Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-11-24 13:21:05 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1685381 - Update OTS to 8.1.2. r=jfkthame

Browse Source 
Differential Revision: https://phabricator.services.mozilla.com/D100951
This commit is contained in:
Ryan VanderMeulen 2021-01-07 13:29:48 +00:00
parent d9cc5b36cb
commit edf21ccc44
8 changed files with 243 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
gfx/ots/README.mozilla
View File

@ -2,7 +2,7 @@ This is the Sanitiser for OpenType project, from http://code.google.com/p/ots/.
Our reference repository is https://github.com/khaledhosny/ots/.
Current revision: d6d783c67b4aa604edd12dce0decc18a5c79906b (8.1.1)
Current revision: 5afd9e2b8abdd03ffeddb22e6094b4fb546cb39d (8.1.2)
Upstream files included: LICENSE, src/, include/, tests/*.cc

7
gfx/ots/src/glat.cc
View File

@ -207,9 +207,10 @@ bool OpenTypeGLAT_v3::Parse(const uint8_t* data, size_t length,
if (decompressed_size == 0) {
return DropGraphite("Decompressed size is set to 0");
}
// decompressed table must be <= 30MB
if (decompressed_size > 30 * 1024 * 1024) {
return DropGraphite("Decompressed size exceeds 30MB: %gMB",
// decompressed table must be <= OTS_MAX_DECOMPRESSED_TABLE_SIZE
if (decompressed_size > OTS_MAX_DECOMPRESSED_TABLE_SIZE) {
return DropGraphite("Decompressed size exceeds %gMB: %gMB",
OTS_MAX_DECOMPRESSED_TABLE_SIZE / (1024.0 * 1024.0),
decompressed_size / (1024.0 * 1024.0));
}
std::vector<uint8_t> decompressed(decompressed_size);

