Malformed fonts often have large values for the number of bitmap
strikes, and FreeType doesn't check the validity of all bitmap
strikes in advance.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=353
* src/tools/ftfuzzer/ftfuzzer.cc: Include `stdlib.h' for `rand'.
(Random): Small class to provide n randomly selected numbers
(without repitition) out of the value set [0,N].
(LLVMFuzzerTestOneInput): Use it to test only up to 10 bitmap
strikes.
Make some functions work before a call to `TT_Set_MM_Blend'.
* src/truetype/ttgxvar.c (tt_hadvance_adjust): Exit immediately if
we don't blend.
(TT_Get_MM_Blend, TT_Get_Var_Design): Return default values if we
don't blend.
Pdfium includes `pstables.h' a second time; moving the definition
from `pstables.h' to `psmodule.c' saves more than 60kByte data
segment space for this case.
* src/tools/glnames.py (StringTable::dump,
StringTable::dump_sublist, dump_encoding, dump_array): Emit
additional code to only define tables if `DEFINE_PS_TABLES' is set.
* src/psnames/pstables.h: Regenerated.
* src/psnames/psmodule.c (DEFINE_PS_TABLES): Define.
* src/cff/cffdrivr.c: Don't include
`FT_SERVICE_METRICS_VARIATIONS_H'.
(cff_get_advances): Use `ttface->variation_support'.
* src/truetype/ttdriver.c (tt_get_advances): Use
`ttface->variation_support'.
* src/truetype/ttgload.c (TT_Process_Simple_Glyph,
load_truetype_glyph): Use `ttface->variation_support'.
* include/freetype/internal/tttypes.h (TT_FACE_FLAG_VAR_XXX):
New macros describing available functionality of various OpenType
tables related to font variation.
(TT_Face): New fields `variation_support' and `mvar_support',
replacing and extending `use_fvar'.
* src/sfnt/sfobjs.c (sfnt_init_face, sfnt_load_face): Use
`variation_support'.
* src/truetype/ttgxvar.c (ft_var_load_hvar): Set `variation_support'
field.
(TT_Vary_Apply_Glyph_Deltas): Updated.
* src/cff/cffdrivr.c (cff_get_advances), src/truetype/ttdriver.c
(tt_get_advances): Use `is_default_instance' for test; this gets
recomputed after changing blend coordinates.
When asking for an unhinted non-default variations,
`linearVertAdvance' is currently the value from the `hmtx' table
instead of the actual value after applying the variation. `HVAR'
support fixes this, but fonts will exist without that table and will
need sane fallback.
* src/truetype/ttgload.c (TT_Process_Simple_Glyph,
load_truetype_glyph): Implement linear advance adjustments if `HVAR'
or `VVAR' tables are missing.
Everything is guarded with TT_CONFIG_OPTION_GX_VAR_SUPPORT.
* src/base/ftadvanc.c (LOAD_ADVANCE_FAST_CHECK): Don't handle MM.
* src/cff/cffdrivr.c: Include FT_SERVICE_METRICS_VARIATIONS_H.
(cff_get_advances): Test for HVAR and VVAR.
* src/truetype/ttdriver.c (tt_get_advances): Test for HVAR and VVAR.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=304
* src/base/ftobjs.c (FT_Open_Face): Code moved to...
(ft_open_face_internal): ... this function.
Add a parameter to control whether we try special Mac font handling
in case of failure.
(FT_Open_Face, FT_New_Face, FT_New_Memory_Face,
open_face_from_buffer): Use `ft_open_face_internal'.
In particular, we need access to named instance data.
* include/freetype/internal/services/svmm.h (FT_Get_Var_Blend_Func):
Add argument for `FT_MM_Var'.
* src/cff/cffload.c (cff_get_var_blend): Updated.
* src/cff/cffload.h: Updated.
* src/cff/cf2ft.c (cf2_getNormalizedVector): Updated.
* src/truetype/ttgxvar.c (tt_get_var_blend): Updated.
Accept value `NULL' for arguments.
* src/truetype/ttgxvar.h: Updated.
This is better behaviour than exiting with an error.
* include/freetype/internal/tttypes.h (TT_Face): Add `use_fvar'
field.
* src/sfnt/sfobjs.c (sfnt_init_face): Compute `use_fvar', also
updating the validation code.
Use `use_fvar' to compute FT_FACE_FLAG_MULTIPLE_MASTERS.
* src/truetype/ttgxvar.c (TT_Get_MM_Var): Remove `fvar' validation
code.
* include/freetype/internal/tttypes.h (TT_Face): Move
`is_default_instance' into TT_CONFIG_OPTION_GX_VAR_SUPPORT
block.
* src/sfnt/sfobjs.c (sfnt_init_face): Updated.
* src/truetype/ttgload.c (IS_DEFAULT_INSTANCE): New macro.
(TT_Load_Glyph): Use it.
* src/sfnt/sfobjs.c (sfnt_init_face): If the axis count in `fvar' is
zero, set `num_instances' to zero.
* src/truetype/ttgxvar.c (TT_Get_MM_Var): Handle `fvar' table with
zero axes as invalid.
* src/truetype/ttobjs.c (tt_face_init): Improve logic of loading
`loca', `cvt', `fpgm', and `prep' table.
* src/base/ftobjs.c (FT_Open_Face): Return info on number of
available faces and numbered instances, or the indices of the
requested face and numbered instance.
* src/sfnt/sfobjs. (sfnt_open_font): Trace number of subfonts.
* src/cff/cf2font.h: Include `cffload.h'.
* src/cff/cffload.c: Include FT_MULTIPLE_MASTERS_H and
FT_SERVICE_MULTIPLE_MASTERS_H.
(cff_vstore_load): Eliminate `vsSize'.
(cff_load_private_dict): Tag as `FT_LOCAL_DEF'.
* src/cff/cffload.h: Include `cffobjs.h'.
Provide declaration for `cff_load_private_dict'.
* src/truetype/ttgxvar.c (ft_var_load_hvar): Eliminate
`minorVersion' and `map_offset'.