kc3-lang/freetype/src/sfnt
Branch :
Log
| Author | Commit | Date | CI | Message |
|---|---|---|---|---|
 |
32cb5390 | 2025-09-06 06:14:03 | Update all copyright notices. | |
|
d3668e00 | 2025-09-05 20:21:27 | src/sfnt/ttload.c (tt_face_load_any): Correctly handle font containers. Reported as https://issues.oss-fuzz.com/issues/424613326 | |
|
b04db387 | 2025-07-04 19:52:53 | [sfnt] Rewrite GPOS kerning support. (2/2) The previous code had a fundamental flaw: it didn't validate the necessary parts of the 'GPOS' table before accessing it, causing crashes with malformed data (since `TT_CONFIG_OPTION_GPOS_KERNING` is off by default, standard fuzzers don't catch these problems). Additionally, it did a lot of parsing while accessing kerning data, making it rather slow. The new implementation fixes this. After validation, offsets to the 'GPOS' lookup subtables used in the 'kern' feature that correspond to 'simple' kerning (i.e., similar to 'kern' table kerning) are stored in `TT_Face`; this greatly simplifies and accelerates access to the kerning data. Testing with font `SF-Pro.ttf` version '1.00', the validation time for the 'GPOS' table increases the start-up time of `FT_New_Face` by less than 1%, while calls to `FT_Get_Kerning` become about 3.5 times faster. * include/freetype/internal (gpos_kerning_available): Replace with... (gpos_lookups_kerning, num_gpos_lookups_kerning): ... these new fields. Update callers. * src/ttgpos.c [TT_CONFIG_OPTION_GPOS_KERNING]: A new implementation. | |
|
8ef26a80 | 2025-07-04 19:50:48 | [sfnt] Rewrite GPOS kerning support. (1/2) This commit removes the previous implementation. | |
|
fb6a7426 | 2025-07-04 06:03:37 | * src/sfnt/ttkern.h (TT_FACE_HAS_KERNING): Remove macro. Given that we also support (limited) 'GPOS' table kerning if `TT_CONFIG_OPTION_GPOS_KERNING` is defined, the name of this macro is misleading since it only is true for 'kern' table kerning. * src/sfnt/sfobjs.c (sfn_load_face): Replace `TT_FACE_HAS_KERNING` with plain code. | |
|
8d82c9fa | 2025-07-01 17:08:37 | */*: Fix trivial signedness issues with format strings in trace messages. As reported with clang 19's `-Wformat` option. | |
|
7f559fbe | 2025-06-10 04:55:43 | Update links. Found with `linkchecker --check-extern index.html` running locally in the 'freetype-web' repository. | |
|
5a07f41d | 2025-05-28 09:52:44 | [sfnt] `FT_Load_Sfnt_Table` can now also load a font's table directory. Closes issue #1263. * src/sfnt/ttload.c (tt_face_load_any): Implement it. | |
 |
5987a9f5 | 2025-05-22 02:51:36 | [ttmtx] Fix check for being non-default variation position. If user explicitly sets variations to `NULL` after it being set to something else, `face->blend` will still be non-`NULL`. The intention here however is correctly captured by `FT_IS_VARIATION`. * src/sfnt/ttmtx.c (tt_face_get_metrics): Use `FT_IS_VARIATION`. | |
|
6fa8725a | 2025-05-09 13:25:34 | [sfnt] Avoid allocation bomb in compressed SVG documents. Reported as https://issues.oss-fuzz.com/issues/416538625 * src/sfnt/ttsvg.c (MAX_SVG_SIZE): New macro. (tt_face_load_svg_doc): Reject too large buffer. | |
 |
1beb83fd | 2025-01-01 22:28:36 | * src/sfnt/ttsbit.c (tt_face_load_sbix_image): Refactor `flip`. | |
|
83af801b | 2024-09-07 13:44:57 | * src/sfnt/ttsbit.c (tt_face_load_sbix_image): Respect metrics_only. Also fixes recursive flip. | |
|
30080320 | 2024-09-06 13:43:47 | * src/sfnt/ttsbit.c (tt_face_load_sbix_image): Tweak loop. | |
 |
98283cb3 | 2024-09-06 17:03:58 | [sfnt] Support sbix graphicType 'flip'. * src/sfnt/ttsbit.c (tt_face_load_sbix_image): Currently undocumented by Apple, this flips the bitmap data horizontally. It is used on macOS in Apple Color Emoji; 19.4d6e1; 2024-02-05 (file `Apple Color Emoji.ttc`). Fixes issue #1282. | |
|
