Snap for 4539010 from 5630ddfdfd2e99818194d18f59ef5cb487e9f1bf to pi-release
Change-Id: Ibb58478355871b1290a6a8c4463575681d0a6cc0
diff --git a/ChangeLog b/ChangeLog
index 091724f..7eda9f8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,345 @@
+2017-03-30 Werner Lemberg <wl@gnu.org>
+
+ [truetype] Fix HVAR and VVAR handling (#50678).
+
+ * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Handle
+ glyph indices larger than `mapCount' as described in the
+ specification.
+
+2017-03-30 Werner Lemberg <wl@gnu.org>
+
+ [truetype] Allow linear scaling for unhinted rendering (#50470).
+
+ * src/truetype/ttdriver.c (tt_size_request): Revert change from
+ 2011-07-16; the intended metrics fix seems now to be implemented in
+ a different way, making the patch unnecessary. Note that this
+ change was usually patched out by all major GNU/Linux distributions
+ due to heavy side effects.
+
+ * src/truetype/ttgload.c (compute_glyph_metrics, TT_Load_Glyph):
+ Refer to the metrics of the `TT_Size' object.
+
+2017-03-29 Werner Lemberg <wl@gnu.org>
+
+ [truetype] Fix thinko related to PS name of default named instance.
+
+ * src/truetype/ttgxvar.c (TT_Get_MM_Var): `strid' and `psid' are
+ name ID values, not indices into the array of name entries.
+
+2017-03-27 Werner Lemberg <wl@gnu.org>
+
+ [cid, truetype] Don't use `index' as a variable name.
+
+ At least on FreeBSD there is a global declaration of `index' in file
+ `/usr/include/strings.h'.
+
+ * src/cff/cf2intrp.c, src/truetype/ttgload.c: s/index/idx/ where
+ appropriate.
+
+2017-03-27 Wojciech Mamrak <wmamrak@gmail.com>
+
+ [sfnt] Minor improvement for handling kern tables.
+
+ * src/sfnt/ttkern.c (tt_face_load_kern): Don't check for
+ cross-stream kerning tables since we reject format 2 tables later
+ on anyways.
+ Modify code for limit test...
+ (tt_face_get_kerning): ... to avoid a limit test here.
+
+2017-03-27 Werner Lemberg <wl@gnu.org>
+
+ [pcf] Fix compiler warnings.
+
+ Reported by Alexander Hedges <ahedges@student.ethz.ch>.
+
+ * src/pcf/pcfdrivr.c (pcf_property_set, pcf_property_get): Tag
+ `property_name' with `FT_UNUSED' where necessary.
+
+2017-03-26 Werner Lemberg <wl@gnu.org>
+
+ * src/psaux/psobjs.c (t1_builder_close_contour): Add safety guard.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941
+
+2017-03-23 Werner Lemberg <wl@gnu.org>
+
+ [psaux] Better protect `flex' handling.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
+
+ * src/psaux/t1decode.c (t1_decoder_parse_charstrings)
+ <callothersubr>: Since there is not a single flex operator but a
+ series of subroutine calls, malformed fonts can call arbitrary other
+ operators after the start of a flex, possibly adding points. For
+ this reason we have to check the available number of points before
+ inserting a point.
+
+2017-03-23 Werner Lemberg <wl@gnu.org>
+
+ [sfnt] Fix check for default named instance.
+
+ * src/sfnt/sfobjs.c (sfnt_init_face): A `fixed' number needs four
+ bytes, not two...
+
+2017-03-23 Werner Lemberg <wl@gnu.org>
+
+ Make MM fonts work (again).
+
+ * src/base/ftmm.c (FT_Set_Var_Design_Coordinates,
+ FT_Set_MM_Blend_Coordinates, FT_Set_Var_Blend_Coordinates): Ignore
+ return value of `ft_face_get_mvar_service'; instead, check whether a
+ service is actually returned.
+
+2017-03-20 Werner Lemberg <wl@gnu.org>
+
+ [truetype] Some variable renamings.
+
+ Too much local variables holding different structures were called
+ `metrics'.
+
+ * src/truetype/ttdriver.c (tt_size_select): s/metrics/size_metrics/.
+
+ * src/truetype/ttgload.c (tt_get_metrics_incr_overrids,
+ compute_glyph_metrics): s/metrics/incr_metrics/.
+ (load_sbit_image): s/metrics/sbit_metrics/.
+
+ * src/truetype/ttobjs.c (tt_size_run_fpgm): s/metrics/size_metrics/.
+ (tt_size_init_bytecode): s/metrics/tt_metrics/.
