Malformed fonts often have large values for the number of bitmap
strikes, and FreeType doesn't check the validity of all bitmap
strikes in advance.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=353
* src/tools/ftfuzzer/ftfuzzer.cc: Include `stdlib.h' for `rand'.
(Random): Small class to provide n randomly selected numbers
(without repetition) out of the value set [0,N].
(LLVMFuzzerTestOneInput): Use it to test only up to 10 bitmap
strikes.
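A stand-alone illustration of the strike-sampling idea described above (added here; not the code from `ftfuzzer.cc'): `Random' draws `n' distinct indices from [0, N] with a partial Fisher-Yates shuffle, and `strikes_to_test' caps one fuzz iteration at `max_strikes' strikes no matter how many a malformed font declares. The class layout, the helper names, and the fixed seed are assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <random>
#include <vector>

// Draw `n` distinct values from the inclusive range [0, N] (all of them if
// n > N).  A partial Fisher-Yates shuffle guarantees no repetition.
class Random
{
public:
  Random( std::size_t n, std::size_t N )
  {
    pool_.resize( N + 1 );
    for ( std::size_t i = 0; i <= N; i++ )
      pool_[i] = i;

    std::size_t  count = std::min( n, N + 1 );
    std::mt19937 rng( 0x46540000u );  // fixed seed: reproducible runs (assumption)
    for ( std::size_t i = 0; i < count; i++ )
    {
      std::uniform_int_distribution<std::size_t> pick( i, N );
      std::swap( pool_[i], pool_[pick( rng )] );
    }
    pool_.resize( count );
  }

  const std::vector<std::size_t>& values() const { return pool_; }

private:
  std::vector<std::size_t> pool_;
};

// Bound the strikes one fuzz iteration visits: at most `max_strikes` distinct
// indices out of `num_fixed_sizes`, however large a malformed font makes it.
std::vector<std::size_t>
strikes_to_test( std::size_t num_fixed_sizes, std::size_t max_strikes )
{
  if ( num_fixed_sizes == 0 || max_strikes == 0 )
    return {};
  return Random( max_strikes, num_fixed_sizes - 1 ).values();
}

// Check helper: every chosen index is unique and below `num_fixed_sizes`.
bool
strikes_are_valid( std::vector<std::size_t> v, std::size_t num_fixed_sizes )
{
  std::sort( v.begin(), v.end() );
  return std::unique( v.begin(), v.end() ) == v.end()
         && ( v.empty() || v.back() < num_fixed_sizes );
}
```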
Make some functions work before a call to `TT_Set_MM_Blend'.
* src/truetype/ttgxvar.c (tt_hadvance_adjust): Exit immediately if
we don't blend.
(TT_Get_MM_Blend, TT_Get_Var_Design): Return default values if we
don't blend.
Pdfium includes `pstables.h' a second time; moving the definition
from `pstables.h' to `psmodule.c' saves more than 60kByte data
segment space for this case.
* src/tools/glnames.py (StringTable::dump,
StringTable::dump_sublist, dump_encoding, dump_array): Emit
additional code to only define tables if `DEFINE_PS_TABLES' is set.
* src/psnames/pstables.h: Regenerated.
* src/psnames/psmodule.c (DEFINE_PS_TABLES): Define.
* src/cff/cffdrivr.c: Don't include
`FT_SERVICE_METRICS_VARIATIONS_H'.
(cff_get_advances): Use `ttface->variation_support'.
* src/truetype/ttdriver.c (tt_get_advances): Use
`ttface->variation_support'.
* src/truetype/ttgload.c (TT_Process_Simple_Glyph,
load_truetype_glyph): Use `ttface->variation_support'.
* include/freetype/internal/tttypes.h (TT_FACE_FLAG_VAR_XXX):
New macros describing available functionality of various OpenType
tables related to font variation.
(TT_Face): New fields `variation_support' and `mvar_support',
replacing and extending `use_fvar'.
* src/sfnt/sfobjs.c (sfnt_init_face, sfnt_load_face): Use
`variation_support'.
* src/truetype/ttgxvar.c (ft_var_load_hvar): Set `variation_support'
field.
(TT_Vary_Apply_Glyph_Deltas): Updated.
* src/cff/cffdrivr.c (cff_get_advances), src/truetype/ttdriver.c
(tt_get_advances): Use `is_default_instance' for test; this gets
recomputed after changing blend coordinates.
When asking for an unhinted non-default variation,
`linearVertAdvance' is currently the value from the `hmtx' table
instead of the actual value after applying the variation. `HVAR'
support fixes this, but fonts will exist without that table and will
need sane fallback.
* src/truetype/ttgload.c (TT_Process_Simple_Glyph,
load_truetype_glyph): Implement linear advance adjustments if `HVAR'
or `VVAR' tables are missing.
Everything is guarded with TT_CONFIG_OPTION_GX_VAR_SUPPORT.
* src/base/ftadvanc.c (LOAD_ADVANCE_FAST_CHECK): Don't handle MM.
* src/cff/cffdrivr.c: Include FT_SERVICE_METRICS_VARIATIONS_H.
(cff_get_advances): Test for HVAR and VVAR.
* src/truetype/ttdriver.c (tt_get_advances): Test for HVAR and VVAR.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=304
* src/base/ftobjs.c (FT_Open_Face): Code moved to...
(ft_open_face_internal): ... this function.
Add a parameter to control whether we try special Mac font handling
in case of failure.
(FT_Open_Face, FT_New_Face, FT_New_Memory_Face,
open_face_from_buffer): Use `ft_open_face_internal'.
In particular, we need access to named instance data.
* include/freetype/internal/services/svmm.h (FT_Get_Var_Blend_Func):
Add argument for `FT_MM_Var'.
* src/cff/cffload.c (cff_get_var_blend): Updated.
* src/cff/cffload.h: Updated.
* src/cff/cf2ft.c (cf2_getNormalizedVector): Updated.
* src/truetype/ttgxvar.c (tt_get_var_blend): Updated.
Accept value `NULL' for arguments.
* src/truetype/ttgxvar.h: Updated.
This is better behaviour than exiting with an error.
* include/freetype/internal/tttypes.h (TT_Face): Add `use_fvar'
field.
* src/sfnt/sfobjs.c (sfnt_init_face): Compute `use_fvar', also
updating the validation code.
Use `use_fvar' to compute FT_FACE_FLAG_MULTIPLE_MASTERS.
* src/truetype/ttgxvar.c (TT_Get_MM_Var): Remove `fvar' validation
code.
* include/freetype/internal/tttypes.h (TT_Face): Move
`is_default_instance' into TT_CONFIG_OPTION_GX_VAR_SUPPORT
block.
* src/sfnt/sfobjs.c (sfnt_init_face): Updated.
* src/truetype/ttgload.c (IS_DEFAULT_INSTANCE): New macro.
(TT_Load_Glyph): Use it.
* src/sfnt/sfobjs.c (sfnt_init_face): If the axis count in `fvar' is
zero, set `num_instances' to zero.
* src/truetype/ttgxvar.c (TT_Get_MM_Var): Handle `fvar' table with
zero axes as invalid.
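An added example (not FreeType's `sfobjs.c' or `ttgxvar.c' code) of the zero-axes rule in the two entries above, written against the 16-byte OpenType `fvar' header: a table declaring zero axes is rejected and the face reports zero named instances. The record bounds check and the constructed `make_fvar' header bytes are assumptions that go beyond the ChangeLog text.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

struct FvarInfo { bool valid; uint16_t axis_count; uint16_t instance_count; };

static uint16_t read_u16( const std::vector<uint8_t>& t, std::size_t o )
{
  return (uint16_t)( ( t[o] << 8 ) | t[o + 1] );   // big-endian field
}

// Validate the 16-byte `fvar' header.  A zero axis count makes the table
// invalid, and `instance_count` then stays 0 for the face.
FvarInfo parse_fvar( const std::vector<uint8_t>& table )
{
  FvarInfo info = { false, 0, 0 };
  if ( table.size() < 16 )                  // header truncated
    return info;

  uint16_t axes_offset    = read_u16( table, 4 );
  uint16_t axis_count     = read_u16( table, 8 );
  uint16_t axis_size      = read_u16( table, 10 );
  uint16_t instance_count = read_u16( table, 12 );
  uint16_t instance_size  = read_u16( table, 14 );

  if ( axis_count == 0 )                    // zero axes: reject whole table
    return info;

  // 64-bit arithmetic so oversized counts cannot wrap the bounds check.
  uint64_t need = (uint64_t)axes_offset
                  + (uint64_t)axis_count * axis_size
                  + (uint64_t)instance_count * instance_size;
  if ( need > table.size() )                // records run past the table
    return info;

  info.valid          = true;
  info.axis_count     = axis_count;
  info.instance_count = instance_count;
  return info;
}

// Constructed header bytes (not from a real font); `pad` zero bytes follow
// the header, standing in for 20-byte axis and (4*axes+4)-byte instance records.
std::vector<uint8_t> make_fvar( uint16_t axes, uint16_t instances, std::size_t pad )
{
  uint16_t f[8] = { 1, 0, 16, 2, axes, 20, instances, (uint16_t)( 4 * axes + 4 ) };
  std::vector<uint8_t> t( 16 + pad, 0 );
  for ( int i = 0; i < 8; i++ )
    t[2 * i] = (uint8_t)( f[i] >> 8 ), t[2 * i + 1] = (uint8_t)f[i];
  return t;
}
```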
* src/truetype/ttobjs.c (tt_face_init): Improve logic of loading
`loca', `cvt', `fpgm', and `prep' table.
* src/base/ftobjs.c (FT_Open_Face): Return info on number of
available faces and numbered instances, or the indices of the
requested face and numbered instance.
* src/sfnt/sfobjs.c (sfnt_open_font): Trace number of subfonts.
* src/cff/cf2font.h: Include `cffload.h'.
* src/cff/cffload.c: Include FT_MULTIPLE_MASTERS_H and
FT_SERVICE_MULTIPLE_MASTERS_H.
(cff_vstore_load): Eliminate `vsSize'.
(cff_load_private_dict): Tag as `FT_LOCAL_DEF'.
* src/cff/cffload.h: Include `cffobjs.h'.
Provide declaration for `cff_load_private_dict'.
* src/truetype/ttgxvar.c (ft_var_load_hvar): Eliminate
`minorVersion' and `map_offset'.
The font variation code. All parts dependent on the GX code in the
`truetype' module are guarded with TT_CONFIG_OPTION_GX_VAR_SUPPORT.
In other words, you can still compile the `cff' module without
defining TT_CONFIG_OPTION_GX_VAR_SUPPORT (which brings you CFF2
support without font variation).
* src/cff/cf2font.c (cf2_font_setup): Add support for font
variation.
* src/cff/cf2font.h (CF2_Font): Add fields for variation data.
* src/cff/cf2ft.c (cf2_free_instance): Free blend data.
(cf2_getVStore, cf2_getNormalizedVector): New functions.
* src/cff/cf2ft.h: Updated.
* src/cff/cf2intrp.c: Include `cffload.h'.
(cf2_cmdRESERVED_15, cf2_cmdRESERVED_16): Replace with...
(cf2_cmdVSINDEX, cf2_cmdBLEND): ... these new enum values.
(cf2_doBlend): New function.
(cf2_interpT2CharString): Handle `vsindex' and `blend' opcodes.
* src/cff/cffload.c (FT_fdot14ToFixed): New macro.
(cff_vstore_done, cff_vstore_load): New functions.
(cff_blend_clear, cff_blend_doBlend, cff_blend_build_vector,
cff_blend_check_vector): New functions.
(cff_load_private_dict): Add arguments for blend vector.
Handle blend data.
(cff_subfont_load, cff_subfont_done): Updated.
(cff_font_load): Handle CFF2 variation store data.
(cff_font_done): Updated.
* src/cff/cffload.h: Include `cffparse.h'.
Updated.
* src/cff/cffobjs.c (cff_face_done): Updated.
* src/cff/cffparse.c: Include `cffload.h'.
(cff_parse_num): Handle internal value 255.
(cff_parse_vsindex, cff_parse_blend): New functions.
(CFF_FIELD_BLEND): New macro.
(cff_parser_run): Updated.
* src/cff/cffparse.h (cff_kind_blend): New enum value.
* src/cff/cfftoken.h: Handle `vstore', `vsindex', and `blend'
dictionary values.
* src/cff/cfftypes.h (CFF_VarData, CFF_AxisCoords, CFF_VarRegion,
CFF_VStore, CFF_Blend): New structures.
(CFF_FontRecDict): Add `vstore_offset' field.
(CFF_Private): Add `vsindex' field.
(CFF_SubFont): Add fields for blend data.
(CFF_Font): Add `vstore' field.
* src/truetype/ttgxvar.c (TT_Get_MM_Var): `CFF2' is equal to `gvar',
since glyph variation data is directly embedded.
(TT_Set_MM_Blend): Don't load `gvar' table for CFF2 fonts.