* include/freetype/internal/t1types.h: Host PS_DesignMap and PS_Blend.
* include/freetype/ftmm.h: Host and document TT_MAX_MM_XXX.
* include/freetype/t1tables.h: Remove them from here.
`T1_FIELD_ZERO` is used to zero initialize a `T1_FieldRec`.
`T1_FIELD_ZERO` is currently initilizing `T1_FieldRec::location` with a
`T1_FieldType` and `T1_FieldRec::type` with a `T1_FieldLocation`. This
was detected with `-Wenum-conversion`.
* include/freetype/internal/psaux.h (T1_FIELD_ZERO): correct order of
initalizers
In 32 bit builds `FT_ULong` is 32 bits and can silently overflow when a
large number is read into one and then it is summed or multiplied with
another number. Checks for range overflow must be written so that they
themselves do not overflow. Also ensure that the table_size is always the
first part of the range check and consistently use `<` or `<=`.
* src/sfnt/ttcolr.c (tt_face_load_colr): Avoid overflow.
(find_base_glyph_v1_record): Remove old work-around.
Bug: https://issues.chromium.org/issues/41495455
Bug: https://issues.chromium.org/issues/40945818
FT_SqrtFixed (95b0fe2a6d) is faster and does not overflow.
* src/sdf/ftsdfcommin.h (square_root): Replace with a macro.
* src/sdf/ftsdfcommin.c (square_root): Remove function.
The upper limit of 4095 is implied by the SFNT header format
where the multiplication by 16 would overflow without it.
* src/sfnt/sfwoff.c (woff_open_font): Updated.
* src/sfnt/sfwoff2.c (woff2_open_font): Ditto.
The existing code already disallows zero table woff2 overall, but still
allows for individual CollectionFontEntry to create font instances with
zero tables. Such fonts are not useful so error early.
This also fixes an MSAN discovered issue where if a CollectionFontEntry
numTables is zero then the sfnt_header was not fully initialized.
* src/sfnt/sfwoff2.c (woff2_open_font): error on zero tables, always
initalize sfnt_header
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68384
Resetting of the size nodes can crash, if a parent face purge happens
simultaneously and destroys the node. It is safer to create a new node.
Fixes#1270, reopened with a separate issue.
* src/cache/ftcbasic.c (FTC_BasicAttrRec): Match type of `load_flags`
to its main purpose in `FT_Load_Glyph`.
(FTC_ImageCache_Lookup{,Scaler},FTC_SBitCache_Lookup{,Scaler}): Updated.
Manipulate the cache after a face is requested or a size is looked up
successfully. Fixes#1270.
* src/cache/ftcmanag.c (ftc_size_node_init, ftc_size_node_reset,
ftc_face_node_init): Check for errors before accepting a change.
* src/cache/ftcmru.c (FTC_MruList_New): Do nothing if reset fails.
With horizontal bisections, the smallest section is a whole single
scanline. Almost horizontal lines or other complex scanlines can
easily overflow the rendering pool. Switching to vertical bisections
splits the scanlines and should rule out the overflows. Fixes#1269.
* src/smooth/ftgrays.c (gray_convert_glyph): Bisect vertically.
When creating a CID parser the location of the 'StartData' or '/sfnts'
tokens needs to be known. However, the token parser requires that the
entire document be in memory and flattening the entire stream into memory is
to be avoided.
To avoid forcing the entire stream into memory, previously this code would
scan through the stream looking for 'StartData' or '/sfnts' as strings.
However, these strings could have been in a comment or string token, so the
stream would be read into memory up to that point and the parser run to
check that these strings were actually tokens. This forced a parser restart
from the beginning each time; as a result, data with many 'StartData'
non-tokens would take n^2 time to check.
* src/cid/cidparse.c (cid_parser_new): Change algorithm to make the initial
scan look for the last possible 'StartData' or '/sfnts' string in the
stream. The stream is read forward instead of backward as a typical normal
CID font will have one 'StartData' toward the beginning of the data and it
it much faster to read the data from beginning to end instead of end to
beginning. For memory-based fonts the limit is set to the end of the stream
since the stream is already in memory. Then the parser is run once to look
for 'StartData' or '/sfnts' tokens. If they are found the parser is re-set
to reflect this new information.
Reported as
https://issues.chromium.org/issues/40201695
For default variable instances `cff_face_init` did not set the blend. This
mostly worked as later use of the unset blend produced the default
variation. However, if a user called `TT_Get_MM_Var` the blend would be
partially set up, but not fully. In particular the number of axes, the axis
definitions, and the instance locations would be set up, but not the current
instance location (`coords` and `normalizedcoords`). This could lead to the
default instances of CFF2 fonts erroring on any use of `blend`.
Ensure the default variable instance is fully set up by always calling
`FT_Set_Named_Instance` on a variable face.
* src/cff/cffobjs.c (cff_face_init): Call `FT_Set_Named_Instance` on
default instances.
* src/truetype/ttobjs.c (tt_face_init): Ditto.
Fixes#1268.
Alexei Podtelezhnikov