This is inspired by the discussion in and analysis of
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=859
* src/tools/ftfuzzer/ftfuzzer.cc (LLVMFuzzerTestOneInput): Use only
up to 20 face indices.
Use only up to 20 instance indices.
Everything is guarded with TT_CONFIG_OPTION_GX_VAR_SUPPORT.
* include/freetype/internal/tttypes.h (TT_FaceRec): New fields
`var_postscript_prefix' and `var_postscript_prefix_len'.
* src/sfnt/sfdriver.c: Include FT_TRUETYPE_IDS_H.
(sfnt_is_alphanumeric): New wrapper function for `ft_isalnum'.
(get_win_string, get_apple_string): Remove `const' from return
value.
(MAX_VALUE_DESCRIPTOR_LEN, MAX_PS_NAME_LEN): New macros.
(hexdigits): New array.
(sfnt_get_var_ps_name): New function, implementing Adobe TechNote
5902 to construct a PS name for a variation font instance.
(sfnt_get_ps_name): Call `sfnt_get_var_ps_name' for font instances.
* src/sfnt/sfobjs.c (sfnt_done_face): Updated.
* src/truetype/ttgxvar.c (tt_set_mm_blend): Reset
`face->postscript_name' to trigger recalculation for new instance
parameters.
Add 128bit MurmurHash 3 function.
Everything is guarded with TT_CONFIG_OPTION_GX_VAR_SUPPORT.
* src/sfnt/sfdriver.c (ROTL32): New macro.
(fmix32, murmur_hash_3_128): New functions.
* include/freetype/internal/services/svmm.h (FT_Get_Var_Blend_Func):
Add `normalizedcoords' argument.
* src/truetype/ttgxvar.h (GX_BlendRec): Add `coords' field to store
the design coordinates of the current instance.
Updated.
* src/truetype/ttgxvar.c (TT_Set_MM_Blend): Move functionality to...
(tt_set_mm_blend): ... New function.
Convert data in `normalizedcoords' array to `coords' array on
demand.
(TT_Set_Var_Design): Store argument data in `coords' array.
(TT_Get_Var_Design): Get data from `coords' array.
(tt_get_var_blend): Updated.
(tt_done_blend): Updated.
* src/cff/cffload.c, src/cff/cffload.h (cff_get_var_blend): Updated.
* src/cff/cf2ft.c (cf2_getNormalizedVector): Updated.
* src/cff/cffobjs.c (cff_face_init): Updated.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=759
* src/sfnt/sfobjs.c (sfnt_init_face): While setting number of
instances to zero for `CFF' fonts table, ensure that there is no
`CFF2' present also (which gets priority).
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=738
* src/sfnt/sfobjs.c (sfnt_init_face): While setting number of
instances to zero for `CFF' fonts table, ensure that there is no `glyf'
present also (which gets priority).
As documented in the OpenType specification, an entry for the
default instance may be omitted in the named instance table. In
particular this means that even if there is no named instance table
in the font we actually do have a named instance, namely the default
instance.
For consistency, we always want the default instance in our list of
named instances. If it is missing, we try to synthesize it.
* src/sfnt/sfobjs.c (sfnt_init_face): Check whether the default
instance is in the table of named instances. Otherwise adjust
number of instances.
* src/truetype/ttgxvar.c: Include FT_TRUETYPE_IDS_H.
(TT_Get_MM_Var): Use `face->root.style_flags' as the number of named
instances.
Synthesize a named instance entry if necessary.
(tt_done_blend): Free `normalized_stylecoords'.
* src/sfnt/sfdriver.c (sfnt_ps_map): New array.
(sfnt_is_postscript): New function.
(char_type_func): New typedef.
(get_win_string, get_apple_string): Add argument to specify
character checking function.
Add argument whether argument checking failures should be reported.
Update callers.
(search_name_id): Fix return value.
* src/sfnt/sfdriver.c (sfnt_get_ps_name): Split off some
functionality into...
(IS_WIN, IS_APPLE): ... New macros.
(get_win_string, get_apple_string): ... New functions.
We need this for support of the `random' operator.
* include/freetype/ftcffdrv.h (FT_PARAM_TAG_RANDOM_SEED): New macro.
* include/freetype/internal/ftobjs.h (FT_Face_InternalRec): New
field `random_seed'.
* src/cff/cffobjs.h (CFF_DriverRec): New field `random_seed'.
This commit provides the framework, to be filled with something
useful in the next commits.
* include/freetype/freetype.h (FT_Face_Properties): Declare.
* src/base/ftobjs.c (FT_Face_Properties): New function.
Problem reported as
https://github.com/google/fonts/issues/632
The font in question (Nunito) has values 705 and 713 for the
reference and overshoot values, respectively, of the first blue
zone. Blue zone 2, however, has value 710 for both the reference
and overshoot. At 12ppem, reference and overshoot of blue zone 0
becomes 8px, while blue zone 2 becomes 9px.
A peculiarity of this font is that the tops of isolated vertical
stems like `N' have a slight overshoot also. The auto-hinter tries
to find the nearest blue zone using the *original* coordinates. For
vertical stems, this is value 713. For normal horizontal tops like
in character `E', this is value 710. Since value 713 is mapped to
8px but value 710 to 9px, `N' and similar characters are one pixel
higher than `E', which looks very bad.
This commit sanitizes blue zones to avoid such a behaviour.
* src/autofit/aflatin.c (af_latin_sort_blue): New function.
(af_latin_metrics_init_blues): Sort blue values and remove overlaps.
* src/truetype/ttgxvar.h (GX_HVarTable): Renamed to...
(GX_HVVarTable): ...This.
(GX_Blend): Add fields for `VVAR' table handling.
Other minor updates.
* src/truetype/ttgxvar.c (ft_var_load_hvar): Renamed to...
(ft_var_load_hvvar): ...This.
Handle VVAR loading also (controlled by an additional parameter).
(tt_hadvance_adjust): Renamed to...
(tt_hvadvance_adjust): ...This.
Handle application of advance height also (controlled by an
additional parameter).
(tt_hadvance_adjust, tt_vadvance_adjust): Wrappers for
`tt_hvadvance_adjust'.
* src/truetype/ttdriver.c (tt_service_metrics_variations): Updated.
The number of lowercase characters for computing the top flat blue
zone value was too small (in most cases only `x' and `z'). If one
of the two characters has a large serif, say, it can happen that
FreeType must select between two different values, having a 50%
chance to use the wrong one. As a result, rendering at larger PPEM
values could yield uneven lowercase glyph heights.
Problem reported by Christoph Koeberlin <christoph@koe.berlin>.
* src/autofit/afblue.dat (AF_BLUE_STRING_LATIN_SMALL): Replaced
with...
(AF_BLUE_STRING_LATIN_SMALL_TOP, AF_BLUE_STRING_LATIN_SMALL_BOTTOM):
... New, extended sets.
(AF_BLUE_STRINGSET_LATN): Updated.
* src/autofit/afblue.c, src/autofit/afblue.h: Regenerated.
Only now I've got an OTF with an HVAR table for testing...
The code in `ftmm.c' uses `FT_FACE_LOOKUP_SERVICE' to get the
metrics variations interface. However, this didn't work with
`FT_FACE_FIND_GLOBAL_SERVICE' used in `sfnt_init_face'.
* src/cff/cffdrivr.c: Include FT_SERVICE_METRICS_VARIATIONS_H.
(cff_hadvance_adjust, cff_metrics_adjust): Wrapper functions for
metric service functions from the `truetype' module.
(cff_service_metrics_variations): New service.
(cff_services): Updated.
* src/cff/cffpic.h (CFF_SERVICE_METRICS_VAR_GET): New macro.
[FT_CONFIG_OPTION_PIC]: Synchronize code.
* src/sfnt/sfobjs.c (sfnt_init_face): Replace call to
FT_FACE_FIND_GLOBAL_SERVICE with `ft_module_get_service' to always
load the service from the `truetype' module.
* include/freetype/internal/tttypes.h (TT_LangTagRec): New
structure.
(TT_NameTableRec): Add fields `numLangTagRecords' and `langTags'.
* src/sfnt/ttload.c (tt_face_load_name): Add support for language
tags.
Reduce array size of name strings in case of invalid entries.
(tt_face_free_name): Updated.
* docs/CHANGES: Updated.
* src/truetype/ttgxvar.h (GX_MVarTable): `axisCount' has been
removed from the specification; it is now reserved.
* src/truetype/ttgxvar.c (ft_var_load_mvar): Updated.
(GX_FVar_Head): Remove `countSizePairs'; the corresponding data
field in the `MVAR' table is now reserved.
(fvar_fields): Updated.
* src/base/ftmm.c: Include FT_SERVICE_METRICS_VARIATIONS_H.
(ft_face_get_mvar_service): New auxiliary function to look up
metrics variation service.
(FT_Set_Var_Design_Coordinates, FT_Set_MM_Blend_Coordinates,
FT_Set_Var_Blend_Coordinates): Call metrics variation service.
* src/truetype/ttobjs.c (tt_face_init): Use metrics variations for
named instances.
* src/truetype/ttgxvar.h (MVAR_TAG_XXX): New macros for MVAR tags.
(GX_Value, GX_MVarTable): New structures.
(GX_Blend): Add it.
* src/truetype/ttgxvar.c (GX_VALUE_SIZE, GX_VALUE_CASE,
GX_GASP_CASE): New macros.
(ft_var_get_value_pointer): New auxiliary function to get a pointer
to a value from various SFNT tables already stored in `TT_Face'.
(ft_var_load_mvar): New function.
(TT_Get_MM_Var): Call it.
(tt_done_blend): Updated.
* src/truetype/ttobjs.c (tt_size_reset): Add argument to make
function only recompute ascender, descender, and height.
* src/truetype/ttobjs.h: Updated.
* src/truetype/ttdriver.c (tt_size_select, tt_size_request):
Updated.
The change from 2016-09-29 was too radical (except for people using
the openSuSE GNU/Linux distribution). To ameliorate the situation,
PCF_CONFIG_OPTION_LONG_FAMILY_NAMES gets introduced which controls
the feature; if set, a new PCF property option
`no-long-family-names' can be used to switch this feature off.
* include/freetype/config/ftoption.h, devel/ftoption.h
(PCF_CONFIG_OPTION_LONG_FAMILY_NAMES): New option.
* include/freetype/ftpcfdrv.h: New header file (only containing
comments currently, used for building the documentation).
* include/freetype/config/ftheader.h (FT_PCF_DRIVER_H): New macro.
* src/pcf/pcf.h (PCF_Driver): Add `no_long_family_names' field.
* src/pcf/pcfdrivr.c: Include FT_SERVICE_PROPERTIES_H and
FT_PCF_DRIVER_H.
(pcf_property_set, pcf_property_get): New functions.
(pcf_service_properties): New service.
(pcf_services): Updated.
(pcf_driver_init) [PCF_CONFIG_OPTION_LONG_FAMILY_NAMES]: Handle
`no_long_family_names'.
* src/pcf/pcfread.c (pcf_load_font): Handle `no_long_family_names'
and PCF_CONFIG_OPTION_LONG_FAMILY_NAMES.
* docs/CHANGES: Updated.
To be filled later on with something useful.
* src/pcf/pcf.h (PCF_Driver): New structure.
* src/pcf/pcfdrivr.c (pcf_driver_init, pcf_driver_done): New dummy
functions.
(pcf_driver_class): Updated.
We need this later on for MVAR also.
* src/truetype/ttgxvar.c (tt_hadvance_adjust): Split off computing
an item store variation delta into...
(ft_var_get_item_delta): ...new function.
* include/freetype/internal/tttypes.h (TT_FACE_FLAG_VAR_XXX):
Remove all flags related to MVAR; replace it with...
(TT_FACE_FLAG_VAR_MVAR): ...this new macro.
(TT_Face): Remove `mvar_support' field (which was still unused).
We need this later on for MVAR also.
* src/truetype/ttgxvar.c (tt_done_blend): Split off handling of item
variation store into...
(ft_var_done_item_variation_store): ...new function.
We need this later on for MVAR also.
* src/truetype/ttgxvar.c (ft_var_load_delta_set_index_mapping): Add
parameters for delta-set index mapping and item variation store.
(ft_var_load_item_variation_store): Add parameter for item variation
store.
s/hvarData/varData/.
Move allocation of `hvar_table' to...
(ft_var_load_hvar): ...this function.
Updated.
* src/truetype/ttgxvar.c (): Split off loading of item variation
store and delta set index mapping into...
(ft_var_load_item_variation_store,
ft_var_load_delta_set_index_mapping): ... new functions.
* src/truetype/ttgxvar.c (ft_var_load_hvar): Handle case where
`offsetToAdvanceWidthMapping' is zero.
(tt_hadvance_adjust): Implement direct deltaSet access by glyph
index.
This commit improves tracing and handling of malformed fonts. In
particular, the changes to `pcf_get_properties' fix
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=379
* src/pcf/pcfread.c (tableNames): Use long names for better
readability.
(pcf_read_TOC): Allow at most 9 tables.
(pcf_get_properties): Allow at most 256 properties.
Limit strings array length to 256 * (65536 + 1) bytes.
Better tracing.
(pcf_get_metric): Trace metric data.
(pcf_get_metrics): Allow at most 65536 metrics.
Fix comparison of `metrics->ascent' and `metrics->descent' to avoid
potential overflow.
Better tracing.
(pcf_get_bitmaps): Allow at most 65536 bitmaps.
Better tracing.
(pcf_get_encodings, pcf_get_accel): Better tracing.
* src/pcf/pcfdrivr.c (PCF_Glyph_Load): Don't trace `format' details.
These are now shown by `pcf_get_bitmaps'.
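
The count limits listed in the entry above (at most 256 properties, strings array of at most 256 * (65536 + 1) bytes) can be illustrated as follows. This is an added example, not FreeType's code: the record layout (9-byte records padded to 4 bytes, little-endian fields), `check_props', the error codes and the sample bytes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_PROPS       256u                    /* cap named in the entry */
#define MAX_STRINGS_LEN (256u * (65536u + 1u))  /* cap named in the entry */
#define REC_SIZE        9u  /* assumed record: name offset, isString, value */

enum { PROPS_OK, PROPS_TRUNCATED, PROPS_TOO_MANY, PROPS_STRINGS_TOO_BIG,
       PROPS_BAD_OFFSET };

/* Constructed sample: 1 property, name "FONT", string value "abc". */
static const uint8_t sample_props[29] = {
  1,0,0,0,  0,0,0,0, 1, 5,0,0,0,  0,0,0,   /* count, record, padding */
  9,0,0,0,  'F','O','N','T',0, 'a','b','c',0 };  /* strings size, strings */

/* Little-endian 32-bit read, byte by byte (no alignment requirement). */
static uint32_t rd32(const uint8_t *p)
{
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
         ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical validator: every count is checked against its fixed cap and
   against the bytes really present before it is used as a size or index. */
int check_props(const uint8_t *buf, size_t len)
{
  uint32_t nprops, str_size, i;
  size_t   recs, pos;

  if (len < 4) return PROPS_TRUNCATED;
  nprops = rd32(buf);
  if (nprops > MAX_PROPS) return PROPS_TOO_MANY;
  recs = ((size_t)nprops * REC_SIZE + 3) & ~(size_t)3;  /* padded to 4 */
  if (len - 4 < recs + 4) return PROPS_TRUNCATED;
  pos = 4 + recs;
  str_size = rd32(buf + pos);
  pos += 4;
  if (str_size > MAX_STRINGS_LEN) return PROPS_STRINGS_TOO_BIG;
  if (len - pos < str_size) return PROPS_TRUNCATED;
  for (i = 0; i < nprops; i++) {
    const uint8_t *r = buf + 4 + (size_t)i * REC_SIZE;
    if (rd32(r) >= str_size) return PROPS_BAD_OFFSET;          /* name */
    if (r[4] && rd32(r + 5) >= str_size) return PROPS_BAD_OFFSET;
  }
  /* A final NUL makes every in-range offset a terminated string. */
  if (nprops && buf[pos + str_size - 1] != 0) return PROPS_BAD_OFFSET;
  return PROPS_OK;
}

int main(void) { return check_props(sample_props, sizeof sample_props); }
```
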
* src/truetype/ttgload.c (TT_Load_Simple_Glyph): Check instruction
size only if we do native hinting.
(TT_Load_Glyph): Trace returned error code.
* src/truetype/ttobjs.c (tt_size_run_fpgm, tt_size_run_prep): Trace
returned error code.
(tt_size_ready_bytecode): Don't run `prep' table if `fpgm' table is
invalid.
* src/cff/cffload.c (FT_fdot14ToFixed): Fix casting.
(cff_blend_doBlend): Don't left-shift negative numbers.
Handle 5-byte numbers byte by byte to avoid alignment issues.
* src/cff/cffparse.c (cff_parse): Handle 5-byte numbers byte by byte
to avoid alignment issues.
* src/cid/cidload (cid_read_subrs): Do nothing if we don't have any
subrs.
* src/psaux/t1decode.c (t1_decode_parse_charstring): Fix tracing.
* src/tools/glnames.py (main): Put `DEFINE_PSTABLES' guard around
definition of `ft_get_adobe_glyph_index'.
* src/psnames/pstables.h: Regenerated.
* src/psnames/psmodule.c: Include `pstables.h' twice to get both
declaration and definition.
* src/truetype/ttgxvar.c (FT_fdot14ToFixed, FT_intToFixed): Fix
casting.
Without this patch, requesting information for face index N returned
the data for face index N+1 (or index 0).
* src/sfnt/sfobjs.c (sfnt_init_face): Correctly adjust `face_index'
for negative `face_instance_index' values.
Malformed fonts often have large values for the number of bitmap
strikes, and FreeType doesn't check the validity of all bitmap
strikes in advance.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=353
* src/tools/ftfuzzer/ftfuzzer.cc: Include `stdlib.h' for `rand'.
(Random): Small class to provide n randomly selected numbers
(without repetition) out of the value set [0,N].
(LLVMFuzzerTestOneInput): Use it to test only up to 10 bitmap
strikes.
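
One way to bound the per-input work of a fuzz harness as the entry above describes, selecting at most 10 distinct strike indices no matter how large a count the font claims. This is an added example in C, not the `Random' class from ftfuzzer.cc: `pick_strikes', `rand_upto' and the use of Floyd's sampling algorithm over [0, count-1] are assumptions made for the illustration.

```c
#include <stdlib.h>

#define MAX_PICKS 10   /* the entry tests only up to 10 bitmap strikes */

/* Value in [0, hi], hi >= 0; two rand() calls are mixed so that counts
   above RAND_MAX are still reachable.  Good enough for a fuzz harness. */
static long rand_upto(long hi)
{
  unsigned long r = ((unsigned long)rand() << 15) ^ (unsigned long)rand();

  return (long)(r % ((unsigned long)hi + 1));
}

/* Floyd's sampling: write min(n, MAX_PICKS, count) distinct indices from
   [0, count-1] to `out' without allocating anything sized by `count',
   which comes from the untrusted font.  Returns the number written. */
int pick_strikes(long count, int n, long out[MAX_PICKS])
{
  int  k = 0, i;
  long j;

  if (count <= 0 || n <= 0) return 0;
  if (n > MAX_PICKS) n = MAX_PICKS;
  if (n > count)     n = (int)count;

  for (j = count - n; j < count; j++) {
    long t = rand_upto(j);

    /* If t was already chosen, take j instead; j is larger than every
       value picked so far, so it cannot be a duplicate. */
    for (i = 0; i < k; i++)
      if (out[i] == t) { t = j; break; }
    out[k++] = t;
  }
  return k;
}

int main(void)
{
  long o[MAX_PICKS];

  return pick_strikes(1000000L, MAX_PICKS, o) == MAX_PICKS ? 0 : 1;
}
```
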
Make some functions work before a call to `TT_Set_MM_Blend'.
* src/truetype/ttgxvar.c (tt_hadvance_adjust): Exit immediately if
we don't blend.
(TT_Get_MM_Blend, TT_Get_Var_Design): Return default values if we
don't blend.