d2612e1c | 2024-08-26 07:01:19 | * src/sfnt/ttcmap.c (tt_cmap*_get_info): Remove casting. | |
|
6b992aaa | 2024-08-11 19:44:13 | * src/*/*: Fix C++ compilation; fix clang warnings. | |
|
ed8b82ba | 2024-08-08 10:28:05 | Various minor documentation or formatting fixes. | |
|
3f8edd23 | 2024-07-28 20:56:07 | * src/sfnt/ttload.c (tt_face_load_name): Shorten dereference. | |
|
24888540 | 2024-07-28 19:42:49 | [bdf,pcf,winfonts,sfnt] Remove barely used marcros. * include/freetype/internal/ftobjs.h (FT_FACE_SIZE, FT_SIZE_FACE): Removed. * src/bdf/bdfdrivr.c (BDF_Glyph_Load): Updated. * src/pcf/pcfdrivr.c (PCF_Glyph_Load): Ditto. * src/winfonts/winfnt.c (FNT_Load_Glyph): Ditto * src/sfnt/ttbdf.c (tt_face_find_bdf_prop): Ditto. | |
|
bab9564a | 2024-06-26 05:39:11 | Make 'multi' build work again. * src/psaux/psobjs.c: Include `psft.h`. * src/sfnt/rules.mk (SFNT_DRV_SRC): Add `ttgpos.c`. Fixes issue #1284. | |
 |
5858fa16 | 2024-05-07 18:19:58 | [colr] Avoid overflow in range checks In 32 bit builds `FT_ULong` is 32 bits and can silently overflow when a large number is read into one and then it is summed or multiplied with another number. Checks for range overflow must be written so that they themselves do not overflow. Also ensure that the table_size is always the first part of the range check and consistently use `<` or `<=`. * src/sfnt/ttcolr.c (tt_face_load_colr): Avoid overflow. (find_base_glyph_v1_record): Remove old work-around. Bug: https://issues.chromium.org/issues/41495455 Bug: https://issues.chromium.org/issues/40945818 | |
|
7bd887f1 | 2024-05-03 16:04:35 | * src/sfnt/sfwoff2.c (woff2_open_font): Fix copy-paste typo. | |
|
3f28a6b6 | 2024-05-03 15:44:57 | [woff,woff2] Limit the number of tables and use FT_MSB. The upper limit of 4095 is implied by the SFNT header format where the multiplication by 16 would overflow without it. * src/sfnt/sfwoff.c (woff_open_font): Updated. * src/sfnt/sfwoff2.c (woff2_open_font): Ditto. | |
 |
13d1180f | 2024-05-02 13:16:46 | [woff2] Disallow zero table font entries The existing code already disallows zero table woff2 overall, but still allows for individual CollectionFontEntry to create font instances with zero tables. Such fonts are not useful so error early. This also fixes an MSAN discovered issue where if a CollectionFontEntry numTables is zero then the sfnt_header was not fully initialized. * src/sfnt/sfwoff2.c (woff2_open_font): error on zero tables, always initalize sfnt_header Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68384 | |
|
4d504684 | 2024-05-01 23:19:31 | [sfnt] Use faster macros in checksums. * src/truetype/ttobjs.c (tt_synth_sfnt_checksum): Use FT_NEXT_XXX. * src/sfnt/sfwoff2.c (compute_ULong_sum): Use macros. | |
|
13da9042 | 2024-05-01 00:34:21 | * src/sfnt/sfwoff2.c (compute_ULong_sum): Clean up. | |
|
f42ce255 | 2024-03-08 14:55:12 | [colr] Ensure enough bytes for PaintColrLayers * src/sfnt/ttcolr.c (read_paint): check that there are five additional bytes to be read when reading PaintColrLayers. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66566 | |
|
47574f7e | 2024-01-27 11:11:22 | Update all copyright notices. | |
|
4f0256c1 | 2024-01-27 10:47:10 | * src/sfnt/ttgpos.c (tt_gpos_get_glyph_class): Fix warning C4018. | |
 |
