* src/sfnt/ttsvg.c (SVG_TABLE_HEADER_SIZE, SVG_DOCUMENT_RECORD_SIZE,
SVG_DOCUMENT_LIST_MINIMUM_SIZE, SVG_MINIMUM_SIZE): New macros.
(tt_face_load_svg): Check offsets.
Check table and record sizes.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43918
* builds/unix/configure.raw: Check for 'librsvg'.
(LIB_CLOCK_GETTIME): Don't call `AC_SUBST` on this but on...
(FT_DEMO_CFLAGS, FT_DEMO_LDFLAGS): ... these two new variables.
* builds/unix/unix-cc.in (LIB_CLOCK_GETTIME): Replaced by...
(FT_DEMO_CFLAGS, FT_DEMO_LDFLAGS): ... these two new variables.
* include/freetype/config/ftheader.h (FT_OTSVG_H): New macro.
* include/freetype/freetype.h (FT_FACE_FLAG_SVG, FT_HAS_SVG): New macros.
(FT_LOAD_SVG_ONLY): New internal macro.
* include/freetype/ftimage.h (FT_Glyph_Format): New enumeration value
`FT_GLYPH_FORMAT_SVG`.
* include/freetype/internal/ftobjs.h (FT_GLYPH_OWN_GZIP_SVG): New macro.
* include/freetype/internal/fttrace.h: Add `ttsvg` for `ttsvg.c`.
* include/freetype/internal/sfnt.h(load_svg, free_svg, load_svg_doc): New
functions.
* include/freetype/internal/tttypes.h (TT_FaceRec): Add `svg` for
the SVG table.
* include/freetype/otsvg.h (FT_SVG_DocumentRec): New structure to hold the
SVG document and other necessary information of an OT-SVG glyph in a glyph
slot.
* include/freetype/tttags.h (TTAG_SVG): New macro.
* src/base/ftobjs.c: Include `otsvg.h`.
(ft_glyphslot_init): Allocate `FT_SVG_DocumentRec` in `slot->other`
if the SVG table exists.
(ft_glyphslot_clear): Free it upon clean-up if it is a GZIP compressed
glyph.
(ft_glyphslot_done): Free the document data if it is a GZIP compressed
glyph.
(FT_Load_Glyph): Don't auto-hint SVG documents.
* src/cache/ftcbasic.c (ftc_basic_family_load_glyph): Add support for
FT_GLYPH_FORMAT_SVG.
* src/sfnt/rules.mk (SFNT_DRV_SRC): Add `ttsvg.c`.
* src/sfnt/sfdriver.c: Include `ttsvg.h`.
(sfnt_interface): Add `tt_face_load_svg`, `tt_face_free_svg` and
`tt_face_load_svg_doc`.
* src/sfnt/sfnt.c: Include `ttsvg.c`.
* src/sfnt/sfobjs.c (sfnt_load_face, sfnt_done_face): Add code to load and
free data of the the SVG table.
* src/sfnt/ttsvg.c: New file, implementing `tt_face_load_svg`,
`tt_face_free_svg` and `tt_face_load_svg_doc`.
* src/sfnt/ttsvg.h: Declarations of the SVG functions in
`ttsvg.c`.
This flag is going to be used to conditionally compile support for OT-SVG
glyphs. FreeType will do the parsing and rely on external hooks for
rendering of OT-SVG glyphs.
* devel/ftoption.h, include/freetype/config/ftoption.h
(FT_CONFIG_OPTION_SVG): New flag.
It might be surprising that FreeType does not have default ppem and
the size has to be set explicitly or face undefined behavior with
undefined variables and errors. This offers an alternative to
missing or zero scale by simply setting FT_LOAD_NO_SCALE. Defined
behavior is bettr than undefined one.
This is alternative to !132 and discussed in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43708
* src/base/ftobjs.c (FT_Load_Glyph): Deal with zero scale.
* include/freetype/freetype.h: Document it.
In the unlikely case the source is built with OpenWatcom's -ec?
switches to enforce a calling convention, the qsort() compare
function must still be set to __watcall.
* include/freetype/internal/compiler-macros.h (FT_COMPARE_DEF):
Updated.
The `normal_top.count` may be 0, implying no `normal_top.zones` exist.
The code must not access these (non-existent) `normal_top.zones`.
* src/pshinter/pshalgo.c (ps_hints_apply): Do not assume that
`normal_top.zones[0]` is initialized. Test `normal_top.count`
before using `normal_top.zones[0]`. Do not rescale if there are no
`zones`.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43675
* include/freetype/config/integer-types.h: Make sure `long long` is
used then available.
* include/freetype/internal/ftcalc.h (FT_MSB): Add Watcom C/C++ pragma.
According to the bzip documentation it is undefined what will happen if
`BZ2_bzDecompress` is called on a `bz_stream` it has previously returned an
error against. If `BZ2_bzDecompress` returns anything other than `BZ_OK`
the only valid next action is `BZ2_bzDecompressEnd`.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43564
* src/bzip2/ftbzip2.c (FT_BZip2FileRec_): Add `reset` to track the need to
reset the stream.
(ft_bzip2_file_init): Initialize `reset` to 0.
(ft_bzip2_file_reset): Set `reset` to 0 after resetting.
(ft_bzip2_file_fill_output): Set `reset` to 1 when `BZ2_bzDecompress`
returns anything other than `BZ_OK`.
Fetch current list of valid CAs from Windows Update and manually import them
to trusted datastore. This action is required to make downloads work from
sites that need recent Let's Encrypt ISRG Root X1 certificate.
This reverts commit d276bcb7f0.
