Werner Lemberg
4261e497d8
* src/truetype/ttgxvar.c (FT_Stream_SeekSet): Fix warning ( #51395 ).
8 years ago
Werner Lemberg
1c85479d2d
[truetype] Prevent address overflow ( #51365 ).
...
* src/truetype/ttgxvar.c (FT_Stream_SeekSet): Add guard.
8 years ago
Alexei Podtelezhnikov
c56d8851ea
* src/base/ftlcdfil.c (ft_lcd_filter_fir): Improve code.
8 years ago
Werner Lemberg
ca799e9be5
[truetype] Integer overflow.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2455
* src/truetype/ttinterp.c (Ins_SCFS): Use SUB_LONG.
8 years ago
Alexei Podtelezhnikov
abeb28f161
* src/sfnt/sfobjs.c (sfnt_load_face): Ignore No_Unicode_Glyph_Name.
8 years ago
Ben Wagner
7819aeb622
Avoid Microsoft compiler warnings ( #51331 ).
...
While clang's sanitizer recommends a cast to unsigned for safe
negation (to handle -INT_MIN), both MSVC and Visualc emit warning
C4146 if an unsigned value gets negated.
* include/freetype/internal/ftcalc.h (NEG_LONG, NEG_INT32),
src/base/ftcalc.c (FT_MOVE_SIGN): Replace negation with a
subtraction.
8 years ago
Werner Lemberg
2e7bb5e825
* src/cff/cffparse.c (do_fixed): Fix typo.
...
Spotted by chris <chris@gcjd.org>.
8 years ago
Werner Lemberg
dde8f5abbe
[truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2384
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2391
* src/base/ftcalc.c (FT_MulDiv, FT_MulDiv_No_Round, FT_DivFix): Use
NEG_LONG.
* src/truetype/ttinterp.c (Ins_SxVTL): Use NEG_LONG.
8 years ago
Werner Lemberg
b27cef27ff
[truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2364
* src/truetype/ttinterp.c (Ins_ISECT): Use NEG_LONG.
8 years ago
Werner Lemberg
298e2ea5a6
[cff, truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2323
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2328
* src/cff/cf2blues.c (cf2_blues_capture): Use ADD_INT32 and
SUB_INT32.
* src/truetype/ttinterp.c (Ins_SDPVTL): Use SUB_LONG and NEG_LONG.
8 years ago
Alexei Podtelezhnikov
75cb071b3f
[sfnt] Synthesize a Unicode charmap if one is missing.
...
* src/sfnt/ttcmap.h (tt_cmap_unicode_class_rec): Declare it.
* src/sfnt/ttcmap.c (tt_get_glyph_name, tt_cmap_unicode_init,
tt_cmap_unicode_done, tt_cmap_unicode_char_index,
tt_cmap_unicode_char_next, tt_cmap_unicode_class_rec): Implement
synthetic Unicode charmap class.
(tt_get_cmap_info): Make sure the callback is available.
* src/sfnt/sfobjs.c (sfnt_load_face)
[FT_CONFIG_OPTION_POSTSCRIPT_NAMES]: If Unicode charmap is missing,
synthesize one.
* include/freetype/config/ftoption.h: Document it.
* devel/ftoption.h: Ditto.
8 years ago
Werner Lemberg
390048fa46
Remove deprecated comment.
8 years ago
Tony Theodore
c8829e4bc1
Fix pkg-config in freetype-config for cross-compiling ( #51274 ).
...
* builds/unix/unix-def.in (PKG_CONFIG): New variable.
(freetype-config): Use it in sed expression.
* builds/unix/freetype-config.in: s/pkg-config/%PKG_CONFIG%/.
8 years ago
Werner Lemberg
8c763fb1be
[cff, truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2300
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2313
* src/cff/cf2hints.c (cf2_hintmap_adjustHints): Use ADD_INT32.
* src/truetype/ttinterp.c (Ins_ABS): Avoid FT_ABS.
8 years ago
Alexei Podtelezhnikov
7b7278334c
[base, smooth] LCD filtering cleanups.
...
* src/base/ftlcdlil.c (ft_lcd_filter_fir, _ft_lcd_filter_legacy):
Clean up, start filtering from the bottom-left origin.
* src/smooth/ftsmooth.c (ft_smooth_render_generic): Updated.
8 years ago
Werner Lemberg
4dc00cf5c0
[truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2270
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2278
* src/truetype/ttinterp.c (Ins_MDRP, _iup_worker_interpolate): Use
ADD_LONG and SUB_LONG.