8f286c86 | 2024-01-19 16:42:48 | Add support for kerning from 'GPOS' tables. This commit adds support for kerning from 'GPOS' tables, while maintaining support for basic 'kern' tables. `FT_HAS_KERNING` will be true for a font with either available and `FT_Get_Kerning` will still use the basic 'kern' table data if avilable, otherwise check the GPOS 'kern' feature. This feature is disabled by default; it can be enabled with the `TT_CONFIG_OPTION_GPOS_KERNING` flag. Only basic kerning (pair positioning with just an x advance) is supported from the GPOS layout features; support for that was added to make the existing `FT_Get_Kerning` API more consistently functional. FreeType does not intend to extend itself to further GPOS functionality though; a higher-level library like HarfBuzz can be used instead for that. * include/freetype/config/ftoption.h, include/devel/ftoption.h (TT_CONFIG_OPTION_GPOS_KERNING): New configuration option. * include/freetype/internal/fttrace.h: Add `ttgpos` trace handler. * include/freetype/internal/sfnt.h (SFNT_Interface): Add `load_gpos` and `get_gpos_kerning` fields. (FT_DEFINE_SFNT_INTERFACE): Updated. * include/freetype/internal/tttypes.h: Include `fttypes.h`. (TT_FaceRec) [TT_CONFIG_OPTION_GPOS_KERNING]: Add `gpos_table` and `gpos_kerning_available` fields. * src/sfnt/ttgpos.c, src/sfnt/ttgpos.h: New files. * src/sfnt/sfdriver.c [TT_CONFIG_OPTION_GPOS_KERNING]: Include `ttgpos.h`. (sfnt_interface): Updated. * src/sfnt/sfnt.c: Include `ttgpos.c`. * src/sfnt/sfobjs.c [TT_CONFIG_OPTION_GPOS_KERNING]: Include `ttgpos.h`. (sfnt_load_face) [TT_CONFIG_OPTION_GPOS_KERNING]: Load and free GPOS kerning data; check GPOS kerning availability. * src/truetype/ttdriver.c (tt_get_kerning): Use GPOS kerning if there's no 'kern' table. | |
 |
7bac4d14 | 2024-01-08 20:25:31 | * src/sfnt/ttcolr.c (find_base_glyph_v1_record): Fix build in C90 mode. | |
|
4a85ff0b | 2024-01-04 21:38:51 | [sfnt] Restrict POST version 1.0. A font has surfaced with `post` version 1.0 and fewer than 258 glyphs. Its glyphs did not correspond to their names. We now reject such `post` strictly following specifications. * src/sfnt/ttpost.c (tt_face_get_ps_name): Check the number of glyphs for version 1.0. | |
|
57c4252a | 2024-01-02 17:55:33 | [sfnt] Guard access in 'COLR' v1 glyph binary search. Reported as https://bugs.chromium.org/p/chromium/issues/detail?id=1505216 * src/sfnt/ttcolr.c (find_base_glyph_v1_record): Guard access of the search pointer during binary search. The pointer needs to be checked as we go as the test that compares number of v1 glyphs with table size at the time of loading the table is not sufficient on its own. A scenario is possible in which the `BaseGlyphRecord` list extends into non-`BaseGlyphRecord` parts of the 'COLR' v1 table (but passed the size comparison check). Then, at those locations, invalid glyph ID values are read and may provoke an invalid read due to reassigning min and max values during the binary search. | |
|
4904d1eb | 2023-09-06 22:58:46 | * src/sfnt/ttpost.c (load_format_20): Micro-optimize. | |
|
000b26a3 | 2023-08-30 23:03:02 | * src/sfnt/ttpost.c (load_format_20): Rework tracing. | |
|
2f7abe48 | 2023-08-29 19:18:43 | Comment added. | |
|
c46c4b8e | 2023-08-29 17:52:06 | * src/sfnt/ttpost.c (load_format_20): Permit long names. Fixes #1254. | |
|
3829fdaa | 2023-08-04 11:41:23 | Avoid overflow in COLR bounds checks. The values read into `base_glyphs_offset_v1` and `layer_offset_v1` may be in the range 0xFFFFFFFD-0xFFFFFFFF. On systems where `unsigned long` is 32 bits adding 4 to such values will wrap and pass bounds checks but accessing values at such offsets will be out of bounds. On the other hand `table_size` has already been tested to be at least `COLRV1_HEADER_SIZE` (34) so it is safe to subtract 4 from it. * src/sfnt/ttcolr.c (tt_face_load_colr): subtract 4 from `table_size` instead of adding 4 to font data offsets in bounds checks Fixes: https://crbug.com/1469348 | |
|
dd3c9c5f | 2023-07-18 13:25:57 | [woff2] Clean up on large brotli expansion * src/sfnt/sfwoff2.c (woff2_open_font): set error and goto cleanup Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60711 | |
|
336503df | 2023-07-16 07:36:01 | [woff2] Avoid allocation bomb. This is a fix for commit 85167dbd5, reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60615 * src/sfnt/sfwoff2.c (MAX_SFNT_SIZE): New macro. (woff2_open_font): Use it to limit the maximum size of an uncompressed WOFF2 font. | |
