When matching the keywords, we avoid calculating their lengths by
checking the stored values. This itself is a sufficient pre-check
before diving into `memcmp`. Therefore, we remove explicit check of
the first characters.
* include/freetype/internal/psaux.h (T1_FieldRec): Store length.
* src/cid/cidload.c (cid_parse_dict): Use `memcmp` and stored length.
* src/type1/t1load.c (parse_dict): Ditto.
* src/type42/t42parse.c (t42_parse_dict): Ditto.
In C it is undefined behavior to call a function through a function pointer
of a different type. This is now detected by the Control Flow Integrity
Sanitizer. All known issues have already been fixed. Prevent any
accidental re-introduction by removing function pointer casts when defining
services. The services will call the service functions through the function
pointers on the service. As a result the functions must have the same type
so there should be no need to cast. Removing the casts allows compilers to
warn about assignment to an incompatible function pointer type.
* cidobjs.c (cid_face_init): Set FT_FACE_FLAG_CID_KEYED.
* cidriver.c (cid_get_is_cid): Comment about the case that
is_cid cannot guarantee the glyph collection specification.
Ensure that all driver functions use the signature of the service or driver.
This avoids pointer mismatches, which are technically undefined behaviour.
Recent compilers are more picky in catching them as part of Control Flow
Integrity tests.
Update cid_get_cid_from_glyph_index() to
return an error and CID=0 in the case that
the specified glyph index points to an invalid
entry.
cidgload.h (cid_compute_fd_and_offsets):
Declare new helper function to set the
fd_select and 2 offsets to access the glyph
description data.
cidgload.c (cid_compute_fd_and_offsets):
Move the part loading fd_select and 2 offsets
from cid_load_glyph() to here. If the loaded
parameters are broken, return the Invalid_Offset
error. This function does not load the glyph
data, only fills these parameters.
(cid_load_glyph): Use new helper function in above.
cidriver.c (cid_get_cid_from_glyph_index):
Check whether the requested glyph index points
to a valid entry, by calling cid_compute_fd_and_offsets().
If it is valid, fill the cid by the glyph
index (=CID). If it is invalid, return an
error and fill the cid by 0.
The t1cid driver catches 3 types of errors in
the charstrings retrieval;
A) The invalid FD number, there are 2 subtypes;
A-1) FD number is the maximum number fitting to FDBytes.
A-2) FD number is greater than num_dicts.
B) Declared length is overrunning.
C) Declared length is invalid (its end is before its head).
Considering that some widely distributed fonts
(e.g., "CJKV" book by O'Reilly) have A-1 errors
in the unimplemented glyphs, the trace level for
A-1 is calmed to level 1.
The errors A-2, B, and C would be irregular;
their trace levels are kept at level 0, but
the updated trace messages include the CID number.
Technically, `strtol` can only be used with C strings terminated with
`\0`. CID data is not generally null-terminated and often does not
contain a `\0` if it is hex-encoded. AddressSanitizer with `ASAN_OPTIONS`
containing `strict_string_checks=1` verifies this by using an adversarial
`strtol` that always reads to the terminating `\0`.
To avoid undefined behavior from `strtol` in `cid_parser_new`, use the
parser to parse the tokens instead of attempting to parse them ad-hoc.
This will internally use `PS_Conv_Strtol` to parse the integer, which
respects the parser's limits and directly implements the PostScript
parsing rules for integers.
* src/cid/cidparse.c (cid_parser_new): Use the parser to parse the
tokens.
Fixes: https://bugs.chromium.org/p/chromium/issues/detail?id=1420329
* src/sfnt/ttcolr.c (FT_PaintFormat_Internal): New enumeration values
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_SKEW`,
`FT_COLR_PAINTFORMAT_INTERNAL_SKEW_CENTER`, and
`FT_COLR_PAINTFORMAT_INTERNAL_VAR_SKEW_CENTER`.
(read_paint): Handle new enumeration values.
Alexei Podtelezhnikov
Werner Lemberg
suzuki toshiya
Ben Wagner
Dominik Röttsches