8 years ago
Werner Lemberg
dbeb7bce7f
[bdf, cff] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2244
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2261
* src/bdf/bdfdrivr.c (BDF_Face_Init): Replace calls to FT_ABS with
direct code to avoid value negation.
* src/cff/cf2blues.c (cf2_blues_capture): Use SUB_INT32 and
ADD_INT32.
8 years ago
Werner Lemberg
79e3789f81
* src/winfonts/winfnt.c (FNT_Face_Init): Don't set active encoding.
...
FreeType only sets a default active encoding for Unicode.
8 years ago
Werner Lemberg
5c402d97af
[cff, truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2216
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2218
* src/cff/cf2fixed.h (cf2_fixedAbs): Use NEG_INT32.
* src/truetype/ttinterp.c (Ins_IP): Use SUB_LONG.
8 years ago
Werner Lemberg
3ed3a96181
[cff] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2200
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2210
* src/cff/cf2hints.c (cf2_hintmap_insertHint): Use SUB_INT32 and
ADD_INT32.
* src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdVMOVETO>: Use
ADD_INT32.
8 years ago
Werner Lemberg
5f2a72cbc7
[truetype] Fix TT_Set_Var_Design.
...
Reported by Nikolaus Waxweiler <madigens@gmail.com>.
* src/truetype/ttgxvar.c (TT_Set_Var_Design): Correctly handle the
case where we have less input coordinates than axes.
8 years ago
Werner Lemberg
2c4fba9c91
* src/base/ftcalc.c (FT_DivFix): Fix embarrassing typo.
...
Bug introduced 2017-05-28.
8 years ago
Werner Lemberg
9038837ee2
[cff, truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2144
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2151
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2153
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2173
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2186
* src/cff/cf2blues.c (cf2_blues_init): Use SUB_INT32.
* src/truetype/ttinterp.c (Round_None, Round_To_Grid,
Round_To_Half_Grid, Round_Down_To_Grid, Round_Up_To_Grid,
Round_To_Double_Grid, Round_Super, Round_Super_45): Use ADD_LONG,
SUB_LONG, NEG_LONG, FT_PIX_ROUND_LONG, FT_PIX_CEIL_LONG,
FT_PAD_ROUND_LONG
(Ins_SxVTL, Ins_MIRP): Use SUB_LONG.
(_iup_worker_shift): Use SUB_LONG and ADD_LONG.
8 years ago
Werner Lemberg
96d26926d1
Provide more macros for flooring, ceiling, and rounding.
...
These versions don't produce run-time errors due to integer
overflow.
* include/freetype/internal/ftobjs.h: Include FT_INTERNAL_CALC_H.
(FT_PAD_ROUND_LONG, FT_PAD_CEIL_LONG, FT_PIX_ROUND_LONG,
FT_PIX_CEIL_LONG): New macros.
(FT_PAD_ROUND_INT32, FT_PAD_CEIL_INT32, FT_PIX_ROUND_INT32,
FT_PIX_CEIL_INT32): New macros.
8 years ago
Werner Lemberg
faf34d29e2
Remove unused macros.
...
* include/freetype/internal/ftcalc.h (ADD_INT, SUB_INT, MUL_INT,
NEG_INT): Deleted.
8 years ago
Werner Lemberg
dcd8de272f
*/*: Remove `OVERFLOW_' prefix.
...
This increases readability.
8 years ago
Werner Lemberg
7bffeacd7e
[cff, truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2133
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2137
* src/cff/cf2hints.c (cf2_hint_init): Use OVERFLOW_SUB_INT32.
* src/truetype/ttinterp.c (PROJECT, DUALPROJ): Use
OVERFLOW_SUB_LONG.
8 years ago
Werner Lemberg
24848a3d58
[cff] Integer overflow.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2109
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2110
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2122
* src/cff/cf2blues.c (cf2_blues_init): Use OVERFLOW_SUB_INT32.
* src/cff/cf2hints.c (cf2_hintmap_map): Synchronize if-else
branches.
8 years ago
Werner Lemberg
8667042997
[cff] Integer overflow.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2089
* src/cff/cffload.c (cff_blend_doBlend): User OVERFLOW_ADD_INT32.
8 years ago
Werner Lemberg
9fa8a2997f
[cff, truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2075
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2088
* src/cff/cf2font.c (cf2_font_setup): Use OVERFLOW_MUL_INT32.