|
85167dbd | 2023-07-13 16:49:34 | [woff2] Remove sfnt size guess check In WOFF the `totalSfntSize` must be correct, however in WOFF2 this value is now just a hint and a conforming implementation must not reject otherwise valid data if the `totalSfntSize` turns out not to be exact. * src/sfnt/sfwoff2.c (woff2_open_font): remove check that uncompressed woff2 data would fit in the sfnt size guess. Fixes: #1235 | |
|
2fb8eda5 | 2023-06-01 19:38:36 | */*: Remove many function pointer casts. In C it is undefined behavior to call a function through a function pointer of a different type. This is now detected by the Control Flow Integrity Sanitizer. All known issues have already been fixed. Prevent any accidental re-introduction by removing function pointer casts when defining services. The services will call the service functions through the function pointers on the service. As a result the functions must have the same type so there should be no need to cast. Removing the casts allows compilers to warn about assignment to an incompatible function pointer type. | |
|
365eb10d | 2023-05-07 19:16:38 | * src/sfnt/ttcmap: Signature fixes. | |
|
e245951c | 2023-05-06 23:59:25 | * src/sfnt/sfdriver.c, src/sfnt/ttbdf.c: Clean up interface. Ensure that all driver functions use the signature of the service or driver. This avoids pointer mismatches, which are technically undefined behaviour. Recent compilers are more picky in catching them as part of Control Flow Integrity tests. * src/sfnt/sfdriver.c (sfnt_load_table): New wrapper function. (sfnt_service_sfnt_table): Use it. | |
|
8fe50c2a | 2023-04-27 23:06:51 | [truetype] Fix style name handling for variation fonts. * include/freetype/internal/tttypes.h (TT_FaceRec): New field `non_var_style_name`. * src/sfnt/sfobjs.c (sfnt_load_face): Initialize `non_var_style_name`. (sfnt_done_face): Free `non_var_style_name`. * src/truetype/ttgxvar.c (TT_Set_Named_Instance): Restore non-VF style name if switching back to non-VF mode. | |
|
fb982e78 | 2023-04-26 08:17:17 | New Variation Font function `FT_Get_Default_Named_Instance`. * include/freetype/ftmm.h, src/base/ftmm.c (FT_Get_Default_Named_Instance): New function. * include/freetype/internal/services/svmm.h (FT_Get_Default_Named_Instance_Func): New typedef. (FT_Service_MultiMasters): New field `get_default_named_instance`. (FT_DEFINE_SERVICE_MULTIMASTERSREC): Updated. * include/freetype/internal/tttypes.h (TT_Face): New field `var_default_named_instance`. * src/sfnt/sfobjc.s (sfnt_init_face): Initialize `var_default_named_instance`. * src/cff/cffdrivr.c (cff_get_default_named_instance): New function. (cff_service_multi_masters): Updated. * src/truetype/ttgxvar.c (TT_Get_MM_Var): Initialize `var_default_named_instance`. (TT_Get_Default_Named_Instance): New function. * src/truetype/ttgxvar.h: Updated. * src/truetype/ttdriver.c (tt_service_gx_multi_masters): Updated. * src/type1/t1driver.c (t1_service_multi_masters): Updated. * docs/CHANGES: Updated. | |
|
36a086b6 | 2023-04-28 19:40:35 | * src/sfnt/pngshim.c (Load_SBit_Png): Remove FALL_THROUGH warning. | |
|
08268691 | 2023-04-28 15:32:16 | * src/sfnt/ttload.c (tt_face_load_font_dir): Add another guard. Reject 'OTTO' fonts with no valid tables. | |
|
0a3836c9 | 2023-04-25 09:54:09 | Improve/add source comments and documentation. | |
|
40676afc | 2023-04-25 09:30:30 | [sfnt] Fix handling of PS names for Variation Fonts. * src/sfnt/sfdriver.c (get_win_string, get_apple_string): Continue construction of string if an invalid character is encountered. Fixes #1218. | |
|