The original commit did avoid the use of uninitialized memory. However,
it appears that the original commit is no longer required. The
underlying issue was resolved by a change in freetype2-testing "Build
bzip2 correctly." [0]. Prior to [0] bzip2 was built without msan, so
bzip2 writes were not tracked or considered initialized. Clearing
`buffer` in the original commit allowed msan to see the `buffer` content
initialized once in FreeType code, but msan saw no writes into buffer
from bzip2. With bzip2 now built with msan, the bzip2 writes are
properly instrumented and msan sees the bzip2 writes into the buffer. As
a result the original commit can be safely reverted to allow for better
detection of other uninitialized data scenarios.
* src/bzip2/ftbzip2.c (FT_Stream_OpenBzip2): Revert to using `FT_QNEW`.
[0] 3c052a837a
Currently `T42_Open_Face` eagerly allocates 12 bytes for the ttf header
data which it expects `t42_parse_sfnts` to fill out from /sfnts data.
However, there is no guarantee that `t42_parse_sfnts` will actually be
called while parsing the type42 data as the /sfnts array may be missing
or very short. This is also confusing behavior as it means
`T42_Open_Face` is tightly coupled to the implementation of the very
distant `t42_parse_sfnts` code which requires at least 12 bytes to
already be reserved in `face->ttf_data`.
`t42_parse_sfnts` itself eagerly updates `face->ttf_size` to track how
much space is reserved for ttf data instead of traking how much data has
actually been written into `face->ttf_data`. It will also act strangely
in the presense of multiple /sfnts arrays.
* src/type42/t42objs.c (T42_Open_Face): ensure `ttf_data` is initialized
to NULL. Free `ttf_data` on error.
* src/type42/t42parse.c (t42_parse_sfnts): delay setting `ttf_size` and
set it to the actual number of bytes read. Ensure `ttf_data` is freed
if there are multiple /sfnts arrays or there are any errors.
While using zlib in 'solo' mode (via the `Z_SOLO` macro), we actually
include some standard header files, making the typedef fail on systems where
the native `ptrdiff_t` type differs.
Fixes#1124.
* src/zlib/zutil.h: Comment out definition; it doesn't work on Windows.
* src/zlib/patches/freetype-zlib.diff: Updated.
We now first apply zlib's `zlib2ansi` script, then FreeType's patch file.
* src/gzip/README.freetype: Updated.
* patches/0001-zlib-Fix-zlib-sources-to-compile-for-FreeType.patch: Renamed
to...
* patches/freetype-zlib.diff: This.
Clean up description, then regenerate it as follows:
- Copy unmodified files from `zlib` repository.
- Run `zlib2ansi` script.
- Run `git diff -R > patches/freetype-zlib.diff.new`.
- Insert patch description of old diff file, then replace old diff with
new diff file.
This can be tested by building with the Unix development build
make setup devel
make
or by building the freetype-demos programs with
meson setup build -Dfreetype2:zlib=internal
meson compile -C out
and trying to run `ftview` with a `.pcf.gz` font file.
* src/gzip/ftgzip.c, src/gzip/rules.mk: Update for new zlib sources. Also
remove the temporary fix introduced in commit 6a431038 to work around the
fact that the internal sources were too old.
* src/gzip/README.freetype: New file describing the origin of the sources
and how they were modified.
* src/gzip/patches/*: Patch files applied to original sources.
* src/gzip/*: Updated zlib sources with the patch file(s) from
`src/gzip/patches/` applied, followed by a conversion with zlib's
`zlib2ansi` script.
* meson_options.txt, meson.build: Change the format of the 'zlib' meson
build configuration option to be a combo with the following choices:
- none: Do not support gzip-compressed streams at all.
- internal: Support gzip-compressed streams using the copy of the gzip
sources under `src/gzip/`; this should only be used during development
to ensure these work properly.
- external: Support gzip-compressed streams using the 'zlib' Meson
subproject, linked as a static library.
- system: Support gzip-compressed streams using a system-installed version
of zlib.
- auto: Support gzip-compressed streams using a system-installed version
of zlib, if available, or using the 'zlib' subproject otherwise. This
is the default.
- disabled: Backward-compatible alias for 'none'.
- enabled: Backward-compatible alias for 'auto'.
* src/bzip2/ftbzip2.c (FT_Stream_OpenBzip2): Don't use `FT_QNEW` but
`FT_NEW` for setting up `zip` to avoid uninitialized memory access while
handling malformed PCF fonts later on.
Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42800
The 0-base index is equal to the number of previosly parsed entries.
It is an error to adjust it by one to get the number truncated by
a stream error. This is probably inconsequential because valid
entries are correctly accounted for.
* src/sfnt/ttload.c (check_table_dir): Do not adjust the truncated
number of tables.
Really fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42773.
* src/sfnt/ttload.c (check_table_dir): Revert change.
* src/type42/t42.parse.c (t42_parse_sfnts): Don't use `FT_QREALLOC` but
`FT_REALLOC` for setting up `ttf_data` to avoid uninitialized memory access
while handling malformed TrueType fonts later on.
When iterating over the cvt tuples and reading in the points it is necessary
to set all of `localpoints`, `points`, and `point_count` in all cases. The
existing code did not reset `localpoints` to `NULL` when there were no
private point numbers. If the previous tuple did have private point numbers
and set `localpoints` to `ALL_POINTS` this would not be cleared and the
wrong branch would be taken later, leading to possible heap buffer overflow.
* src/truetype/ttgxvar.c (tt_face_vary_cvt): Reset `localpoints` to `NULL`
when it isn't valid.
Fixes: https://crbug.com/1284742