206
gfx/ots/src/glyf.cc
View File

@ -99,6 +99,12 @@ bool OpenTypeGLYF::ParseSimpleGlyph(Buffer &glyph,
num_flags = tmp_index + 1;
}
if (this->maxp->version_1 &&
num_flags > this->maxp->max_points) {
Warning("Number of contour points exceeds maxp maxPoints, adjusting limit.");
this->maxp->max_points = num_flags;
}
uint16_t bytecode_length = 0;
if (!glyph.ReadU16(&bytecode_length)) {
return Error("Can't read bytecode length");
@ -144,7 +150,9 @@ bool OpenTypeGLYF::ParseSimpleGlyph(Buffer &glyph,
#define WE_HAVE_A_TWO_BY_TWO (1u << 7)
#define WE_HAVE_INSTRUCTIONS (1u << 8)
bool OpenTypeGLYF::ParseCompositeGlyph(Buffer &glyph) {
bool OpenTypeGLYF::ParseCompositeGlyph(
Buffer &glyph,
ComponentPointCount* component_point_count) {
uint16_t flags = 0;
uint16_t gid = 0;
do {
@ -193,6 +201,10 @@ bool OpenTypeGLYF::ParseCompositeGlyph(Buffer &glyph) {
return Error("Can't read transform");
}
}
// Push inital components on stack at level 1
// to traverse them in parent function.
component_point_count->gid_stack.push_back({gid, 1});
} while (flags & MORE_COMPONENTS);
if (flags & WE_HAVE_INSTRUCTIONS) {
@ -243,29 +255,16 @@ bool OpenTypeGLYF::Parse(const uint8_t *data, size_t length) {
uint32_t current_offset = 0;
for (unsigned i = 0; i < num_glyphs; ++i) {
const unsigned gly_offset = offsets[i];
// The LOCA parser checks that these values are monotonic
const unsigned gly_length = offsets[i + 1] - offsets[i];
if (!gly_length) {
// this glyph has no outline (e.g. the space charactor)
Buffer glyph(GetGlyphBufferSection(data, length, offsets, i));
if (!glyph.buffer())
return false;
if (!glyph.length()) {
resulting_offsets[i] = current_offset;
continue;
}
if (gly_offset >= length) {
return Error("Glyph %d offset %d too high %ld", i, gly_offset, length);
}
// Since these are unsigned types, the compiler is not allowed to assume
// that they never overflow.
if (gly_offset + gly_length < gly_offset) {
return Error("Glyph %d length (%d < 0)!", i, gly_length);
}
if (gly_offset + gly_length > length) {
return Error("Glyph %d length %d too high", i, gly_length);
}
Buffer glyph(data + gly_offset, gly_length);
int16_t num_contours, xmin, ymin, xmax, ymax;
if (!glyph.ReadS16(&num_contours) ||
!glyph.ReadS16(&xmin) ||
@ -302,9 +301,57 @@ bool OpenTypeGLYF::Parse(const uint8_t *data, size_t length) {
return Error("Failed to parse glyph %d", i);
}
} else {
if (!ParseCompositeGlyph(glyph)) {
ComponentPointCount component_point_count;
if (!ParseCompositeGlyph(glyph, &component_point_count)) {
return Error("Failed to parse glyph %d", i);
}
// Check maxComponentDepth and validate maxComponentPoints.
// ParseCompositeGlyph placed the first set of component glyphs on the
// component_point_count.gid_stack, which we start to process below. If a
// nested glyph is in turn a component glyph, additional glyphs are placed
// on the stack.
while (component_point_count.gid_stack.size()) {
GidAtLevel stack_top_gid = component_point_count.gid_stack.back();
component_point_count.gid_stack.pop_back();
Buffer points_count_glyph(GetGlyphBufferSection(
data,
length,
offsets,
stack_top_gid.gid));
if (!points_count_glyph.buffer())
return false;
if (!points_count_glyph.length())
continue;
if (!TraverseComponentsCountingPoints(points_count_glyph,
i,
stack_top_gid.level,
&component_point_count)) {
return Error("Error validating component points and depth.");
}
if (component_point_count.accumulated_component_points >
std::numeric_limits<uint16_t>::max()) {
return Error("Illegal composite points value "
"exceeding 0xFFFF for base glyph %d.", i);
} else if (this->maxp->version_1 &&
component_point_count.accumulated_component_points >
this->maxp->max_c_points) {
Warning("Number of composite points in glyph %d exceeds "
"maxp maxCompositePoints: %d vs %d, adjusting limit.",
i,
component_point_count.accumulated_component_points,
this->maxp->max_c_points
);
this->maxp->max_c_points =
component_point_count.accumulated_component_points;
}
}
}
size_t new_size = glyph.offset();
@ -344,6 +391,123 @@ bool OpenTypeGLYF::Parse(const uint8_t *data, size_t length) {
return true;
}
bool OpenTypeGLYF::TraverseComponentsCountingPoints(
Buffer &glyph,
uint16_t base_glyph_id,
uint32_t level,
ComponentPointCount* component_point_count) {
int16_t num_contours;
if (!glyph.ReadS16(&num_contours) ||
!glyph.Skip(8)) {
return Error("Can't read glyph header.");
}
if (num_contours <= -2) {
return Error("Bad number of contours %d in glyph.", num_contours);
}
if (num_contours == 0)
return true;
// FontTools counts a component level for each traversed recursion. We start
// counting at level 0. If we reach a level that's deeper than
// maxComponentDepth, we expand maxComponentDepth unless it's larger than
// the maximum possible depth.
if (level > std::numeric_limits<uint16_t>::max()) {
return Error("Illegal component depth exceeding 0xFFFF in base glyph id %d.",
base_glyph_id);
} else if (this->maxp->version_1 &&
level > this->maxp->max_c_depth) {
this->maxp->max_c_depth = level;
Warning("Component depth exceeds maxp maxComponentDepth "
"in glyph %d, adjust limit to %d.",
base_glyph_id, level);
}
if (num_contours > 0) {
uint16_t num_points = 0;
for (int i = 0; i < num_contours; ++i) {
// Simple glyph, add contour points.
uint16_t tmp_index = 0;
if (!glyph.ReadU16(&tmp_index)) {
return Error("Can't read contour index %d", i);
}
num_points = tmp_index + 1;
}
component_point_count->accumulated_component_points += num_points;
return true;
} else {
assert(num_contours == -1);
// Composite glyph, add gid's to stack.
uint16_t flags = 0;
uint16_t gid = 0;
do {
if (!glyph.ReadU16(&flags) || !glyph.ReadU16(&gid)) {
return Error("Can't read composite glyph flags or glyphIndex");
}
size_t skip_bytes = 0;
skip_bytes += flags & ARG_1_AND_2_ARE_WORDS ? 4 : 2;
if (flags & WE_HAVE_A_SCALE) {
skip_bytes += 2;
} else if (flags & WE_HAVE_AN_X_AND_Y_SCALE) {
skip_bytes += 4;
} else if (flags & WE_HAVE_A_TWO_BY_TWO) {
skip_bytes += 8;
}
if (!glyph.Skip(skip_bytes)) {
return Error("Failed to parse component glyph.");
}
if (gid >= this->maxp->num_glyphs) {
return Error("Invalid glyph id used in composite glyph: %d", gid);
}
component_point_count->gid_stack.push_back({gid, level + 1u});
} while (flags & MORE_COMPONENTS);
return true;
}
}
Buffer OpenTypeGLYF::GetGlyphBufferSection(
const uint8_t *data,
size_t length,
const std::vector<uint32_t>& loca_offsets,
unsigned glyph_id) {
Buffer null_buffer(nullptr, 0);
const unsigned gly_offset = loca_offsets[glyph_id];
// The LOCA parser checks that these values are monotonic
const unsigned gly_length = loca_offsets[glyph_id + 1] - loca_offsets[glyph_id];
if (!gly_length) {
// this glyph has no outline (e.g. the space character)
return Buffer(data + gly_offset, 0);
}
if (gly_offset >= length) {
Error("Glyph %d offset %d too high %ld", glyph_id, gly_offset, length);
return null_buffer;
}
// Since these are unsigned types, the compiler is not allowed to assume
// that they never overflow.
if (gly_offset + gly_length < gly_offset) {
Error("Glyph %d length (%d < 0)!", glyph_id, gly_length);
return null_buffer;
}
if (gly_offset + gly_length > length) {
Error("Glyph %d length %d too high", glyph_id, gly_length);
return null_buffer;
}
return Buffer(data + gly_offset, gly_length);
}
bool OpenTypeGLYF::Serialize(OTSStream *out) {
for (unsigned i = 0; i < this->iov.size(); ++i) {
if (!out->Write(this->iov[i].first, this->iov[i].second)) {