+ (tt_size_reset): s/metrics/size_metrics/.
+
+2017-03-20 Werner Lemberg <wl@gnu.org>
+
+ [sfnt] Don't add instances to non-variation fonts.
+
+ * src/sfnt/sfobjs.c (sfnt_init_face): Fix it.
+
+2017-03-20 Werner Lemberg <wl@gnu.org>
+
+ * src/cff/cffgload.c (cff_builder_init): Add safety guard (#50578).
+
+2017-03-18 Werner Lemberg <wl@gnu.org>
+
+ Introduce FT_UINT_TO_POINTER macro (#50560).
+
+ We have to make a separate case for Windows 64's LLP64 data model.
+
+ * builds/unix/ftconfig.in, builds/vms/ftconfig.h,
+ include/freetype/config/ftconfig.h (FT_UINT_TO_POINTER): New macro.
+
+ * src/truetype/ttgload.c (load_truetype_glyph): Use it.
+
+2017-03-18 Werner Lemberg <wl@gnu.org>
+
+ * src/truetype/ttinterp.c (TT_RunIns): Adjust loop counter (#50573).
+
+ The problematic font that exceeds the old limit is Lato-Regular,
+ version 2.007, containing bytecode generated by a buggy version of
+ ttfautohint.
+
+2017-03-18 Werner Lemberg <wl@gnu.org>
+
+ [truetype] Another limitation for bytecode loop count maximum.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=900
+
+ * src/truetype/ttinterp.c (TT_RunIns): Limit `loopcall_counter_max'
+ by number of glyphs also.
+
+2017-03-18 Werner Lemberg <wl@gnu.org>
+
+ [ftfuzzer] Minor improvement.
+
+ * src/tools/ftfuzzer/ftfuzzer.cc: Don't set intermediate axis if
+ bitmap strikes are active.
+
+2017-03-18 Werner Lemberg <wl@gnu.org>
+
+ Improve `make multi'.
+
+ * src/autofit/aflatin2.c: Guard file with FT_OPTION_AUTOFIT2.
+
+ * src/base/ftmac.c: Guard more parts of the file with FT_MACINTOSH.
+
+ * src/psaux/afmparse.c: Guard file with T1_CONFIG_OPTION_NO_AFM.
+
+ * src/sfnt/pngshim.c: Guard file with
+ TT_CONFIG_OPTION_EMBEDDED_BITMAPS also.
+
+ * src/sfnt/ttbdf.c: Avoid empty source file.
+ * src/sfnt/ttpost.c: Guard file with
+ TT_CONFIG_OPTION_POSTSCRIPT_NAMES.
+ * src/sfnt/ttsbit.c: Guard file with
+ TT_CONFIG_OPTION_EMBEDDED_BITMAPS.
+
+ * src/truetype/ttgxvar.c, src/truetype/ttinterp.c: Avoid empty
+ source file.
+
+ * src/truetype/ttsubpix.c: Guard file with
+ TT_USE_BYTECODE_INTERPRETER also.
+
+ * src/type1/t1afm.c: Guard file with T1_CONFIG_OPTION_NO_AFM.
+
+ * src/autofit/autofit.c, src/base/ftbase.c, src/cache/ftcache.c,
+ src/cff/cff.c, src/cid/type1cid.c, src/gxvalid/gxvalid.c,
+ src/pcf/pcf.c, src/pfr/pfr.c, src/psaux/psaux.c,
+ src/pshinter/pshinter.c, src/psnames/psnames.c, src/raster/raster.c,
+ src/sfnt/sfnt.c, src/smooth/smooth.c, src/truetype/truetype.c,
+ src/type1/type1.c, src/type42/type42.c: Remove conditionals; sort
+ entries.
+
+2017-03-17 Werner Lemberg <wl@gnu.org>
+
+ Fixes for conditional compilation.
+
+ * src/autofit/afcjk.c, src/autofit/afindic.c: Include `afcjk.h'
+ earlier.
+
+ * src/sfnt/sfobjs.c (sfnt_init_face): Put `memory' variable into
+ TT_CONFIG_OPTION_GX_VAR_SUPPORT block.
+ (sfnt_done_face): Protect some code with
+ TT_CONFIG_OPTION_GX_VAR_SUPPORT.
+
+ * src/sfnt/ttsbit.c (tt_face_load_sbix_image): Remove compiler
+ warning.
+
+ * src/truetype/ttgload.c (TT_Load_Simple_Glyph): Put `tmp' variable
+ into TT_USE_BYTECODE_INTERPRETER block.