* src/truetype/ttinterp.c (Ins_ISECT): Use OVERFLOW_MUL_LONG,
OVERFLOW_ADD_LONG, and OVERFLOW_SUB_LONG.
8 years ago
Werner Lemberg
addb2dddb6
[base, cff, truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2060
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2062
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2063
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2068
* src/base/ftobjs.c (ft_glyphslot_grid_fit_metrics): Use
OVERFLOW_ADD_LONG and OVERFLOW_SUB_LONG.
* src/cff/cf2blues.c (cf2_blues_capture), src/cff/cf2hints.c
(cf2_hintmap_adjustHints): Use OVERFLOW_SUB_INT32.
* src/truetype/ttgload.c (compute_glyph_metrics): User
OVERFLOW_SUB_LONG.
* src/truetype/ttinterp.c (Direct_Move, Direct_Move_Orig,
Direct_Move_X, Direct_Move_Y, Direct_Move_Orig_X,
Direct_Move_Orig_Y, Move_Zp2_Point, Ins_MSIRP): Use
OVERFLOW_ADD_LONG and OVERFLOW_SUB_LONG.
8 years ago
Werner Lemberg
c9a9cf5915
* builds/unix/freetype-config.in: Fix pkg-config test ( #51162 ).
...
Patch directly taken from bug report.
8 years ago
Werner Lemberg
2c2e6403b7
[bdf] Synchronize sanity checks with pcf driver.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2054
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2058
* src/bdf/bdfdrivr.c (BDF_Face_Init): Check font ascent and descent.
Check AVERAGE_WIDTH, POINT_SIZE, PIXEL_SIZE, RESOLUTION_X, and
RESOLUTION_Y properties.
8 years ago
Werner Lemberg
1ea343228d
[cff, truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2047
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2057
* src/cff/cf2hints.c (cf2_hintmap_map): Use OVERFLOW_SUB_INT32.
* src/truetype/ttinterp.c (Ins_ADD): Use OVERFLOW_ADD_LONG.
(Ins_SUB): Use OVERFLOW_SUB_LONG.
(Ins_NEG): Use NEG_LONG.
8 years ago
Werner Lemberg
c5a225413f
ftcalc.h: Avoid left-shift of negative numbers.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2055
* include/freetype/internal/ftcalc.h (INT_TO_F26DOT6,
INT_TO_F2DOT14, INT_TO_FIXED, F2DOT14_TO_FIXED): Use multiplication.
8 years ago
Werner Lemberg
0716c6ab7a
[cff] Even more integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2046
* src/cff/cf2intrp.c (cf2_doStems, cf2_interpT2CharString): Use
OVERFLOW_ADD_INT32.
8 years ago
Werner Lemberg
7a4276fb90
[cff] More integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2032
* src/cff/cf2blues.c (cf2_blues_init): Use OVERFLOW_SUB_INT32.
8 years ago
Werner Lemberg
03b0cc2ea9
[bdf] Don't left-shift negative numbers.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2031
* src/bdf/bdfdrivr.c (BDF_Face_Init): Use multiplication.
8 years ago
Werner Lemberg
47a03e9b23
[bdf] Fix integer scanning routines.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2029
* src/bdf/bdflib.c (_bdf_atoul, _bdf_atol, _bdf_atous, _bdf_atos):
Stop scanning if result would overflow.
8 years ago
Werner Lemberg
3802ca8b64
[cff] Fix integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2027
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2028
* src/cff/cf2hints.c (cf2_hintmap_insertHint), src/cff/cf2intrp.c
(cf2_doFlex): Use OVERFLOW_ADD_INT32 and OVERFLOW_SUB_INT32.
8 years ago
Werner Lemberg
cd02d359a6
[smooth] Some 32bit integer overflow run-time errors.
...
* src/smooth/ftgrays.c [STANDALONE] (OVERFLOW_ADD_LONG,
OVERFLOW_SUB_LONG, OVERFLOW_MUL_LONG, NEG_LONG): New macros.
[!STANDALONE]: Include FT_INTERNAL_CALC_H.
(gray_render_cubic): Use those macros where appropriate.
8 years ago
Werner Lemberg
a607e3919d
Minor comment.
8 years ago
Werner Lemberg
0ad3262366
* src/base/ftglyph.c (FT_Get_Glyph): Check `slot->advance'.
