path: root/src/cairo-cff-subset.c
Commit log (newest first): message, author, date, files changed, lines removed/added
* Use _cairo_strndup where appropriate
  Adrian Johnson, 2023-01-03, 1 file, -5/+3
* Improve cff index reading code
  Uli Schlachter, 2022-12-31, 1 file, -3/+3

  In a recent MR [1], Adrian Johnson writes:

      For additional safety you could change the unsigned long to size_t
      since long is 32-bits on Win64. The CFF spec says the offset size
      used in decode_index_offset must be between 1 and 4 so you could
      range check that to avoid overflowing the offset.

  This commit implements exactly that.

  [1]: https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/382#note_1700743

  Signed-off-by: Uli Schlachter <psychon@znc.in>
* Fix a possible out-of-bounds read
  Uli Schlachter, 2022-12-31, 1 file, -1/+1

  While working on the previous commit, I noticed that nothing makes sure
  that the entry points within the font data. Thus, this could easily cause
  out-of-bounds reads. This commit adds a suitable length check for this.

  Signed-off-by: Uli Schlachter <psychon@znc.in>
* Fix out-of-bounds access in cff subset
  Uli Schlachter, 2022-12-31, 1 file, -4/+4

  I was looking at [1]. While trying to reproduce the problem that is
  described there, valgrind reported:

      Argument 'size' of function malloc has a fishy (possibly negative) value: -8
         at 0x48407B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
         by 0x4B20E92: cairo_cff_font_read_name (cairo-cff-subset.c:895)
         by 0x4B221AD: cairo_cff_font_read_font (cairo-cff-subset.c:1351)
         by 0x4B24EF2: cairo_cff_font_generate (cairo-cff-subset.c:2587)
         by 0x4B25EA3: _cairo_cff_subset_init (cairo-cff-subset.c:2979)

  This commit is about fixing the above.

  The function decode_index_offset() returns an unsigned long. This value
  was cast to an "int" in cff_index_read(), leading to a possibility for
  over/underflow. Also, nothing checked that an entry in the index table
  had a non-zero length, leading to an entry with length -8 as reported by
  valgrind.

  Fix this by using "unsigned long" for the local variables and checking
  the length to be non-negative.

  With the above fixed, the original test case started crashing.
  Apparently, cairo_cff_font_read_name() does not expect nor handle
  failures from cff_index_read(). Thus, a check for this case was added to
  make the new crash go away.

  [1]: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51324

  Signed-off-by: Uli Schlachter <psychon@znc.in>
* Fix some warnings
  Adrian Johnson, 2021-08-22, 1 file, -3/+3
* cff: use correct size cast when decoding bytes to a signed int
  Adrian Johnson, 2021-07-21, 1 file, -2/+2

  Fixes #399
* cff: Check subroutine number is valid before using as an array index
  Adrian Johnson, 2021-07-20, 1 file, -2/+6

  Fixes #413
* Fix memory leak in cairo_cff_font_read_cid_fontdict
  Uli Schlachter, 2021-06-26, 1 file, -1/+1

  The function cairo_cff_font_read_cid_fontdict() has a local variable
  "cairo_array_t index". This array is first filled with data from the font
  with cff_index_read(). Later in this function, each resulting entry is
  given to cff_dict_read(). Nothing else is done with the array.

  Thus, nothing can keep a reference to "index" and thus this array has to
  be finalised at the end of the function to avoid a memory leak. This
  commit does that by falling through to the call to cff_index_fini() that
  is already there in the error case. This function checks for each
  element if its ->is_copy is true and then frees the data. However,
  cff_index_read() only creates elements with ->is_copy = FALSE, thus this
  does not do anything. At the end, this calls _cairo_array_fini() which
  frees the array's memory.

  Fixes the following memory leak according to valgrind:

      24 bytes in 1 blocks are definitely lost in loss record 173 of 490
         at 0x48386AF: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
         by 0x483ADE7: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
         by 0x4A5ECC3: _cairo_array_grow_by (cairo-array.c:115)
         by 0x4A5EEEE: _cairo_array_allocate (cairo-array.c:317)
         by 0x4A5EE95: _cairo_array_append_multiple (cairo-array.c:288)
         by 0x4A5EE6B: _cairo_array_append (cairo-array.c:265)
         by 0x4AFB12E: cff_index_read (cairo-cff-subset.c:438)
         by 0x4AFC280: cairo_cff_font_read_cid_fontdict (cairo-cff-subset.c:1022)
         by 0x4AFCD42: cairo_cff_font_read_top_dict (cairo-cff-subset.c:1232)
         by 0x4AFD145: cairo_cff_font_read_font (cairo-cff-subset.c:1351)
         by 0x4AFFDC0: cairo_cff_font_generate (cairo-cff-subset.c:2583)
         by 0x4B00D71: _cairo_cff_subset_init (cairo-cff-subset.c:2975)

  Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30650

  Signed-off-by: Uli Schlachter <psychon@znc.in>
* Allow empty postscript name when using a CFF font in pdf
  Calixte Denizet, 2021-05-26, 1 file, -1/+1

  - it aims to fix issue #488.
* Fix undefined left-shifts
  Heiko Lewin, 2021-03-31, 1 file, -1/+1
* Add a bounds check to cairo_cff_font_read_fdselect()
  Uli Schlachter, 2021-01-07, 1 file, -0/+2

  The code in cairo-cff-subset.c parses a binary format without seeming to
  bother much with verifying the data. The result is that poppler can be
  used to cause an out-of-bounds write in cairo_cff_font_read_fdselect()
  via a crafted font file.

  Fix this by adding the needed length check.

  The other code in the file also contains lots of similar things. Since I
  cannot really fix everything properly, I'll just fix the one instance
  that was found by a fuzzer.

  No testcase is added, because this depends on a broken font that is
  quite large. Adding something this big to the test suite does not seem
  sensible.

  Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/451

  Signed-off-by: Uli Schlachter <psychon@znc.in>
* Add a bounds check to cairo_cff_parse_charstring()
  Uli Schlachter, 2020-12-25, 1 file, -0/+2

  The code in cairo-cff-subset.c parses a binary font format without
  seeming to bother much with verifying the data. The result is that
  poppler can be used to cause an out-of-bounds access in
  cairo_cff_parse_charstring() via a crafted font file.

  Fix this by adding the needed length check.

  The other code in the file also contains lots of similar things. Since I
  cannot really fix everything properly, I'll just fix the one instance
  that was found by a fuzzer.

  No testcase is added, because this depends on a broken font that is
  quite large. Adding something this big to the test suite does not seem
  sensible.

  Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/444

  Signed-off-by: Uli Schlachter <psychon@znc.in>
* cff: Allow empty array of operands for certain operators
  Marek Kasik, 2020-11-20, 1 file, -29/+49

  Operators BlueValues, OtherBlues, FamilyBlues, FamilyOtherBlues,
  StemSnapH and StemSnapV have operands of type delta which can be a
  number or an array of delta-encoded numbers. This array can be empty
  according to freetype developers.

  This commit checks whether current operator is among those listed and
  permits empty operand in such case.
* Use _cairo_malloc instead of malloc
  Adrian Johnson, 2018-05-07, 1 file, -18/+18

  _cairo_malloc(0) always returns NULL, but has not been used
  consistently. This patch replaces many calls to malloc() with
  _cairo_malloc().

  Fixes: fdo# 101547
  CVE: CVE-2017-9814 Heap buffer overflow at cairo-truetype-subset.c:1299

  Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
* factor out ascii to double code in cff-subset into _cairo_strtod
  Adrian Johnson, 2017-09-22, 1 file, -24/+3
* replace _BSD_SOURCE with _DEFAULT_SOURCE
  Adrian Johnson, 2017-09-16, 1 file, -1/+1

  fixes the warning:

      warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE"
* subsetting: support variable fonts
  Adrian Johnson, 2017-05-28, 1 file, -3/+10

  If the font is a non default variant, fallback to creating a font from
  the outlines.
* cff: opentype fonts always use gid to lookup glyph
  Adrian Johnson, 2015-09-07, 1 file, -6/+10

  Bug 91902
* cff: ensure glyph widths are positive when font matrix yy is negative
  Adrian Johnson, 2015-05-21, 1 file, -2/+2

  Bug 90538
* CFF: Fix unaligned access
  Adrian Johnson, 2014-10-19, 1 file, -16/+19

  Debian bug 712836 reported bus errors in cff subsetting when running on
  a sparc. This is because unlike truetype, all data in the compact font
  format is not aligned.

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712836
* Fix compilation with bionic libc
  Adrian Johnson, 2014-09-23, 1 file, -3/+1

  Refactor out a cairo_get_locale_decimal_point() routine to handle a
  case where localeconv() is not available.

  Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=70492

  Reviewed-by: Bryce Harrington <b.harrington@samsung.com>
  [edit: Condensed cairo_get_locale_decimal_point and conditionalized
  locale.h inclusion. -- bryce]
* Fix some memory leaks found by scan-build, the LLVM/Clang static analyzer
  Sylvestre Ledru, 2014-05-16, 1 file, -1/+3

  Signed-off-by: Bryce Harrington <b.harrington@samsung.com>
  Reviewed-by: Uli Schlachter <psychon@znc.in>
* font: Generate PDFs with correct font names
  Marek Kasik, 2014-01-10, 1 file, -0/+2

  Escape PostScript names of loaded fonts. These can not contain white
  spaces and delimiter characters when saving them to a PostScript file or
  a PDF file.
* cff-subset: Fix allocation of width arrays
  Marek Kasik, 2013-03-15, 1 file, -2/+2

  fd_default_width and fd_nominal_width are arrays of doubles not arrays
  of ints.
* type1-subset, cff-subset: Plugged 2 memory leaks
  Kevin Tardif, 2012-10-30, 1 file, -3/+3

  - _cairo_type1_font_subset_fini doesn't free font->cleartext
  - _cairo_cff_font_create can exit without freeing font->font_name and/or
    font->data; _cairo_cff_font_load_opentype_cff is called to allocate
    font_name, then _cairo_cff_font_load_cff is called to allocate
    font->data, then _cairo_cff_font_load_cff's return status is checked
    and if it failed, it jumps to fail1. This can cause font_name to leak
    since the fail1 target only frees the font variable. In addition,
    _cairo_cff_font_load_cff can fail -after- allocating data, and then
    data won't be freed either.

  Bug 56566
* cff subsetting: widths can be floating point
  Adrian Johnson, 2012-07-31, 1 file, -11/+11

  Bug 52972
* cff: initialise variable to prevent valgrind warning
  Adrian Johnson, 2012-07-05, 1 file, -0/+1
* cff: use correct size for buffer
  Adrian Johnson, 2012-07-05, 1 file, -1/+1

  Bug 51443
* cff: convert '.' to locale specific decimal point before using sscanf
  Adrian Johnson, 2012-07-04, 1 file, -1/+25

  to fix bug when decoding cff real numbers.

  Bug 51443
* cff-subsetting: Ignore charset for non cid fonts
  Adrian Johnson, 2012-06-07, 1 file, -7/+9

  Fixes crash in https://bugzilla.gnome.org/show_bug.cgi?id=677422
* cff: fallback if seac style endchar is found
  Adrian Johnson, 2011-10-09, 1 file, -0/+7

  Bug 41548
* cff: in CID fonts the CID is the glyph index
  Adrian Johnson, 2011-10-09, 1 file, -3/+95

  Need to use charset to map CID to GID.

  Bug 41548
* subsetting: Support unicode fontnames
  Adrian Johnson, 2011-09-15, 1 file, -6/+6

  Most fonts use Window platform specific encoded font names since they
  allow unicode names.

  - Make _cairo_truetype_read_font_name() read the Windows platform names
    first. If this fails, fallback to reading the Mac platform MacRoman
    encoded name.
  - Use the PDF method of encoding non ASCII PS font names. Poppler will
    correctly extract the unicode name.
  - Make PDF embed the font family name as AsciiHex if the name is not
    ASCII.
* Introduce a new compositor architecture
  Chris Wilson, 2011-09-12, 1 file, -3/+5

  Having spent the last dev cycle looking at how we could specialize the
  compositors for various backends, we once again look for the
  commonalities in order to reduce the duplication. In part this is
  motivated by the idea that spans is a good interface for both the
  existent GL backend and pixman, and so they deserve a dedicated
  compositor. xcb/xlib target an identical rendering system and so they
  should be using the same compositor, and it should be possible to run
  that same compositor locally against pixman to generate reference tests.

  Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

  P.S. This brings massive upheaval (read breakage) I've tried delaying in
  order to fix as many things as possible but now this one patch does far,
  far, far too much. Apologies in advance for breaking your favourite
  backend, but trust me in that the end result will be much better. :)
* cff: strip subset tag when reading font name
  Adrian Johnson, 2011-09-08, 1 file, -3/+18

  so we don't end up with two subset tags in the font name when cairo
  appends its own subset tag.
* cff-subset: fix decoding of real numbers
  Adrian Johnson, 2011-08-23, 1 file, -1/+3
* cff-subset: don't easily give up parsing a charstring if we already have the width
  Adrian Johnson, 2011-08-21, 1 file, -4/+10

