commit ef9bdf6473e5ed6792707d14150c0b9c2b1f2433
Author: leigh123linux <leigh123linux(a)googlemail.com>
Date: Tue Sep 4 07:00:03 2018 +0100
Revert "delete old patches"
This reverts commit cba583b308ac29f7961450d152e9fad94e5ab369.
0077-truetype-Fix-loading-of-named-instances.patch | 67 ++++++++++++++++++++++
...uetype-ttgxvar.c-TT_Get_MM_Var-Fix-thinko.patch | 45 +++++++++++++++
freetype-2.7.1-protect-flex-handling.patch | 47 +++++++++++++++
freetype-2.7.1-safety-guard.patch | 36 ++++++++++++
freetype-2.8-getvariation.patch | 39 +++++++++++++
freetype-2.8-loop-counter.patch | 36 ++++++++++++
freetype-2.8-pcf-encoding.patch | 58 +++++++++++++++++++
7 files changed, 328 insertions(+)
---
diff --git a/0077-truetype-Fix-loading-of-named-instances.patch
b/0077-truetype-Fix-loading-of-named-instances.patch
new file mode 100644
index 0000000..26fd0bc
--- /dev/null
+++ b/0077-truetype-Fix-loading-of-named-instances.patch
@@ -0,0 +1,67 @@
+From 55bbb98f5c5a89230127d6b998a6e23e634b5d0e Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad(a)behdad.org>
+Date: Tue, 1 Aug 2017 09:17:02 +0200
+Subject: [PATCH 077/132] [truetype] Fix loading of named instances.
+
+* src/truetype/ttgxvar.c (TT_Get_MM_Var): Preserve file position
+while loading the `avar' table.
+---
+ ChangeLog | 7 +++++++
+ include/freetype/ftmm.h | 2 +-
+ src/truetype/ttgxvar.c | 11 ++++++++++-
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/include/freetype/ftmm.h b/include/freetype/ftmm.h
+index c41b80ea6..1f48a4945 100644
+--- a/include/freetype/ftmm.h
++++ b/include/freetype/ftmm.h
+@@ -178,7 +178,7 @@ FT_BEGIN_HEADER
+ /* strid :: The entry in `name' table identifying this instance. */
+ /* */
+ /* psid :: The entry in `name' table identifying a PostScript name */
+- /* for this instance. */
++ /* for this instance. Value 0 indicates a missing entry. */
+ /* */
+ typedef struct FT_Var_Named_Style_
+ {
+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
+index 68458362e..df42b3bfd 100644
+--- a/src/truetype/ttgxvar.c
++++ b/src/truetype/ttgxvar.c
+@@ -2139,8 +2139,16 @@
+ goto Exit;
+
+ if ( fvar_head.instanceCount && !face->blend->avar_loaded )
++ {
++ FT_ULong offset = FT_STREAM_POS();
++
++
+ ft_var_load_avar( face );
+
++ if ( FT_STREAM_SEEK( offset ) )
++ goto Exit;
++ }
++
+ ns = mmvar->namedstyle;
+ nsc = face->blend->normalized_stylecoords;
+ for ( i = 0; i < fvar_head.instanceCount; i++, ns++ )
+@@ -2157,6 +2165,7 @@
+ for ( j = 0; j < fvar_head.axisCount; j++, c++ )
+ *c = FT_GET_LONG();
+
++ /* valid psid values are 6 and [256;32767] */
+ if ( usePsName )
+ ns->psid = FT_GET_USHORT();
+
+@@ -2174,7 +2183,7 @@
+ SFNT_Service sfnt = (SFNT_Service)face->sfnt;
+
+ FT_Int found, dummy1, dummy2;
+- FT_UInt strid = 0xFFFFFFFFUL;
++ FT_UInt strid = ~0U;
+
+
+ /* the default instance is missing in array the */
+--
+2.13.5
+
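Review bot: In the second ttgxvar.c hunk of this patch, `ns->psid` is assigned only when `usePsName` is set, so the "Value 0 indicates a missing entry" wording added to ftmm.h has no matching assignment in the visible code. The follow-up patch 0079, restored by this same commit, adds `else ns->psid = 0xFFFF;` and corrects the documentation, so the two patches must always be applied together and in this order. The commit's diffstat lists only the seven patch files; if the package is built from an RPM spec, confirm it still carries the matching `Patch`/`%patch` entries, otherwise these fixes are back on disk but never built. The body of TT_Get_MM_Var starts and ends outside the hunk.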
diff --git a/0079-src-truetype-ttgxvar.c-TT_Get_MM_Var-Fix-thinko.patch
b/0079-src-truetype-ttgxvar.c-TT_Get_MM_Var-Fix-thinko.patch
new file mode 100644
index 0000000..e492e58
--- /dev/null
+++ b/0079-src-truetype-ttgxvar.c-TT_Get_MM_Var-Fix-thinko.patch
@@ -0,0 +1,45 @@
+From 7e50824288fac5a36c2938fdb3e1c949ea53f982 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl(a)gnu.org>
+Date: Tue, 1 Aug 2017 12:44:35 +0200
+Subject: [PATCH 079/132] * src/truetype/ttgxvar.c (TT_Get_MM_Var): Fix thinko.
+
+---
+ ChangeLog | 4 ++++
+ include/freetype/ftmm.h | 3 ++-
+ src/truetype/ttgxvar.c | 4 +++-
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/include/freetype/ftmm.h b/include/freetype/ftmm.h
+index 1f48a4945..b1bc1ed82 100644
+--- a/include/freetype/ftmm.h
++++ b/include/freetype/ftmm.h
+@@ -178,7 +178,8 @@ FT_BEGIN_HEADER
+ /* strid :: The entry in `name' table identifying this instance. */
+ /* */
+ /* psid :: The entry in `name' table identifying a PostScript name */
+- /* for this instance. Value 0 indicates a missing entry. */
++ /* for this instance. Value 0xFFFF indicates a missing */
++ /* entry. */
+ /* */
+ typedef struct FT_Var_Named_Style_
+ {
+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
+index df42b3bfd..5a87df139 100644
+--- a/src/truetype/ttgxvar.c
++++ b/src/truetype/ttgxvar.c
+@@ -2165,9 +2165,11 @@
+ for ( j = 0; j < fvar_head.axisCount; j++, c++ )
+ *c = FT_GET_LONG();
+
+- /* valid psid values are 6 and [256;32767] */
++ /* valid psid values are 6, [256;32767], and 0xFFFF */
+ if ( usePsName )
+ ns->psid = FT_GET_USHORT();
++ else
++ ns->psid = 0xFFFF;
+
+ ft_var_to_normalized( face,
+ fvar_head.axisCount,
+--
+2.13.5
+
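Review bot: The updated comment above `ns->psid = FT_GET_USHORT();` lists the valid psid values, but the value read from the font is stored without being checked against that list. The `fvar` data comes from the font file, so the comment should say where validation happens, or that none happens here, for example `/* valid psid values are 6, [256;32767], and 0xFFFF; not validated here */`. Code outside this hunk that treated 0 as "missing", as documented by patch 0077, would need to test for 0xFFFF instead.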
diff --git a/freetype-2.7.1-protect-flex-handling.patch
b/freetype-2.7.1-protect-flex-handling.patch
new file mode 100644
index 0000000..01ff261
--- /dev/null
+++ b/freetype-2.7.1-protect-flex-handling.patch
@@ -0,0 +1,47 @@
+From f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl(a)gnu.org>
+Date: Fri, 24 Mar 2017 09:15:10 +0100
+Subject: [PATCH] [psaux] Better protect `flex' handling.
+
+Reported as
+
+
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
+
+* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
+<callothersubr>: Since there is not a single flex operator but a
+series of subroutine calls, malformed fonts can call arbitrary other
+operators after the start of a flex, possibly adding points. For
+this reason we have to check the available number of points before
+inserting a point.
+---
+ ChangeLog | 15 +++++++++++++++
+ src/psaux/t1decode.c | 9 +++++++++
+ 2 files changed, 24 insertions(+)
+
+diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
+index af7b465e..7dd45135 100644
+--- a/src/psaux/t1decode.c
++++ b/src/psaux/t1decode.c
+@@ -780,10 +780,19 @@
+ /* point without adding any point to the outline */
+ idx = decoder->num_flex_vectors++;
+ if ( idx > 0 && idx < 7 )
++ {
++ /* in malformed fonts it is possible to have other */
++ /* opcodes in the middle of a flex (which don't */
++ /* increase `num_flex_vectors'); we thus have to */
++ /* check whether we can add a point */
++ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
++ goto Syntax_Error;
++
+ t1_builder_add_point( builder,
+ x,
+ y,
+ (FT_Byte)( idx == 3 || idx == 6 ) );
++ }
+ }
+ break;
+
+--
+2.12.2
+
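Review bot: In the added guard, `FT_SET_ERROR( t1_builder_check_points( builder, 1 ) )` stores the builder's error code, but the branch then jumps to `Syntax_Error`, which presumably reports a syntax error and so discards that code. A failure to grow the outline (an allocation failure, for example) would then surface as a malformed-font error. If the function has a label that returns `error` as set, jumping there keeps the real cause; the labels are outside this hunk, so this needs checking against the full t1_decoder_parse_charstrings body. Otherwise add a short comment that every failure here is deliberately reported as a syntax error.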
diff --git a/freetype-2.7.1-safety-guard.patch b/freetype-2.7.1-safety-guard.patch
new file mode 100644
index 0000000..65ee149
--- /dev/null
+++ b/freetype-2.7.1-safety-guard.patch
@@ -0,0 +1,36 @@
+From 3774fc08b502c3e685afca098b6e8a195aded6a0 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl(a)gnu.org>
+Date: Sun, 26 Mar 2017 08:32:09 +0200
+Subject: [PATCH] * src/psaux/psobjs.c (t1_builder_close_contour): Add safety
+ guard.
+
+Reported as
+
+
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941
+---
+ ChangeLog | 8 ++++++++
+ src/psaux/psobjs.c | 8 ++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c
+index d18e821a..0baf8368 100644
+--- a/src/psaux/psobjs.c
++++ b/src/psaux/psobjs.c
+@@ -1718,6 +1718,14 @@
+ first = outline->n_contours <= 1
+ ? 0 : outline->contours[outline->n_contours - 2] + 1;
+
++ /* in malformed fonts it can happen that a contour was started */
++ /* but no points were added */
++ if ( outline->n_contours && first == outline->n_points )
++ {
++ outline->n_contours--;
++ return;
++ }
++
+ /* We must not include the last point in the path if it */
+ /* is located on the first point. */
+ if ( outline->n_points > 1 )
+--
+2.12.2
+
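Review bot: The added early `return` in t1_builder_close_contour drops an empty contour silently, so a malformed font that triggers this recovery leaves no trace for whoever later debugs a missing outline. Assuming the file uses FreeType's trace macros, a line such as `FT_TRACE4(( "t1_builder_close_contour: dropping empty contour\n" ));` before `outline->n_contours--;` would make it visible. The comment could also say what the guard protects: with `first == outline->n_points`, code later in the function (outside this hunk) would presumably address a point at index `first` that does not exist.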
diff --git a/freetype-2.8-getvariation.patch b/freetype-2.8-getvariation.patch
new file mode 100644
index 0000000..7e0ecf9
--- /dev/null
+++ b/freetype-2.8-getvariation.patch
@@ -0,0 +1,39 @@
+From 29c759284e305ec428703c9a5831d0b1fc3497ef Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl(a)gnu.org>
+Date: Sat, 27 Jan 2018 14:43:43 +0100
+Subject: [PATCH] * src/truetype/ttinterp.c (Ins_GETVARIATION): Avoid NULL
+ reference.
+
+Reported as
+
+
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5736
+---
+ src/truetype/ttinterp.c | 12 ++++++++++--
+ 1 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
+index d855aaaa9..551f14a2e 100644
+--- a/src/truetype/ttinterp.c
++++ b/src/truetype/ttinterp.c
+@@ -7470,8 +7470,16 @@
+ return;
+ }
+
+- for ( i = 0; i < num_axes; i++ )
+- args[i] = coords[i] >> 2; /* convert 16.16 to 2.14 format */
++ if ( coords )
++ {
++ for ( i = 0; i < num_axes; i++ )
++ args[i] = coords[i] >> 2; /* convert 16.16 to 2.14 format */
++ }
++ else
++ {
++ for ( i = 0; i < num_axes; i++ )
++ args[i] = 0;
++ }
+ }
+
+
+--
+2.14.3
+
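Review bot: The two loops added in Ins_GETVARIATION differ only in the value stored, so the NULL guard can sit inside a single loop: `args[i] = coords ? coords[i] >> 2 : 0; /* 16.16 -> 2.14; 0 if no coords */`. This keeps the bound `i < num_axes` in one place and makes it harder for a later edit to change one loop and not the other. A one-line comment saying when `coords` can be NULL (the assignment is outside this hunk) would also help, since the patch subject is the only place that currently explains it.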
diff --git a/freetype-2.8-loop-counter.patch b/freetype-2.8-loop-counter.patch
new file mode 100644
index 0000000..61e9052
--- /dev/null
+++ b/freetype-2.8-loop-counter.patch
@@ -0,0 +1,36 @@
+From 8d435c463d22f6de35015b244d6f9bb433beb7e6 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl(a)gnu.org>
+Date: Thu, 1 Jun 2017 07:09:44 +0200
+Subject: [PATCH] * src/truetype/ttinterp.c (TT_RunIns): Adjust loop counter
+ again.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Problem reported by Marek Kašík <mkasik(a)redhat.com>.
+
+The problematic font that exceeds the old limit is Padauk-Bold,
+version 3.002, containing bytecode generated by a buggy version of
+ttfautohint.
+---
+ ChangeLog | 10 ++++++++++
+ src/truetype/ttinterp.c | 3 +--
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
+index 0c48c256..775d1104 100644
+--- a/src/truetype/ttinterp.c
++++ b/src/truetype/ttinterp.c
+@@ -7649,8 +7649,7 @@
+ FT_MAX( 50,
+ exc->cvtSize / 10 );
+ else
+- exc->loopcall_counter_max = FT_MAX( 100,
+- 10 * exc->cvtSize );
++ exc->loopcall_counter_max = 300 + 8 * exc->cvtSize;
+
+ /* as a protection against an unreasonable number of CVT entries */
+ /* we assume at most 100 control values per glyph for the counter */
+--
+2.13.0
+
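Review bot: The new limit `300 + 8 * exc->cvtSize` uses two unexplained constants, and the code does not record that they were chosen to let one specific font's bytecode run (per the patch description). `loopcall_counter_max` bounds how much work bytecode from a font may request, so a future reader needs to know what the numbers protect against and what they were tuned for. I would add a comment such as `/* empirical: large enough for bytecode from buggy ttfautohint versions */` above the assignment. The multiplication involves a font-derived `cvtSize`; the context comment suggests a cap follows, but it is outside this hunk.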
diff --git a/freetype-2.8-pcf-encoding.patch b/freetype-2.8-pcf-encoding.patch
new file mode 100644
index 0000000..fd1c706
--- /dev/null
+++ b/freetype-2.8-pcf-encoding.patch
@@ -0,0 +1,58 @@
+From 082f2faf5007812bac6a1f783c7dcc6f49d761fe Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl(a)gnu.org>
+Date: Wed, 24 May 2017 07:40:46 +0200
+Subject: [PATCH] [bdf, pcf] Support ISO646.1991-IRV character encoding (aka
+ ASCII).
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Problem reported by Marek Kašík <mkasik(a)redhat.com>, cf.
+
+
https://bugzilla.redhat.com/show_bug.cgi?id=1451795
+
+* src/bdf/bdfdrivr.c (BDF_Face_Init), src/pcf/pcfdrivr.c
+(PCF_Face_Init): Implement it.
+---
+ ChangeLog | 11 +++++++++++
+ src/bdf/bdfdrivr.c | 6 +++++-
+ src/pcf/pcfdrivr.c | 6 +++++-
+ 3 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/src/bdf/bdfdrivr.c b/src/bdf/bdfdrivr.c
+index a2242be0..c0a5a5c5 100644
+--- a/src/bdf/bdfdrivr.c
++++ b/src/bdf/bdfdrivr.c
+@@ -545,7 +545,11 @@ THE SOFTWARE.
+ if ( !ft_strcmp( s, "10646" ) ||
+ ( !ft_strcmp( s, "8859" ) &&
+ !ft_strcmp( face->charset_encoding, "1" ) ) )
+- unicode_charmap = 1;
++ unicode_charmap = 1;
++ /* another name for ASCII */
++ else if ( !ft_strcmp( s, "646.1991" )
&&
++ !ft_strcmp( face->charset_encoding, "IRV" ) )
++ unicode_charmap = 1;
+ }
+
+ {
+diff --git a/src/pcf/pcfdrivr.c b/src/pcf/pcfdrivr.c
+index 9f4d36d1..50530941 100644
+--- a/src/pcf/pcfdrivr.c
++++ b/src/pcf/pcfdrivr.c
+@@ -387,7 +387,11 @@ THE SOFTWARE.
+ if ( !ft_strcmp( s, "10646" ) ||
+ ( !ft_strcmp( s, "8859" ) &&
+ !ft_strcmp( face->charset_encoding, "1" ) ) )
+- unicode_charmap = 1;
++ unicode_charmap = 1;
++ /* another name for ASCII */
++ else if ( !ft_strcmp( s, "646.1991" ) &&
++ !ft_strcmp( face->charset_encoding, "IRV" ) )
++ unicode_charmap = 1;
+ }
+ }
+
+--
+2.13.0
+
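Review bot: The comment `/* another name for ASCII */` added in both bdfdrivr.c and pcfdrivr.c does not name the encoding that the two string compares actually match. A reader has to combine `"646.1991"` and `"IRV"` with the patch subject to get ISO646.1991-IRV. I would write `/* ISO646.1991-IRV is another name for ASCII */`. The identical condition is now duplicated in both drivers, so any later change to the accepted registry/encoding pairs has to be made in two places. Both enclosing Face_Init functions start and end outside the hunks.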