28
gfx/ots/src/glyf.h
View File

@ -23,12 +23,38 @@ class OpenTypeGLYF : public Table {
bool Serialize(OTSStream *out);
private:
struct GidAtLevel {
uint16_t gid;
uint32_t level;
};
struct ComponentPointCount {
ComponentPointCount() : accumulated_component_points(0) {};
uint32_t accumulated_component_points;
std::vector<GidAtLevel> gid_stack;
};
bool ParseFlagsForSimpleGlyph(Buffer &glyph,
uint32_t num_flags,
uint32_t *flag_index,
uint32_t *coordinates_length);
bool ParseSimpleGlyph(Buffer &glyph, int16_t num_contours);
bool ParseCompositeGlyph(Buffer &glyph);
bool ParseCompositeGlyph(
Buffer &glyph,
ComponentPointCount* component_point_count);
bool TraverseComponentsCountingPoints(
Buffer& glyph,
uint16_t base_glyph_id,
uint32_t level,
ComponentPointCount* component_point_count);
Buffer GetGlyphBufferSection(
const uint8_t *data,
size_t length,
const std::vector<uint32_t>& loca_offsets,
unsigned glyph_id);
OpenTypeMAXP* maxp;

8
gfx/ots/src/metrics.cc
View File

@ -35,11 +35,11 @@ bool OpenTypeMetricsHeader::Parse(const uint8_t *data, size_t length) {
}
if (this->ascent < 0) {
Warning("bad ascent: %d", this->ascent);
Warning("Negative ascent, setting to 0: %d", this->ascent);
this->ascent = 0;
}
if (this->linegap < 0) {
Warning("bad linegap: %d", this->linegap);
Warning("Negative linegap, setting to: %d", this->linegap);
this->linegap = 0;
}
@ -52,7 +52,7 @@ bool OpenTypeMetricsHeader::Parse(const uint8_t *data, size_t length) {
// if the font is non-slanted, caret_offset should be zero.
if (!(head->mac_style & 2) &&
(this->caret_offset != 0)) {
Warning("bad caret offset: %d", this->caret_offset);
Warning("Non-zero caretOffset but head.macStyle italic bit is not set, setting to caretOffset to 0: %d", this->caret_offset);
this->caret_offset = 0;
}
@ -66,7 +66,7 @@ bool OpenTypeMetricsHeader::Parse(const uint8_t *data, size_t length) {
return Error("Failed to read metricDataFormat");
}
if (data_format) {
return Error("Bad metricDataFormat: %d", data_format);
return Error("Unsupported metricDataFormat: %d", data_format);
}
if (!table.ReadU16(&this->num_metrics)) {