e78e2d29 | 2023-04-06 11:16:29 | [sfnt, truetype] Add `size_reset` to `MetricsVariations`. This is a generalization of commit ``` commit e6699596af5c5d6f0ae0ea06e19df87dce088df8 Author: Werner Lemberg <wl@gnu.org> Date: Thu Feb 2 11:38:04 2017 +0100 [truetype] Fix MVAR post-action handling. ``` It is also possible for plain `CFF ` style fonts to contain an `fvar` and `MVAR` table and use `cff_metrics_adjust`. `tt_size_reset` should only be called with `TT_Size` and never with `CFF_Size`. Allow the "metrics-variations" service to specify the correct function (if any) to reset `FT_Size`s after adjusting metrics. * src/truetype/ttobjs.c (tt_size_reset): Split off some functionality into... (tt_size_reset_height): ... this new function. * src/truetype/ttdriver.c (tt_service_metrics_variations): Add `size_reset`. (tt_size_select, tt_size_request): Updated. * src/truetype/ttobjs.h: Updated. * include/freetype/internal/services/svmetric.h (MetricsVariations): Add `size_reset`. (FT_DEFINE_SERVICE_METRICSVARIATIONSREC): Updated. * include/freetype/internal/tttypes.h (TT_FaceRec_): Rename `var` to `tt_var` and add `face_var`. * src/cff/cffdrivr.c (cff_service_metrics_variations): Add `size_reset`. (cff_hadvance_adjust, cff_metrics_adjust): Updated. * src/cff/cffobjs.c (cff_face_init): Use `face_var`. * src/sfnt/sfobjs.c (sfnt_init_face): Initialize `face_var`. * src/sfnt/ttmtx.c (tt_face_get_metrics): Use `tt_var`. * src/truetype/ttgxvar.c (tt_size_reset_iterator): Renamed to... (ft_size_reset_iterator): ... this new function. Call `size_reset`. (tt_apply_mvar): Pass `size_reset` to `ft_size_reset_iterator`. Fixes #1211 | |
|
1a4c18f7 | 2023-04-10 15:30:43 | Align `char_next` return types. This is mostly cosmetic because FT_UInt and FT_UInt32 are likely identical. * src/sfnt/ttcmap.c, src/cff/cffcmap.c, src/psaux/t1cmap.c, src/psnames/psmodule.c, include/freetype/internal/service/svpcsmap.h, src/pfr/pfrcmap.c, src/winfonts/winfnt.c (*_char_next): return FT_UInt. | |
|
d2544433 | 2023-04-08 23:15:41 | [sfnt] Clean up CMAP{4,12,13} handling. This moves the charcode overflow checks upstream and turns some while-loops into the do-while ones to avoid the uninitialized warnings. This should slightly reduce the number of checks and jumps. * src/sfnt/ttcmap.c (tt_cmap{4,12,13}_next, tt_cmap{4.12.13}_char_map_linear): Remove the charcode overflow check. (tt_cmap{4,12,13}_char_map_binary): Ditto and use do-while. (tt_cmap{12,13}_char_next): Add the overflow check. | |
|
b0a4f992 | 2023-04-02 22:45:48 | * src/sfnt/ttpost.c (load_format_25): Do not abort frame reading. | |
|
340767bf | 2023-04-02 22:00:59 | * src/sfnt/ttpost.c (load_format_*): Streamline frame reading. | |
|
311b78fa | 2023-04-02 09:24:16 | * src/sfnt/ttpost.c: Formatting and comments. | |
|
8f7b1455 | 2023-04-01 23:37:51 | [sfnt] Consolidate POST version 2.0 and 2.5 (pt 2). * src/sfnt/ttpost.c (load_format_20, load_format_25): Update arguments and move shared calls and checks upstream to... (load_post_names): ... this function. (tt_face_free_ps_names, tt_face_get_ps_name): Updated. | |
|
9597a62b | 2023-04-01 22:34:30 | [sfnt] Consolidate POST version 2.0 and 2.5 (pt 1). The deprecated POST version 2.5 can be handled using the data structures of version 2.0. The goal is to reduce the footprint. * include/freetype/internal/tttypes.h (TT_Post_Names): Absorb and... (TT_Post_20, TT_Post_25): ... remove these structures. src/sfnt/ttpost.c (load_post_names, tt_face_get_ps_name, tt_face_free_ps_names, load_format_20): Updated accordingly. (load_format_25): ditto and convert offsets to glyph indices. | |
|
6d7b8b22 | 2023-03-31 23:17:46 | [sfnt] Miscellaneous POST clean-ups. * src/sfnt/ttpost.c (load_format_20): Decrease casts. (load_format_25): Check the table length and impose a theoretical glyph number limit usable with 8-bit offset. Decrease casts. (load_post_names): Pass the mapping data length without 2 bytes. | |