+
+ (tt_loader_init): Put `error' variable into
+ TT_USE_BYTECODE_INTERPRETER block.
+
+2017-03-17 Werner Lemberg <wl@gnu.org>
+
+ Fix preprocessor warning.
+
+ * devel/ftoption.h, include/freetype/config/ftoption.h: Test whether
+ TT_CONFIG_OPTION_SUBPIXEL_HINTING is defined before checking its
+ value.
+
+2017-03-17 Werner Lemberg <wl@gnu.org>
+
+ `make multi' fixes; compiler warnings.
+
+ * src/base/ftsnames.c: Include FT_INTERNAL_DEBUG_H.
+
+ * src/cff/cffobjs.c [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Include
+ FT_MULTIPLE_MASTERS_H and FT_SERVICE_MULTIPLE_MASTERS_H.
+
+ * src/sfnt/sfdriver.c [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Include
+ FT_MULTIPLE_MASTERS_H and FT_SERVICE_MULTIPLE_MASTERS_H.
+ (get_win_string, get_apple_string): Initialize `result'.
+
+2017-03-17 Dave Arnold <darnold@adobe.com>
+
+ [cff] Fix potential bugs in default NDV for CFF2.
+
+ * src/cff/cffload.c (cff_blend_build_vector): Explicitly build blend
+ vector when `lenNDV' is zero; don't rely on zero-init.
+ Save `lenNDV' as part of cache key even when `lenNDV' is zero.
+
+2017-03-17 Dave Arnold <darnold@adobe.com>
+
+ [cff] Fix CFF2 stack allocation.
+
+ * src/cff/cffparse.c (cff_parser_init) add 1 for operator.
+
+2017-03-16 Werner Lemberg <wl@gnu.org>
+
+ * src/truetype/ttgxvar.c (tt_done_blend): Free `vvar_table'.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=883
+
+2017-03-15 Werner Lemberg <wl@gnu.org>
+
+ Remove clang compiler warnings (#50548).
+
+ * include/freetype/internal/tttypes.h (TT_FaceRec): Make
+ `var_postscript_prefix_len' unsigned.
+
+ * src/autofit/afwarp.c (af_warper_compute_line_best): Remove
+ redundant assignment.
+
+ * src/cff/cffload.c (cff_subfont_load): Add casts.
+
+ * src/cff/cffparse.c (cff_parse_blend): Remove redundant assignment.
+
+ * src/sfnt/sfdriver.c (fmix32, murmur_hash_3_128): Add `static'
+ keyword.
+ Add casts.
+ (fixed2float): Add cast.
+ (sfnt_get_var_ps_name): Make `p' always initialized.
+ Add casts.
+
+ * src/truetype/ttgxvar.c (TT_Get_MM_Var): Add casts.
+
+2017-03-15 Werner Lemberg <wl@gnu.org>
+
+ [ftfuzzer] Limit number of tested faces and instances.
+
+ This is inspired by the discussion in and analysis of
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=859
+
+ * src/tools/ftfuzzer/ftfuzzer.cc (LLVMFuzzerTestOneInput): Use only
+ up to 20 face indices.
+ Use only up to 20 instance indices.
+
+2017-03-15 Werner Lemberg <wl@gnu.org>
+
+ * src/tools/ftfuzzer/ftfuzzer.cc: Improve readability; formatting.
+
+2017-03-14 Werner Lemberg <wl@gnu.org>
+
+ [sfnt] Implement PS names for font instances [3/3].
+
+ Everything is guarded with TT_CONFIG_OPTION_GX_VAR_SUPPORT.
+
+ * include/freetype/internal/tttypes.h (TT_FaceRec): New fields
+ `var_postscript_prefix' and `var_postscript_prefix_len'.
+
+ * src/sfnt/sfdriver.c: Include FT_TRUETYPE_IDS_H.
+ (sfnt_is_alphanumeric): New wrapperfunction for `ft_isalnum'.
+ (get_win_string, get_apple_string): Remove `const' from return
+ value.
+ (MAX_VALUE_DESCRIPTOR_LEN, MAX_PS_NAME_LEN): New macros.
+ (hexdigits): New array.
+ (sfnt_get_var_ps_name): New function, implementing Adobe TechNote
+ 5902 to construct a PS name for a variation font instance.
+ (sfnt_get_ps_name): Call `sfnt_get_var_ps_name' for font instances.
+
+ * src/sfnt/sfobjs.c (sfnt_done_face): Updated.
+
+ * src/truetype/ttgxvar.c (tt_set_mm_blend): Reset
+ `face->postscript_name' to trigger recalculation for new instance
+ parameters.