  The 2 byte operators can be ignored if we don't need or have already
  found the width.
* cff-subset: fallback when parsing the charstrings in bare cff fonts fails
  Adrian Johnson, 2011-08-21, 1 file, -6/+17

  We need to parse all used charstrings in bare CFF fonts to extract the
  widths.
* Remove useless checks for NULL before freeing
  Andrea Canciani, 2011-07-31, 1 file, -36/+18

  This patch has been generated by the following Coccinelle semantic patch:

      // Remove useless checks for NULL before freeing
      //
      // free (NULL) is a no-op, so there is no need to avoid it
      @@
      expression E;
      @@
      + free (E);
      + E = NULL;
      - if (unlikely (E != NULL)) {
      -     free(E);
      (
      -     E = NULL;
      |
      -     E = 0;
      )
        ...
      - }

      @@
      expression E;
      @@
      + free (E);
      - if (unlikely (E != NULL)) {
      -     free (E);
      - }
* cff-subset: Do not use garbage values
  Andrea Canciani, 2011-07-29, 1 file, -4/+4

  The code incorrectly initialized the fields of the data structure, which
  are about to be overwritten, instead of the temporary variables which
  are used to compute them.
* Add support for subsetting bare CFF fonts
  Adrian Johnson, 2011-07-21, 1 file, -110/+467

  This avoids fallback when using poppler cairo for printing PDFs with CFF
  fonts.

  The current CFF subsetting only works with Opentype/CFF fonts. CFF fonts
  inside PDF files are usually embedded as a bare CFF font without the
  Opentype wrapper. Making the CFF subset work with bare CFF fonts
  requires doing a bit of extra work to extract the fontname, font bbox,
  and glyph widths from the CFF data instead of using the Opentype tables.
* clip: Rudimentary support for clip-polygon extraction
  Chris Wilson, 2011-07-19, 1 file, -7/+7

  Step 1, fix the failings sighted recently by tracking clip-boxes as an
  explicit property of the clipping and of composition.

  Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
* cff-subset: Fix /guillemotright SID encoding
  Adrian Johnson, 2011-07-18, 1 file, -1/+1
* cff: Fix heap corruption
  Adrian Johnson, 2011-03-13, 1 file, -4/+11

  caused by holding a pointer into a cairo_array after a realloc

  https://bugs.freedesktop.org/show_bug.cgi?id=35161
* CFF Subsetting: Subset subroutines
  Adrian Johnson, 2010-11-30, 1 file, -16/+329

  Go through each Charstring looking for the local and global subroutines
  called. To avoid modifying the Charstrings [1], the unused subroutines
  are reduced to a single byte return op [2] leaving the remaining
  subroutines in their original array index position.

  Results of testing with some CFF fonts with a 26 glyph [a-z] subset:

      Font                         Subset size:
                                   Before      After
      -------------------------------------------------------
      LinBiolinum_Re-0.6.4.otf     48,423      8,295
      LinBiolinum_It-0.5.1.otf     88,942      11,501
      LinBiolinum_Sl-0.4.9.otf     89,231      11,505
      LinLibertine_Re-4.7.5.otf    51,125      8,654
      LinLibetine_It-4.2.6.otf     59,333      9,632
      Inconsolata.otf              13,826      8,407

  [1] Further reductions could be obtained by stripping out unused
  subroutines and renumbering the remaining subroutines but is more
  complicated due to the encoding used for subroutine numbers that is
  both variable length and a function of the size of the subroutine
  array.

  [2] Poppler and Fontforge do not seem to like zero length unused
  subroutines.
* CFF subset: fix bug with euro glyph in fallback fonts
  Adrian Johnson, 2010-11-28, 1 file, -2/+5
* CFF subset: fix subsetting of Euro glyph
  Adrian Johnson, 2010-11-28, 1 file, -13/+38

  https://bugs.freedesktop.org/show_bug.cgi?id=31878
* array: Silence warnings
  Andrea Canciani, 2010-11-26, 1 file, -1/+1

  493aaf0f15bfedc88371ffab07d862a400b0da38 made all cairo_array functions
  use unsigned int for indexes and sizes. This commit fixes the compiler
  warnings about those values being compared to signed ints.
* Check is_synthetic() font backend exists before calling it
  Adrian Johnson, 2010-11-23, 1 file, -1/+1
* Use fallback font for synthetic fonts
  Adrian Johnson, 2010-11-23, 1 file, -0/+4

  If the font has been synthesized we can't use the native subsetters as
  the outlines won't be the same. Instead force the use of the fallback
  subsetters so the synthesized outlines will be used to generate the font.