|
0db69970 | 2023-03-30 09:06:35 | * src/sfnt/ttpost.c (load_format_20): Simplify comutations. | |
|
4679fcb6 | 2023-03-29 00:21:00 | [sfnt] Streamline POST format 2.0 handing (cont'd). * src/sfnt/ttpost.c (load_format_20): Co-allocate the string data and their pointers, which makes it easier to handle and free them. (tt_face_free_ps_names): Updated. * include/freetype/internal/tttypes.h (TT_Post_20): Update type. | |
|
fc01e7dd | 2023-03-05 22:05:24 | Fix a couple of MSVC warnings. * src/base/ftcalc.c (FT_MulAddFix): Add cast. * src/sfnt/ttcolr.c (tt_face_get_colorline_stops, read_paint): Ditto. | |
|
7ae20e55 | 2023-03-03 22:41:09 | * src/sfnt/sfobjs.c (sfnt_load_face): Shorten de-referencing. | |
|
d399657f | 2023-02-26 20:18:54 | * src/*: Replace leading underscores with trailing ones in dummy variables. This is to avoid clang warnings. | |
|
663486a7 | 2023-02-08 20:56:19 | Fix `FT_LOCAL` and `FT_LOCAL_DEF` tags. | |
|
ac5babe8 | 2023-02-08 19:36:10 | Fix 'fall-through' warning messages. Modern compilers get more insistent on that... * include/freetype/internal/compiler-macros.h (FALL_THROUGH): Define. * src/*: Use it instead of `/* fall through */` comments. | |
|
da9eb9c7 | 2023-02-07 07:01:36 | Fix minor clang and clang++ warnings. | |
|
e97544a7 | 2023-01-28 17:04:38 | Minor changes. Comment fixes, typos, removing of unnecessary parentheses. | |
|
bacc48e6 | 2023-01-28 17:04:11 | Whitespace. | |
 |
a297feab | 2023-01-17 14:30:48 | [sfnt] Avoid nullptr dereference in reading malformed 'COLR' v1 table. Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=1408044. * src/sfnt/ttcolr.c (tt_face_load_colr): When the 'COLR' v1 table header is too small, don't deallocate delta set index map structures. | |
|
65f85237 | 2023-01-17 09:18:25 | Update all copyright notices. | |
|
6a179ff7 | 2023-01-16 16:38:56 | sr/*.c: Various minor fixes. * src/autofit/ft-hb.c (_hb_ft_reference_table): Call `FT_UNUSED` after variable declarations. * src/gxvalid/gxvjust.c (gxv_just_widthDeltaClusters_validate): Eliminate unused variable. * src/gzip/ftgzip.c: Don't call GCC '-Wstrict-prototypes' pragma for C++ compiler. * src/sfnt/ttcolr.c (ENSURE_READ_BYTES): Remove final semicolon to avoid compiler warning. * src/sfnt/ttsvg.c (tt_face_load_svg_doc): Fix signedness warning. | |
|
2692b321 | 2023-01-03 17:19:02 | [sfnt] Remove temporary runtime flag for variable 'COLR' v1. Fixes #1187. * src/sfnt/ttcolr.c (top level, read_paint, tt_face_load_colr, tt_face_free_colr, get_deltas_for_var_index_base, tt_face_get_color_glyph_clipbox, tt_face_get_colorline_stops): Remove macro definition `VARIABLE_COLRV1_ENABLED` and its usage. * src/truetype/ttdriver.c (tt_property_set): Remove parsing of 'TEMPORARY-enable-variable-colrv1' property name. * src/truetype/ttobjs.h (TT_DriverRec): Remove `enable_variable_colrv1` flag. | |
|
63f37136 | 2023-01-04 15:52:41 | [sfnt] Fix color stop bounds check calculation at table end. Fixes https://bugs.chromium.org/p/skia/issues/detail?id=14021 * src/sfnt/ttcolr.c (VAR_IDX_BASE_SIZE): New macro. (tt_face_get_colorline_stops): Fix off-by-one bounds check calculation, take `VarColorStop` into account, and hopefully make it easier to read. | |
|
26e9028f | 2022-12-13 09:53:26 | [sdf, sfnt] Handle minor compiler warnings. * src/sdf/ftsdf.c (get_min_distance_conic): Initialize `nearest_point`. * src/sfnt/ttsvg.c (find_doc): Initialize `mid_doc`. Fixes #1195. | |
|
0b62c1e4 | 2022-10-18 14:45:43 | [sfnt] Additional bounds checks for `COLR` v1 table handling. * src/sfnt/ttcolr.c (read_paint): Add `colr` argument, necessary for... ... another use of `ENSURE_READ_BYTES`. Update callers. (tt_face_get_paint_layers): Ensure that the 4-byte paint table offset can be read. This is a follow-up to !124 and issue https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52404 | |