24
gfx/ots/src/ots.cc
View File

@ -514,9 +514,10 @@ bool ProcessWOFF2(ots::FontFile *header,
if (decompressed_size == 0) {
return OTS_FAILURE_MSG_HDR("Size of decompressed WOFF 2.0 is set to 0");
}
// decompressed font must be <= 30MB
if (decompressed_size > 30 * 1024 * 1024) {
return OTS_FAILURE_MSG_HDR("Size of decompressed WOFF 2.0 font exceeds 30MB");
// decompressed font must be <= OTS_MAX_DECOMPRESSED_FILE_SIZE
if (decompressed_size > OTS_MAX_DECOMPRESSED_FILE_SIZE) {
return OTS_FAILURE_MSG_HDR("Size of decompressed WOFF 2.0 font exceeds %gMB",
OTS_MAX_DECOMPRESSED_FILE_SIZE / (1024.0 * 1024.0));
}
std::string buf(decompressed_size, 0);
@ -630,12 +631,14 @@ bool ProcessGeneric(ots::FontFile *header,
if (tables[i].uncompressed_length > tables[i].length) {
// We'll probably be decompressing this table.
// disallow all tables which uncompress to > 30 MB
if (tables[i].uncompressed_length > 30 * 1024 * 1024) {
return OTS_FAILURE_MSG_TAG("uncompressed length exceeds 30MB", tables[i].tag);
// disallow all tables which decompress to > OTS_MAX_DECOMPRESSED_TABLE_SIZE
if (tables[i].uncompressed_length > OTS_MAX_DECOMPRESSED_TABLE_SIZE) {
return OTS_FAILURE_MSG_HDR("%c%c%c%c: decompressed table length exceeds %gMB",
OTS_UNTAG(tables[i].tag),
OTS_MAX_DECOMPRESSED_TABLE_SIZE / (1024.0 * 1024.0));
}
if (uncompressed_sum + tables[i].uncompressed_length < uncompressed_sum) {
return OTS_FAILURE_MSG_TAG("overflow of uncompressed sum", tables[i].tag);
return OTS_FAILURE_MSG_TAG("overflow of decompressed sum", tables[i].tag);
}
uncompressed_sum += tables[i].uncompressed_length;
@ -652,9 +655,10 @@ bool ProcessGeneric(ots::FontFile *header,
}
}
// All decompressed tables uncompressed must be <= 30MB.
if (uncompressed_sum > 30 * 1024 * 1024) {
return OTS_FAILURE_MSG_HDR("uncompressed sum exceeds 30MB");
// All decompressed tables decompressed must be <= OTS_MAX_DECOMPRESSED_FILE_SIZE.
if (uncompressed_sum > OTS_MAX_DECOMPRESSED_FILE_SIZE) {
return OTS_FAILURE_MSG_HDR("decompressed sum exceeds %gMB",
OTS_MAX_DECOMPRESSED_FILE_SIZE / (1024.0 * 1024.0));
}
// check that the tables are not overlapping.

4
gfx/ots/src/ots.h
View File

@ -232,6 +232,10 @@ bool IsValidVersionTag(uint32_t tag);
#define OTS_TAG_VVAR OTS_TAG('V','V','A','R')
#define OTS_TAG_STAT OTS_TAG('S','T','A','T')
// See https://github.com/khaledhosny/ots/issues/219
#define OTS_MAX_DECOMPRESSED_FILE_SIZE 300 * 1024 * 1024
#define OTS_MAX_DECOMPRESSED_TABLE_SIZE 150 * 1024 * 1024
struct Font;
struct FontFile;
struct TableEntry;

7
gfx/ots/src/silf.cc
View File

@ -42,9 +42,10 @@ bool OpenTypeSILF::Parse(const uint8_t* data, size_t length,
if (decompressed_size == 0) {
return DropGraphite("Decompressed size is set to 0");
}
// decompressed table must be <= 30MB
if (decompressed_size > 30 * 1024 * 1024) {
return DropGraphite("Decompressed size exceeds 30MB: %gMB",
// decompressed table must be <= OTS_MAX_DECOMPRESSED_TABLE_SIZE
if (decompressed_size > OTS_MAX_DECOMPRESSED_TABLE_SIZE) {
return DropGraphite("Decompressed size exceeds %gMB: %gMB",
OTS_MAX_DECOMPRESSED_TABLE_SIZE / (1024.0 * 1024.0),
decompressed_size / (1024.0 * 1024.0));
}
std::vector<uint8_t> decompressed(decompressed_size);