The new 'hvf' module is a thin wrapper around 'libhvf' with the necessary
boilerplate stuff to integrate it into FreeType. Note that this currently
works on macOS >= 15.4 and iOS >= 18.4 only.
* include/freetype/tttags.h (TTAG_hvgl, TTAG_hvpm): New macros.
* include/freetype/config/ftmodule.h: Add `hvf_driver_class`.
* include/freetype/internal/fttrace.h: Add tracing tags `hvfdrv`, `hvfobjs`,
and `hvfload`.
* include/freetype/internal/services/svfntfmt.h (FT_FONT_FORMAT_HVF): New
macro.
* modules.cfg (FONT_MODULES): Add `hvf` module.
* src/sfnt/sfobjs.c (sfnt_init_face): Handle 'hvgl' table.
* src/hvf/*: New files.
* src/base/src/base/ftobjs.c (ft_glyphslot_alloc_bitmap): Use preset
dimensions and call FT_MEM_ALLOC_MULT.
* include/freetype/internal/ftobjs.h (ft_glyphslot_alloc_bitmap):
Updated signature...
* src/*: ... and all callers.
Problem reported by Marc Schönefeld.
* src/sfnt/ttgpos.c (tt_face_validate_lookup_table, tt_face_load_gpos): Fix
counting of fitting subtables by correctly rejecting invalid data.
The previous code had a fundamental flaw: it didn't validate the necessary
parts of the 'GPOS' table before accessing it, causing crashes with
malformed data (since `TT_CONFIG_OPTION_GPOS_KERNING` is off by default,
standard fuzzers don't catch these problems). Additionally, it did a lot of
parsing while accessing kerning data, making it rather slow.
The new implementation fixes this. After validation, offsets to the 'GPOS'
lookup subtables used in the 'kern' feature that correspond to 'simple'
kerning (i.e., similar to 'kern' table kerning) are stored in `TT_Face`;
this greatly simplifies and accelerates access to the kerning data.
Testing with font `SF-Pro.ttf` version '1.00', the validation time for the
'GPOS' table increases the start-up time of `FT_New_Face` by less than 1%,
while calls to `FT_Get_Kerning` become about 3.5 times faster.
* include/freetype/internal (gpos_kerning_available): Replace with...
(gpos_lookups_kerning, num_gpos_lookups_kerning): ... these new fields.
Update callers.
* src/ttgpos.c [TT_CONFIG_OPTION_GPOS_KERNING]: A new implementation.
Given that we also support (limited) 'GPOS' table kerning if
`TT_CONFIG_OPTION_GPOS_KERNING` is defined, the name of this macro is
misleading since it only is true for 'kern' table kerning.
* src/sfnt/sfobjs.c (sfnt_load_face): Replace `TT_FACE_HAS_KERNING` with
plain code.
If the user explicitly sets variations to `NULL` after they were set to
something else, `face->blend` will still be non-`NULL`. The intention here,
however, is correctly captured by `FT_IS_VARIATION`.
* src/sfnt/ttmtx.c (tt_face_get_metrics): Use `FT_IS_VARIATION`.
* src/sfnt/ttsbit.c (tt_face_load_sbix_image): Currently undocumented by
Apple, this flips the bitmap data horizontally. It is used on macOS in
Apple Color Emoji; 19.4d6e1; 2024-02-05 (file `Apple Color Emoji.ttc`).
Fixes issue #1282.
In 32 bit builds `FT_ULong` is 32 bits and can silently overflow when a
large number is read into one and then it is summed or multiplied with
another number. Checks for range overflow must be written so that they
themselves do not overflow. Also ensure that the table_size is always the
first part of the range check and consistently use `<` or `<=`.
* src/sfnt/ttcolr.c (tt_face_load_colr): Avoid overflow.
(find_base_glyph_v1_record): Remove old work-around.
Bug: https://issues.chromium.org/issues/41495455
Bug: https://issues.chromium.org/issues/40945818
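
The range-check rule from the commit message above, as an added example (not FreeType's code): `ULong32` is a constructed stand-in for a 32-bit `FT_ULong`, and both function names are hypothetical. The naive form accepts a wrapped sum, while the safe form keeps the table size on the left and uses only subtraction and division.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for FT_ULong in a 32-bit build (assumption of this example). */
typedef uint32_t  ULong32;

/* Overflow-prone: both the product and the sum can wrap modulo 2^32. */
static int
range_ok_naive( ULong32  table_size,
                ULong32  offset,
                ULong32  count,
                ULong32  record_size )
{
  return (ULong32)( offset + count * record_size ) <= table_size;
}

/* Overflow-safe: `table_size` comes first, and only subtraction and */
/* division are applied, on values already known to be in range.     */
static int
range_ok_safe( ULong32  table_size,
               ULong32  offset,
               ULong32  count,
               ULong32  record_size )
{
  if ( record_size == 0 )
    return 0;
  if ( table_size < offset )
    return 0;
  if ( ( table_size - offset ) / record_size < count )
    return 0;
  return 1;
}

int
main( void )
{
  /* Constructed values: 0x40000000 records of 4 bytes wrap to 0 bytes. */
  printf( "naive: %d, safe: %d\n",
          range_ok_naive( 1000, 100, 0x40000000UL, 4 ),
          range_ok_safe ( 1000, 100, 0x40000000UL, 4 ) );
  return 0;
}
```
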
The upper limit of 4095 is implied by the SFNT header format
where the multiplication by 16 would overflow without it.
* src/sfnt/sfwoff.c (woff_open_font): Updated.
* src/sfnt/sfwoff2.c (woff2_open_font): Ditto.
The existing code already disallows zero table woff2 overall, but still
allows for individual CollectionFontEntry to create font instances with
zero tables. Such fonts are not useful so error early.
This also fixes an MSAN discovered issue where if a CollectionFontEntry
numTables is zero then the sfnt_header was not fully initialized.
* src/sfnt/sfwoff2.c (woff2_open_font): error on zero tables, always
initialize sfnt_header
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68384
This commit adds support for kerning from 'GPOS' tables, while maintaining
support for basic 'kern' tables. `FT_HAS_KERNING` will be true for a font
with either available and `FT_Get_Kerning` will still use the basic 'kern'
table data if available, otherwise check the GPOS 'kern' feature.
This feature is disabled by default; it can be enabled with the
`TT_CONFIG_OPTION_GPOS_KERNING` flag.
Only basic kerning (pair positioning with just an x advance) is supported
from the GPOS layout features; support for that was added to make the
existing `FT_Get_Kerning` API more consistently functional. FreeType does
not intend to extend itself to further GPOS functionality though; a
higher-level library like HarfBuzz can be used instead for that.
* include/freetype/config/ftoption.h, include/devel/ftoption.h
(TT_CONFIG_OPTION_GPOS_KERNING): New configuration option.
* include/freetype/internal/fttrace.h: Add `ttgpos` trace handler.
* include/freetype/internal/sfnt.h (SFNT_Interface): Add `load_gpos` and
`get_gpos_kerning` fields.
(FT_DEFINE_SFNT_INTERFACE): Updated.
* include/freetype/internal/tttypes.h: Include `fttypes.h`.
(TT_FaceRec) [TT_CONFIG_OPTION_GPOS_KERNING]: Add `gpos_table` and
`gpos_kerning_available` fields.
* src/sfnt/ttgpos.c, src/sfnt/ttgpos.h: New files.
* src/sfnt/sfdriver.c [TT_CONFIG_OPTION_GPOS_KERNING]: Include `ttgpos.h`.
(sfnt_interface): Updated.
* src/sfnt/sfnt.c: Include `ttgpos.c`.
* src/sfnt/sfobjs.c [TT_CONFIG_OPTION_GPOS_KERNING]: Include `ttgpos.h`.
(sfnt_load_face) [TT_CONFIG_OPTION_GPOS_KERNING]: Load and free GPOS kerning
data; check GPOS kerning availability.
* src/truetype/ttdriver.c (tt_get_kerning): Use GPOS kerning if there's no
'kern' table.
A font has surfaced with `post` version 1.0 and fewer than 258 glyphs.
Its glyphs did not correspond to their names. We now reject such `post`
strictly following specifications.
* src/sfnt/ttpost.c (tt_face_get_ps_name): Check the number of glyphs
for version 1.0.
Reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=1505216
* src/sfnt/ttcolr.c (find_base_glyph_v1_record): Guard access of the search
pointer during binary search. The pointer needs to be checked as we go as
the test that compares number of v1 glyphs with table size at the time of
loading the table is not sufficient on its own.
A scenario is possible in which the `BaseGlyphRecord` list extends into
non-`BaseGlyphRecord` parts of the 'COLR' v1 table (but passed the size
comparison check). Then, at those locations, invalid glyph ID values are
read and may provoke an invalid read due to reassigning min and max values
during the binary search.
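
A simplified illustration of guarding each probe of a binary search against the end of the table, as described in the commit message above. This is an added example, not FreeType's code: the function name, the 6-byte record layout, the sample bytes, and the convention of returning 0 on failure are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>

#define RECORD_SIZE  6U  /* assumed: 16-bit glyph ID + 32-bit paint offset */

/* Constructed table: 4 header bytes, then records for glyphs 5, 9, 20. */
static const uint8_t  sample[] =
{
  0, 0, 0, 0,
  0x00, 0x05,  0x00, 0x00, 0x01, 0x00,
  0x00, 0x09,  0x00, 0x00, 0x02, 0x00,
  0x00, 0x14,  0x00, 0x00, 0x03, 0x00
};

/* Return the paint offset for `gid`, or 0 if the glyph is absent or a */
/* probe would read past the end of the table.                         */
static uint32_t
find_record( const uint8_t*  table, size_t  table_size,
             size_t  list_offset, uint32_t  num_records, uint16_t  gid )
{
  uint32_t  min = 0, max = num_records;

  if ( table_size < list_offset )
    return 0;

  while ( min < max )
  {
    uint32_t        mid = min + ( max - min ) / 2;
    const uint8_t*  p;
    uint16_t        cur;

    /* Guard every probe: record `mid` must lie fully inside the table. */
    if ( ( table_size - list_offset ) / RECORD_SIZE <= mid )
      return 0;

    p   = table + list_offset + (size_t)mid * RECORD_SIZE;
    cur = (uint16_t)( ( p[0] << 8 ) | p[1] );

    if ( cur < gid )
      min = mid + 1;
    else if ( cur > gid )
      max = mid;
    else
      return ( (uint32_t)p[2] << 24 ) | ( (uint32_t)p[3] << 16 ) |
             ( (uint32_t)p[4] << 8 ) | p[5];
  }
  return 0;
}
```

With a record count that overstates the real list (6 instead of 3 here), the first probe at index 3 is rejected before any byte outside `sample` is read.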