+
+2017-03-14 Werner Lemberg <wl@gnu.org>
+
+ [sfnt] Implement PS names for font instances [2/3].
+
+ * src/sfnt/sfdriver.c (fix2float) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]:
+ New function to find the shortest representation of a 16.16
+ fractional number.
+
+2017-03-14 Werner Lemberg <wl@gnu.org>
+
+ [sfnt] Implement PS names for font instances [1/3].
+
+ Add 128bit MurmurHash 3 function.
+
+ Everything is guarded with TT_CONFIG_OPTION_GX_VAR_SUPPORT.
+
+ * src/sfnt/sfdriver.c (ROTL32): New macro.
+ (fmix32, murmur_hash_3_128): New functions.
+
2017-03-13 Werner Lemberg <wl@gnu.org>
[truetype] Ignore invalid MVAR tags.
diff --git a/README.android b/README.android
index d97d32d..752fd6e 100644
--- a/README.android
+++ b/README.android
@@ -20,4 +20,15 @@
The following option is enabled to support color fonts.
- FT_CONFIG_OPTION_USE_PNG
\ No newline at end of file
+ FT_CONFIG_OPTION_USE_PNG
+
+HOW TO UPDATE
+* Check out external/freetype to <checkout_dir>
+ ex: git clone https://android.googlesource.com/platform/external/freetype
+* Locate the commit you'd like to move.
+ ex: for 2.8.1: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?h=VER-2-8-1&id=39ce3ac499d4cd7371031a062f410953c8ecce29
+* In <checkout_dir>, run git merge <commit_sha>
+ i.e. git merge 39ce3ac499d4cd7371031a062f410953c8ecce29
+* Upload the changes.
+ ex: git push origin HEAD:refs/for/master
+* Gerrit will run the text related tests.
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 3277905..79c0bb9 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -1007,16 +1007,15 @@
if ( table->widthMap.innerIndex )
{
- if ( gindex >= table->widthMap.mapCount )
- {
- FT_TRACE2(( "gindex %d out of range\n", gindex ));
- error = FT_THROW( Invalid_Argument );
- goto Exit;
- }
+ FT_UInt idx = gindex;
+
+
+ if ( idx >= table->widthMap.mapCount )
+ idx = table->widthMap.mapCount - 1;
/* trust that HVAR parser has checked indices */
- outerIndex = table->widthMap.outerIndex[gindex];
- innerIndex = table->widthMap.innerIndex[gindex];
+ outerIndex = table->widthMap.outerIndex[idx];
+ innerIndex = table->widthMap.innerIndex[idx];
}
else
{
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 7179ffd..5d4fd09 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -7605,15 +7605,16 @@
exc->twilight.n_points = (FT_UShort)num_twilight_points;
}
- /* Set up loop detectors. We restrict the number of LOOPCALL loops */
- /* and the number of JMPR, JROT, and JROF calls with a negative */
- /* argument to values that depend on the size of the CVT table and */
- /* the number of points in the current glyph (if applicable). */
- /* */
- /* The idea is that in real-world bytecode you either iterate over */
- /* all CVT entries (in the `prep' table), or over all points (or */
- /* contours, in the `glyf' table) of a glyph, and such iterations */
- /* don't happen very often. */
+ /* Set up loop detectors. We restrict the number of LOOPCALL loops */
+ /* and the number of JMPR, JROT, and JROF calls with a negative */
+ /* argument to values that depend on various parameters like the */
+ /* size of the CVT table or the number of points in the current */
+ /* glyph (if applicable). */
+ /* */
+ /* The idea is that in real-world bytecode you either iterate over */
+ /* all CVT entries (in the `prep' table), or over all points (or */
+ /* contours, in the `glyf' table) of a glyph, and such iterations */
+ /* don't happen very often. */
exc->loopcall_counter = 0;
exc->neg_jump_counter = 0;
@@ -7625,7 +7626,14 @@
exc->cvtSize / 10 );
else
exc->loopcall_counter_max = FT_MAX( 100,
- 5 * exc->cvtSize );
+ 10 * exc->cvtSize );
+
+ /* as a protection against an unreasonable number of CVT entries */
+ /* we assume at most 100 control values per glyph for the counter */
+ if ( exc->loopcall_counter_max >
+ 100 * (FT_ULong)exc->face->root.num_glyphs )
+ exc->loopcall_counter_max = 100 * (FT_ULong)exc->face->root.num_glyphs;
+
FT_TRACE5(( "TT_RunIns: Limiting total number of loops in LOOPCALL"
" to %d\n", exc->loopcall_counter_max ));
