEF, Ins_IDEF): Prohibit execution
of these two opcodes in `glyf' bytecode.
(TT_RunIns): Don't enforce reexecution of `fpgm' and `prep' bytecode
in case of error since function tables can no longer be modified
(due to the changes in `Ins_FDEF' and `Ins_IDEF'). This change can
enormously speed up handling of broken fonts.
* src/truetype/ttinterp.h (TT_ExecContextRec): Using `FT_ULong' for
loop counter handling.
* src/truetype/ttinterp.c: Updated.
(Ins_SCANTYPE): Use signed constant.
(TT_RunIns): Ensure `num_twilight_points' is 16bit.
This speeds up FreeType's handling of malformed fonts.
* src/truetype/ttinterp.c (TT_RunIns): Set up limits for the number
of twilight points, the total number of negative jumps, and the
total number of loops in LOOPCALL opcodes. The values are based on
the number of points and entries in the CVT table.
(Ins_JMPR): Test negative jump counter.
(Ins_LOOPCALL): Test loopcall counter.
* src/truetype/ttinterp.h (TT_ExecContext): Updated.
* docs/CHANGES: Updated.
To match the logic in FDEF. The value of the end is only used for
bound-checking in `Ins_JMPR', so it may not have been obvious that
it was not recorded. Tested (as part of Font Validator 2.0) all the
fonts on Fedora and did not see any change.
* src/truetype/ttinterp.c (Ins_IDEF): Updated.
GETDATA[], opcode 0x92
bytecode instruction. It always returns 17, and we have absolutely
no idea what it is good for...
* src/truetype/ttinterp.c (Pop_Push_Count, opcode_name): Updated.
(Ins_GETDATA): New function.
(TT_RunIns): Add it.
This commit implements undocumented (but confirmed) stuff from
Apple's old bytecode engine.
GETVARIATION[], opcode 0x91
This opcode pushes normalized variation coordinates for all axes
onto the stack (in 2.14 format). Coordinate of first axis gets
pushed first.
GETINFO[], selector bit 3
If GX variation support is enabled, bit 10 of the result is set
to 1.
* src/truetype/ttinterp.c: Include FT_MULTIPLE_MASTERS_H.
(opcode_name) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Updated.
(Ins_GETINFO) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Handle selector
bit 3, checking support for variation glyph hinting.
(Ins_GETVARIATION) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: New function
to implement opcode 0x91.
(TT_RunIns) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Handle opcode 0x91.
* src/truetype/ttinterp.c (Ins_SHPIX): Allow SHPIX to move points in
the twilight zone. Otherwise, treat SHPIX the same as DELTAP.
Unbreaks various fonts such as older versions of Rokkitt and DTL
Argo T Light that would glitch severly after calling ALIGNRP after a
blocked SHPIX.
=======================
Tag sources with `VER-2-6'.
* docs/VERSION.DLL: Update documentation and bump version number to
2.6.
* README, Jamfile (RefDoc), builds/windows/vc2005/freetype.vcproj,
builds/windows/vc2005/index.html,
builds/windows/vc2008/freetype.vcproj,
builds/windows/vc2008/index.html,
builds/windows/vc2010/freetype.vcxproj,
builds/windows/vc2010/index.html,
builds/windows/visualc/freetype.dsp,
builds/windows/visualc/freetype.vcproj,
builds/windows/visualc/index.html,
builds/windows/visualce/freetype.dsp,
builds/windows/visualce/freetype.vcproj,
builds/windows/visualce/index.html,
builds/wince/vc2005-ce/freetype.vcproj,
builds/wince/vc2005-ce/index.html,
builds/wince/vc2008-ce/freetype.vcproj,
builds/wince/vc2008-ce/index.html: s/2.5.5/2.6/, s/255/26/.
* include/freetype/freetype.h (FREETYPE_MINOR): Set to 6.
(FREETYPE_PATCH): Set to 0.
* builds/unix/configure.raw (version_info): Set to 18:0:12.
* CMakeLists.txt (VERSION_MINOR): Set to 0.
(VERSION_PATCH): Set to 6.
* src/autofit/afmodule.c [!FT_MAKE_OPTION_SINGLE_OBJECT]: Add
declarations for dumping functions.
* src/truetype/ttinterp.c (TT_New_Context): Pacify compiler.
* builds/toplevel.mk: Use `freetype.mk's code to compute the version
string.
Don't include a zero patch level in version string.
* builds/freetype.mk: Remove code for computing the version string.
* src/truetype/ttinterp.c: Change all existing TRACE7 calls to
TRACE6.
(opcode_name): Add string lengths.
(TT_RunIns): Implement display of code position and stack.
* src/truetype/ttgload.c, src/truetype/ttinterp.c: Guard new code
with `TT_CONFIG_OPTION_SUBPIXEL_HINTING'.
Problem reported by Nikolaus Waxweiler <madigens@gmail.com>.
This flag activates `native ClearType hinting', disabling backwards
compatibility mode as described in Greg Hitchcocks whitepaper. In
other words, it enables unrestricted functionality of all TrueType
instructions in ClearType.
* src/truetype/ttgload.c (tt_get_metrics): Call `sph_set_tweaks'
unconditionally.
(tt_loader_init): Unset `ignore_x_mode' flag if bit 2 of
`GS.instruct_control' is active.
* src/truetype/ttinterp.c (Ins_INSTCTRL): Handle selector index 3.
(Ins_GETINFO): Updated.
* docs/CHANGES: Document it.
Previously the code had stipulation for using a per-TT_Size exec
context if `size->debug' was true. But there was no way that
`size->debug' could *ever* be true. As such, the code was always
using the singleton `TT_ExecContext' that was stored in `TT_Driver'.
This was, clearly, not threadsafe.
With this patch, loading glyphs from different faces from different
threads doesn't crash in the bytecode loader code.
* src/truetype/ttobjs.h (TT_SizeRec): Remove `debug' member.
(TT_DriverRec): Remove `context' member.
* src/truetype/ttobjs.c (tt_size_run_fpgm, tt_size_run_prep): Remove
`TT_ExecContext' code related to a global `TT_Driver' object.
(tt_driver_done): Don't remove `TT_ExecContext' object here but ...
(tt_size_done_bytecode): ... here.
(tt_driver_init): Don't create `TT_ExecContext' object here but ...
(tt_size_init_bytecode): ... here, only on demand.
* src/truetype/ttinterp.c (TT_Run_Context): Remove defunct debug
code.
(TT_New_Context): Remove `TT_ExecContext' code related to a global
`TT_Driver' object.
* src/truetype/ttinterp.h: Updated.
* src/truetype/ttgload.c (TT_Hint_Glyph, tt_loader_init): Updated.
Werner Lemberg