|
b8882a3e | 2022-10-18 15:58:02 | * src/sfnt/ttsbit.c (tt_face_load_strike_metrics): Simplify calculations. | |
|
04272824 | 2022-10-17 18:18:49 | [sfnt] Guard individual `COLR` v1 paint field reads. * src/sfnt/ttcolr.c (ENSURE_READ_BYTES): New macro. (read_paint): Use it – after the start pointer `p` has been checked for whether it allows reading the format byte, each successive paint table field read need to be bounds-checked before reading further values. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52404 | |
|
141d979a | 2022-10-10 12:25:51 | Minor comment changes. | |
|
ff66e912 | 2022-09-29 17:46:23 | * src/sfnt/ttsbit.c (tt_face_load_strike_metrics): Use lighter FT_DivFix. | |
|
df260139 | 2022-09-27 17:50:55 | [sfnt] Guard access in 'COLR' table when requesting child table pointer. * src/sfnt/ttcolr.c (tt_face_get_colorline_stops, read_paint): Tighten pointer bounds checks. (get_child_table_pointer): Check whether incoming pointer `p` lies within the 'COLR' table. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51816 | |
|
bd417007 | 2022-09-26 14:46:42 | [sfnt] Add SVG document bounds checking. Add a check that the document content is actually contained within the `SVG ` table. Without this check a malformed font may claim arbitrary memory as its document content. * src/sfnt/ttsvg.c (tt_face_load_svg): Take `numEntries` into account when testing 'documentRecord' extents. (find_doc): Rename `stream` to `document_records` for clarity. (tt_face_load_svg_doc): Split `doc` from `doc_list` pointer for clarity. Test that the document content is contained within the table. Ensure minimum length of document before testing for gzip format. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51812 | |
|
33ceac2a | 2022-09-15 09:47:07 | Reject 'COLR' table if version is 1 but header too small. * src/sfnt/ttcolr.c (tt_face_load_colr): If the version is determined to be 1, then the table size has to be at least the size of the v1 header. Also, for peeking the number of base glyphs and entries in the layer list, ensure that the table is sufficiently long. Fixes #1179. Original patch by Sergey Temnikov. | |
|
91a7fae7 | 2022-09-05 15:49:27 | [sfnt] Handle variable `COLR` v1 fonts without delta set index map Fixes #1178. * src/sfnt/ttcolr.c (get_deltas_for_var_index_base): Set outer index to 0 and inner index to the delta index when retrieving deltas if the `COLR` table has no delta set index map. | |
|
6d62076a | 2022-08-30 15:00:37 | [sfnt] Pointer sanity checks before reading layer info in 'COLR' v0 * src/sfnt/ttcolr.c (tt_face_get_colr_layer): Check that the pointer to read from is within the 'COLR' table. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50633 | |
|
a1017e26 | 2022-08-19 19:07:42 | [sfnt] Don't require 'gvar' table to support variation fonts. Fixes #1172. * src/sfnt/sfobjs.c (sfnt_load_face): Tag font as Multiple Masters font if `fvar` is present; do not require other tables to be present. * src/truetype/ttgxvar.c (tt_set_mm_blend): Allow for a missing 'gvar' table when setting variation coordinates. However, if a 'gvar' table is actually present, do perform a sanity check and fail on malformedness. (TT_Get_MM_Var): Don't assume 'fvar' needs 'gvar' or 'CFF2 tables in all cases, which is an overly tight check. | |
|
4797b2ff | 2022-08-26 12:08:34 | [sfnt] Avoid undefined shifts in `COLR` v1 color line retrieval * src/sfnt/ttcolr.c (tt_face_get_colorline_stops): Disambiguate shift behavior by using multiplication using macros from ftcalc.h. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50573 | |
|
dcb5fc5b | 2022-08-02 17:10:25 | * src/sfnt/ttload.c: Trace formatting updates. | |
|
