In a recent MR [1], Adrian Johnson writes:
For additional safety you could change the unsigned long to size_t
since long is 32-bits on Win64. The CFF spec says the offset size used
in decode_index_offset must be between 1 and 4 so you could range
check that to avoid overflowing the offset.
This commit implements exactly that.
[1]: https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/382#note_1700743
Signed-off-by: Uli Schlachter <psychon@znc.in>
While working on the previous commit, I noticed that nothing makes sure
that the entry points within the font data. Thus, this could easily
cause out-of-bounds reads.
This commit adds a suitable length check for this.
Signed-off-by: Uli Schlachter <psychon@znc.in>
I was looking at [1]. While trying to reproduce the problem that is
described there, valgrind reported:
Argument 'size' of function malloc has a fishy (possibly negative) value: -8
at 0x48407B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4B20E92: cairo_cff_font_read_name (cairo-cff-subset.c:895)
by 0x4B221AD: cairo_cff_font_read_font (cairo-cff-subset.c:1351)
by 0x4B24EF2: cairo_cff_font_generate (cairo-cff-subset.c:2587)
by 0x4B25EA3: _cairo_cff_subset_init (cairo-cff-subset.c:2979)
This commit is about fixing the above.
The function decode_index_offset() returns an unsigned long. This value
was cast to an "int" in cff_index_read(), leading to a possibility for
over/underflow. Also, nothing checked that an entry in the index table
had a non-zero length, leading to an entry with length -8 as reported by
valgrind.
Fix this by using "unsigned long" for the local variables and checking
the length to be non-negative.
With the above fixed, the original test case started crashing.
Apparently, cairo_cff_font_read_name() does not expect nor handle
failures from cff_index_read(). Thus, a check for this case was added to
make the new crash go away.
[1]: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51324
Signed-off-by: Uli Schlachter <psychon@znc.in>
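The checks the three commits above describe (offSize range-checked to 1..4, size_t offsets, every entry kept inside the font data, no negative entry lengths) as an added C example; this is not cairo's code, and the sample INDEX byte strings are constructed, not taken from any real font:

```c
#include <stddef.h>
#include <stdint.h>

typedef struct { const uint8_t *data; size_t len; } cff_entry_t;
static size_t decode_index_offset(const uint8_t *p, int off_size)
{
    size_t v = 0;                             /* size_t: 64-bit on Win64, unlike unsigned long */
    for (int i = 0; i < off_size; i++) v = (v << 8) | p[i];
    return v;
}

/* Parse the INDEX at buf[*pos..len). Returns the entry count, or -1 if the header or offset array
 * lies outside the buffer, offSize is not 1..4, an offset decreases, or an entry runs past the end. */
int cff_index_read(const uint8_t *buf, size_t len, size_t *pos, cff_entry_t *out, size_t max_out)
{
    size_t p = *pos;
    if (p > len || len - p < 2) return -1;
    unsigned count = ((unsigned)buf[p] << 8) | buf[p + 1]; p += 2;
    if (count == 0) { *pos = p; return 0; }              /* empty INDEX is just the count */
    if (p == len) return -1;
    int off_size = buf[p++];
    if (off_size < 1 || off_size > 4 || count > max_out) return -1;   /* CFF spec: offSize 1..4 */
    if ((len - p) / (size_t)off_size < (size_t)count + 1) return -1;  /* count+1 offsets must fit */
    const uint8_t *offs = buf + p;
    p += ((size_t)count + 1) * (size_t)off_size;
    size_t base = p - 1;                                 /* offsets are 1-based from here */
    size_t prev = decode_index_offset(offs, off_size);
    if (prev != 1) return -1;                            /* first offset is always 1 */
    for (unsigned i = 0; i < count; i++) {
        size_t next = decode_index_offset(offs + (i + 1) * (size_t)off_size, off_size);
        if (next < prev || next > len - base) return -1; /* negative length / out of bounds */
        out[i].data = buf + base + prev; out[i].len = next - prev;
        prev = next;
    }
    *pos = base + prev;
    return (int)count;
}

/* Constructed sample INDEXes (not from any real font): count, offSize, offsets, data. */
static const uint8_t GOOD[]    = {0,2, 1, 1,3,4, 'a','b','c'};  /* entries "ab", "c" */
static const uint8_t BAD_SZ[]  = {0,2, 5, 1,3,4, 'a','b','c'};  /* offSize 5 */
static const uint8_t BAD_NEG[] = {0,2, 1, 1,4,2, 'a','b','c'};  /* second entry length -2 */
static const uint8_t BAD_OOB[] = {0,2, 1, 1,3,9, 'a','b','c'};  /* second entry runs past end */

/* Length of entry i, or -1 if the INDEX is rejected or i is out of range. */
long index_entry_len(const uint8_t *buf, size_t len, int i)
{
    cff_entry_t e[8]; size_t pos = 0; int n = cff_index_read(buf, len, &pos, e, 8);
    return (n < 0 || i >= n) ? -1 : (long)e[i].len;
}
```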
Fixes #399
Fixes #413
The function cairo_cff_font_read_cid_fontdict() has a local variable
"cairo_array_t index". This array is first filled with data from the
font with cff_index_read(). Later in this function, each resulting entry
is given to cff_dict_read(). Nothing else is done with the array.
Thus, nothing can keep a reference to "index" and thus this array has to
be finalised at the end of the function to avoid a memory leak.
This commit does that by falling through to the call to cff_index_fini()
that is already there in the error case. This function checks for each
element if its ->is_copy is true and then frees the data. However,
cff_index_read() only creates elements with ->is_copy = FALSE, thus this
does not do anything. At the end, this calls _cairo_array_fini() which
frees the array's memory.
Fixes the following memory leak according to valgrind:
24 bytes in 1 blocks are definitely lost in loss record 173 of 490
at 0x48386AF: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x483ADE7: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4A5ECC3: _cairo_array_grow_by (cairo-array.c:115)
by 0x4A5EEEE: _cairo_array_allocate (cairo-array.c:317)
by 0x4A5EE95: _cairo_array_append_multiple (cairo-array.c:288)
by 0x4A5EE6B: _cairo_array_append (cairo-array.c:265)
by 0x4AFB12E: cff_index_read (cairo-cff-subset.c:438)
by 0x4AFC280: cairo_cff_font_read_cid_fontdict (cairo-cff-subset.c:1022)
by 0x4AFCD42: cairo_cff_font_read_top_dict (cairo-cff-subset.c:1232)
by 0x4AFD145: cairo_cff_font_read_font (cairo-cff-subset.c:1351)
by 0x4AFFDC0: cairo_cff_font_generate (cairo-cff-subset.c:2583)
by 0x4B00D71: _cairo_cff_subset_init (cairo-cff-subset.c:2975)
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30650
Signed-off-by: Uli Schlachter <psychon@znc.in>
- it aims to fix issue #488.
The code in cairo-cff-subset.c parses a binary format without seeming to
bother much with verifying the data. The result is that poppler can be
used to cause an out-of-bounds write in cairo_cff_font_read_fdselect()
via a crafted font file. Fix this by adding the needed length check.
The other code in the file also contains lots of similar things. Since I
cannot really fix everything properly, I'll just fix the one instance
that was found by a fuzzer.
No testcase is added, because this depends on a broken font that is
quite large. Adding something this big to the test suite does not seem
sensible.
Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/451
Signed-off-by: Uli Schlachter <psychon@znc.in>
The code in cairo-cff-subset.c parses a binary font format without
seeming to bother much about verifying the data. The result is that poppler
can be used to cause an out-of-bounds access in
cairo_cff_parse_charstring() via a crafted font file. Fix this by adding
the needed length check.
The other code in the file also contains lots of similar things. Since I
cannot really fix everything properly, I'll just fix the one instance
that was found by a fuzzer.
No testcase is added, because this depends on a broken font that is
quite large. Adding something this big to the test suite does not seem
sensible.
Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/444
Signed-off-by: Uli Schlachter <psychon@znc.in>
Operators BlueValues, OtherBlues, FamilyBlues, FamilyOtherBlues,
StemSnapH and StemSnapV have operands of type delta which can be
a number or an array of delta-encoded numbers. This array can be
empty according to freetype developers.
This commit checks whether current operator is among those listed
and permits empty operand in such case.
_cairo_malloc(0) always returns NULL, but has not been used
consistently. This patch replaces many calls to malloc() with
_cairo_malloc().
Fixes: fdo# 101547
CVE: CVE-2017-9814 Heap buffer overflow at cairo-truetype-subset.c:1299
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
fixes the warning:
warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE"
If the font is a non default variant, fall back to creating a font from
the outlines.
Bug 91902
Bug 90538
Debian bug 712836 reported bus errors in cff subsetting when
running on a sparc. This is because unlike truetype, all data
in the compact font format is not aligned.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712836
Refactor out a cairo_get_locale_decimal_point() routine to handle a case
where localeconv() is not available.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=70492
Reviewed-by: Bryce Harrington <b.harrington@samsung.com>
[edit: Condensed cairo_get_locale_decimal_point and conditionalized
locale.h inclusion. -- bryce]
Signed-off-by: Bryce Harrington <b.harrington@samsung.com>
Reviewed-by: Uli Schlachter <psychon@znc.in>
Escape PostScript names of loaded fonts. These can not
contain white spaces and delimiter characters when saving
them to a PostScript file or a PDF file.
fd_default_width and fd_nominal_width
are arrays of doubles not arrays of ints.
- _cairo_type1_font_subset_fini doesn't free font->cleartext
- _cairo_cff_font_create can exit without freeing font->font_name and/or
font->data; _cairo_cff_font_load_opentype_cff is called to allocate
font_name, then _cairo_cff_font_load_cff is called to allocate
font->data, then _cairo_cff_font_load_cff's return status is checked
and if it failed, it jumps to fail1. This can cause font_name to leak
since the fail1 target only frees the font variable. In addition,
_cairo_cff_font_load_cff can fail -after- allocating data, and then
data won't be freed either.
Bug 56566
Bug 52972
Bug 51443
to fix bug when decoding cff real numbers.
Bug 51443
Fixes crash in https://bugzilla.gnome.org/show_bug.cgi?id=677422
Bug 41548
Need to use charset to map CID to GID.
Bug 41548
Most fonts use Windows platform-specific encoded font names since they
allow unicode names.
- Make _cairo_truetype_read_font_name() read the Windows platform
names first. If this fails, fall back to reading the Mac platform
MacRoman encoded name.
- Use the PDF method of encoding non ASCII PS font names. Poppler will
correctly extract the unicode name.
- Make PDF embed the font family name as AsciiHex if the name is not ASCII.
Having spent the last dev cycle looking at how we could specialize the
compositors for various backends, we once again look for the
commonalities in order to reduce the duplication. In part this is
motivated by the idea that spans is a good interface for both the
existent GL backend and pixman, and so they deserve a dedicated
compositor. xcb/xlib target an identical rendering system and so they
should be using the same compositor, and it should be possible to run
that same compositor locally against pixman to generate reference tests.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
P.S. This brings massive upheaval (read breakage) I've tried delaying in
order to fix as many things as possible but now this one patch does far,
far, far too much. Apologies in advance for breaking your favourite
backend, but trust me in that the end result will be much better. :)
so we don't end up with two subset tags in the font name when cairo
appends its own subset tag.
width
The 2 byte operators can be ignored if we don't need or have already found
the width.
We need to parse all used charstrings in bare CFF fonts to extract the widths.
This patch has been generated by the following Coccinelle semantic patch:
// Remove useless checks for NULL before freeing
//
// free (NULL) is a no-op, so there is no need to avoid it
@@
expression E;
@@
+ free (E);
+ E = NULL;
- if (unlikely (E != NULL)) {
- free(E);
(
- E = NULL;
|
- E = 0;
)
...
- }
@@
expression E;
@@
+ free (E);
- if (unlikely (E != NULL)) {
- free (E);
- }
The code incorrectly initialized the fields of the data structure,
which are about to be overwritten, instead of the temporary variables
which are used to compute them.
This avoids fallback when using poppler cairo for printing PDFs with
CFF fonts.
The current CFF subsetting only works with Opentype/CFF fonts. CFF
fonts inside PDF files are usually embedded as a bare CFF font without
the Opentype wrapper.
Making the CFF subset work with bare CFF fonts requires doing a bit of
extra work to extract the fontname, font bbox, and glyph widths from
the CFF data instead of using the Opentype tables.
Step 1, fix the failings sighted recently by tracking clip-boxes as an
explicit property of the clipping and of composition.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
caused by holding a pointer into a cairo_array after a realloc
https://bugs.freedesktop.org/show_bug.cgi?id=35161
Go through each Charstring looking for the local and global
subroutines called. To avoid modifying the Charstrings [1], the unused
subroutines are reduced to a single byte return op [2] leaving the
remaining subroutines in their original array index position.
Results of testing with some CFF fonts with a 26 glyph [a-z] subset:
Font                        Subset size: Before     After
---------------------------------------------------------
LinBiolinum_Re-0.6.4.otf                  48,423     8,295
LinBiolinum_It-0.5.1.otf                  88,942    11,501
LinBiolinum_Sl-0.4.9.otf                  89,231    11,505
LinLibertine_Re-4.7.5.otf                 51,125     8,654
LinLibetine_It-4.2.6.otf                  59,333     9,632
Inconsolata.otf                           13,826     8,407
[1] Further reductions could be obtained by stripping out unused
subroutines and renumbering the remaining subroutines but is more
complicated due to the encoding used for subroutine numbers that is
both variable length and a function of the size of the subroutine
array.
[2] Poppler and Fontforge do not seem to like zero length unused
subroutines.
https://bugs.freedesktop.org/show_bug.cgi?id=31878
493aaf0f15bfedc88371ffab07d862a400b0da38 made all cairo_array
functions use unsigned int for indexes and sizes.
This commit fixes the compiler warnings about those values being
compared to signed int's.
If the font has been synthesized we can't use the native subsetters as
the outlines won't be the same. Instead force the use of the fallback
subsetters so the synthesized outlines will be used to generate the font.