8 years ago
Werner Lemberg
4a1f1a6d2a
[psaux] 32bit integer overflow tun-time errors ( #46149 ).
...
* src/psaux/t1decode.c (t1_decoder_parse_charstrings): Use
OVERFLOW_ADD_LONG and OVERFLOW_SUB_LONG where appropriate.
8 years ago
Werner Lemberg
8d435c463d
* src/truetype/ttinterp.c (TT_RunIns): Adjust loop counter again.
...
Problem reported by Marek Kašík <mkasik@redhat.com>.
The problematic font that exceeds the old limit is Padauk-Bold,
version 3.002, containing bytecode generated by a buggy version of
ttfautohint.
8 years ago
Werner Lemberg
e66d7300fe
[cff] 32bit integer overflow run-time errors 2/2 ( #46149 ).
...
This commit handles the new engine.
* include/freetype/internal/ftcalc.h (OVERFLOW_ADD_INT32,
OVERFLOW_SUB_INT32, OVERFLOW_MUL_INT32, NEG_INT, NEG_LONG,
NEG_INT32): New macros.
* src/cff/cf2ft.c (cf2_getScaleAndHintFlag): Use OVERFLOW_ADD_INT32.
* src/cff/cf2hints.c (cf2_getWindingMomentum, cf2_hint_init,
cf2_hintmap_map, cf2_glyphpath_hintPoint,
cf2_glyphpath_computeIntersection, cf2_glyphpath_computeOffset,
cf2_glyphpath_lineTo, cf2_glyphpath_curveTo): Use
OVERFLOW_ADD_INT32, OVERFLOW_SUB_INT32, OVERFLOW_MUL_INT32, and
NEG_INT32 where appropriate.
* src/cff/cf2intrp.c (cf2_doFlex, cf2_doBlend,
cf2_interpT2CharString): Ditto.
Also add some other code where needed to avoid overflow.
8 years ago
Werner Lemberg
9b710cd56e
[cff] 32bit integer overflow run-time errors 1/2 ( #46149 ).
...
This commit handles the old engine.
* src/cff/cffgload.c: Include FT_INTERNAL_CALC_H.
(cff_decoder_parse_charstrings): Use OVERFLOW_ADD_LONG and
OVERFLOW_SUB_LONG where needed.
* src/cff/cffparse.c: Include FT_INTERNAL_CALC_H.
(power_ten_limits): New static array.
(do_fixed): Use it to prevent multiplication overflow.
(cff_parser_run): Use OVERFLOW_ADD_LONG.
8 years ago
Werner Lemberg
0e7b9f864f
[psaux] Correctly handle sequences of multiple number signs.
...
* src/psaux/psconv.c (PS_Conv_Strtol, PS_Conv_ToFixed): Return zero
if we encounter more than a single sign.
8 years ago
Werner Lemberg
f01463297f
[pcf] 32bit integer overflow run-time errors ( #46149 ).
...
* src/pcf/pcfread.c (pcf_get_accel): Add sanity checks for
`fontAscent' and `fontDescent'.
(pcf_load_font): Add sanity checks for global height.
Add sanity checks for AVERAGE_WIDTH, POINT_SIZE, PIXEL_SIZE,
RESOLUTION_X, and RESOLUTION_Y properties.
8 years ago
Werner Lemberg
fbe2fe4c75
Handle some integer overflow run-time errors ( #46149 , #48979 ).
...
This commit (mainly for 32bit CPUs) is the first of a series of
similar commits to handle known integer overflows. Basically, all
of them are harmless, since they affect rendering of glyphs only,
not posing security threats. It is expected that fuzzying will show
up more overflows, to be fixed in due course.
The idea is to mark places where overflows can occur, using macros
that simply cast to unsigned integers, because overflow arithmetic
is well defined in this case. Doing so suppresses run-time errors
of sanitizers without adding computational overhead.
* include/freetype/internal/ftcalc.h (OVERFLOW_ADD_INT,
OVERFLOW_SUB_INT, OVERFLOW_MUL_INT, OVERFLOW_ADD_LONG,
OVERFLOW_SUB_LONG, OVERFLOW_MUL_LONG): New macros.
* src/base/ftcalc.c (FT_RoundFix, FT_CeilFix, FT_Matrix_Multiply,
FT_Matrix_Multiply_Scaled, FT_Vector_Transform_Scaled,
ft_corner_orientation): Use new macros.
* src/base/ftoutln.c (FT_Outline_Get_Orientation): Use new macros.
8 years ago