919561ca | 2022-07-30 12:09:21 | [sfnt] Implement VarClipBox. * src/sfnt/ttcolr.c (tt_face_get_color_glyph_clipbox): Depending on the format, read `var_index_base`, then retrieve and apply scaled deltas. | |
|
649352ab | 2022-07-30 12:09:09 | [sfnt] Fix typo in clip box computation. * src/sfnt/ttcolr.c (tt_face_get_color_glyph_clipbox): Use appropriate scale factor for `yMin` and `yMax`. | |
|
a3749a64 | 2022-07-29 21:49:51 | Fix compilation if `TT_CONFIG_OPTION_GX_VAR_SUPPORT` is not set. * src/sfnt/ttcolr.c: Protect relevant code with `TT_CONFIG_OPTION_GX_VAR_SUPPORT`. | |
|
38dc768a | 2022-07-29 21:17:06 | Fix clang14 compiler warnings. * include/freetype/internal/ftstream.h (FT_GET_SHORT_LE, FT_GET_USHORT_LE): Fix type. * src/sfnt/ttcolr.c (get_deltas_for_var_index_base): Always return boolean value. (tt_face_get_colorline_stops): Fix type of `var_index_base`. | |
|
275b116b | 2022-07-05 15:16:31 | [sfnt] Support variable 'COLR' v1 `PaintVarSkew*`. * src/sfnt/ttcolr.c (FT_PaintFormat_Internal): New enumeration values `FT_COLR_PAINTFORMAT_INTERNAL_VAR_SKEW`, `FT_COLR_PAINTFORMAT_INTERNAL_SKEW_CENTER`, and `FT_COLR_PAINTFORMAT_INTERNAL_VAR_SKEW_CENTER`. (read_paint): Handle new enumeration values. | |
|
44fd524e | 2022-07-05 15:09:28 | [sfnt] Support variable 'COLR' v1 `PaintVarRotate*`. * src/sfnt/ttcolr.c (FT_PaintFormat_Internal): New enumeration values `FT_COLR_PAINTFORMAT_INTERNAL_VAR_ROTATE` and `FT_COLR_PAINTFORMAT_INTERNAL_VAR_ROTATE_CENTER`. (read_paint): Handle new enumeration values. | |
|
603fef28 | 2022-07-05 14:56:22 | [sfnt] Support 'COLR' v1 variable `PaintVarScale*`. * src/sfnt/ttcolr.c: (FT_PaintFormatInternal): New enumeration values `FT_COLR_PAINTFORMAT_INTERNAL_VAR_SCALE`, `FT_COLR_PAINTFORMAT_INTERNAL_VAR_SCALE_CENTER`, `FT_COLR_PAINTFORMAT_INTERNAL_VAR_SCALE_UNIFORM`, and `FT_COLR_PAINTFORMAT_INTERNAL_VAR_SCALE_UNIFORM_CENTER`. (read_paint): Handle new enumeration values. | |
|
d134b9e3 | 2022-07-05 14:51:48 | [sfnt] Support for 'COLR' v1 variable translate. * src/sfnt/ttcolr.c (FT_PaintFormat_Internal): New enumeration value `FT_COLR_PAINTFORMAT_INTERNAL_VAR_TRANSLATE`. (read_paint): Handle new enumeration value. | |
|
8ec531c2 | 2022-07-05 14:47:57 | [sfnt] Support for 'COLR' v1 variable transforms. * src/sfnt/ttcolr.c (FT_PaintFormat_Internal): New enumeration value `FT_COLR_PAINTFORMAT_INTERNAL_VAR_TRANSFORM`. (read_paint): Handle new enumeration value. | |
|
9c4ad2a9 | 2022-07-05 14:43:10 | [sfnt] Deltas for 'COLR' v1 gradient coordinates. * src/sfnt/ttcolr.c (read_paint) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Read and apply deltas to radial, linear, and sweep gradient coordinates such as 'p0', 'p1', 'p2', 'center', 'radii', and 'angles'. | |
|
3414fef7 | 2022-07-04 16:29:31 | [sfnt] Support variable 'COLR' v1 color lines. * include/freetype/ftcolor.h (FT_ColorStopIterator): Add field `read_variable` to indicate whether a variation index base should be read. * src/sfnt/ttcolr.c: (FT_PaintFormat_Internal): New enumerations `FT_COLR_PAINTFORMAT_INTERNAL_VAR_LINEAR_GRADIENT` `FT_COLR_PAINTFORMAT_INTERNAL_VAR_RADIAL_GRADIENT`, and `FT_COLR_PAINTFORMAT_INTERNAL_VAR_SWEEP_GRADIENT`. (read_color_line): New parameter `read_variable`; update callers. (read_paint): Handle new enumerations. | |
|
7c151abb | 2022-07-04 12:44:06 | [sfnt] Apply variation deltas to `PaintVarSolid`. * src/sfnt/ttcolr.c (FT_PaintFormat_Internal_): New enumeration `FT_COLR_PAINTFORMAT_INTERNAL_VAR_SOLID`. (get_deltas_for_var_index_base) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: New function to retrieve an array of delta values, which will be used for most of 'COLR' v1 variation formats (in follow-up commits). (read_paint): Add `face` parameter; update caller. Handle `FT_COLR_PAINTFORMAT_INTERNAL_VAR_SOLID`. |