cff.cc (39740B)
1 // Copyright (c) 2012-2017 The OTS Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "cff.h" 6 7 #include <cstring> 8 #include <utility> 9 #include <vector> 10 11 #include "maxp.h" 12 #include "cff_charstring.h" 13 #include "variations.h" 14 15 // CFF - PostScript font program (Compact Font Format) table 16 // http://www.microsoft.com/typography/otspec/cff.htm 17 // http://www.microsoft.com/typography/otspec/cffspec.htm 18 19 #define TABLE_NAME "CFF" 20 21 namespace { 22 23 enum DICT_OPERAND_TYPE { 24 DICT_OPERAND_INTEGER, 25 DICT_OPERAND_REAL, 26 DICT_OPERATOR, 27 }; 28 29 enum DICT_DATA_TYPE { 30 DICT_DATA_TOPLEVEL, 31 DICT_DATA_FDARRAY, 32 DICT_DATA_PRIVATE, 33 }; 34 35 enum FONT_FORMAT { 36 FORMAT_UNKNOWN, 37 FORMAT_CID_KEYED, 38 FORMAT_OTHER, // Including synthetic fonts 39 }; 40 41 // see Appendix. A 42 const size_t kNStdString = 390; 43 44 typedef std::pair<int32_t, DICT_OPERAND_TYPE> Operand; 45 46 bool ReadOffset(ots::Buffer &table, uint8_t off_size, uint32_t *offset) { 47 if (off_size > 4) { 48 return OTS_FAILURE(); 49 } 50 51 uint32_t tmp32 = 0; 52 for (unsigned i = 0; i < off_size; ++i) { 53 uint8_t tmp8 = 0; 54 if (!table.ReadU8(&tmp8)) { 55 return OTS_FAILURE(); 56 } 57 tmp32 <<= 8; 58 tmp32 += tmp8; 59 } 60 *offset = tmp32; 61 return true; 62 } 63 64 bool ParseIndex(ots::Buffer &table, ots::CFFIndex &index, bool cff2 = false) { 65 index.off_size = 0; 66 index.offsets.clear(); 67 68 if (cff2) { 69 if (!table.ReadU32(&(index.count))) { 70 return OTS_FAILURE(); 71 } 72 } else { 73 uint16_t count; 74 if (!table.ReadU16(&count)) { 75 return OTS_FAILURE(); 76 } 77 index.count = count; 78 } 79 80 if (index.count == 0) { 81 // An empty INDEX. 82 index.offset_to_next = table.offset(); 83 return true; 84 } 85 86 if (!table.ReadU8(&(index.off_size))) { 87 return OTS_FAILURE(); 88 } 89 if (index.off_size < 1 || index.off_size > 4) { 90 return OTS_FAILURE(); 91 } 92 93 const size_t array_size = (index.count + 1) * index.off_size; 94 // less than ((64k + 1) * 4), thus does not overflow. 95 const size_t object_data_offset = table.offset() + array_size; 96 // does not overflow too, since offset() <= 1GB. 97 98 if (object_data_offset >= table.length()) { 99 return OTS_FAILURE(); 100 } 101 102 for (unsigned i = 0; i <= index.count; ++i) { // '<=' is not a typo. 103 uint32_t rel_offset = 0; 104 if (!ReadOffset(table, index.off_size, &rel_offset)) { 105 return OTS_FAILURE(); 106 } 107 if (rel_offset < 1) { 108 return OTS_FAILURE(); 109 } 110 if (i == 0 && rel_offset != 1) { 111 return OTS_FAILURE(); 112 } 113 114 if (rel_offset > table.length()) { 115 return OTS_FAILURE(); 116 } 117 118 // does not underflow. 119 if (object_data_offset > table.length() - (rel_offset - 1)) { 120 return OTS_FAILURE(); 121 } 122 123 index.offsets.push_back( 124 object_data_offset + (rel_offset - 1)); // less than length(), 1GB. 125 } 126 127 for (unsigned i = 1; i < index.offsets.size(); ++i) { 128 // We allow consecutive identical offsets here for zero-length strings. 129 // See http://crbug.com/69341 for more details. 130 if (index.offsets[i] < index.offsets[i - 1]) { 131 return OTS_FAILURE(); 132 } 133 } 134 135 index.offset_to_next = index.offsets.back(); 136 return true; 137 } 138 139 bool ParseNameData( 140 ots::Buffer *table, const ots::CFFIndex &index, std::string* out_name) { 141 uint8_t name[256] = {0}; 142 143 const size_t length = index.offsets[1] - index.offsets[0]; 144 // font names should be no longer than 127 characters. 145 if (length > 127) { 146 return OTS_FAILURE(); 147 } 148 149 table->set_offset(index.offsets[0]); 150 if (!table->Read(name, length)) { 151 return OTS_FAILURE(); 152 } 153 154 for (size_t i = 0; i < length; ++i) { 155 // setting the first byte to NUL is allowed. 156 if (i == 0 && name[i] == 0) continue; 157 // non-ASCII characters are not recommended (except the first character). 158 if (name[i] < 33 || name[i] > 126) { 159 return OTS_FAILURE(); 160 } 161 // [, ], ... are not allowed. 162 if (std::strchr("[](){}<>/% ", name[i])) { 163 return OTS_FAILURE(); 164 } 165 } 166 167 *out_name = reinterpret_cast<char *>(name); 168 return true; 169 } 170 171 bool CheckOffset(const Operand& operand, size_t table_length) { 172 if (operand.second != DICT_OPERAND_INTEGER) { 173 return OTS_FAILURE(); 174 } 175 if (operand.first >= static_cast<int32_t>(table_length) || operand.first < 0) { 176 return OTS_FAILURE(); 177 } 178 return true; 179 } 180 181 bool CheckSid(const Operand& operand, size_t sid_max) { 182 if (operand.second != DICT_OPERAND_INTEGER) { 183 return OTS_FAILURE(); 184 } 185 if (operand.first > static_cast<int32_t>(sid_max) || operand.first < 0) { 186 return OTS_FAILURE(); 187 } 188 return true; 189 } 190 191 bool ParseDictDataBcd(ots::Buffer &table, std::vector<Operand> &operands) { 192 bool read_decimal_point = false; 193 bool read_e = false; 194 195 uint8_t nibble = 0; 196 size_t count = 0; 197 while (true) { 198 if (!table.ReadU8(&nibble)) { 199 return OTS_FAILURE(); 200 } 201 if ((nibble & 0xf0) == 0xf0) { 202 if ((nibble & 0xf) == 0xf) { 203 // TODO(yusukes): would be better to store actual double value, 204 // rather than the dummy integer. 205 operands.push_back(std::make_pair(0, DICT_OPERAND_REAL)); 206 return true; 207 } 208 return OTS_FAILURE(); 209 } 210 if ((nibble & 0x0f) == 0x0f) { 211 operands.push_back(std::make_pair(0, DICT_OPERAND_REAL)); 212 return true; 213 } 214 215 // check number format 216 uint8_t nibbles[2]; 217 nibbles[0] = (nibble & 0xf0) >> 8; 218 nibbles[1] = (nibble & 0x0f); 219 for (unsigned i = 0; i < 2; ++i) { 220 if (nibbles[i] == 0xd) { // reserved number 221 return OTS_FAILURE(); 222 } 223 if ((nibbles[i] == 0xe) && // minus 224 ((count > 0) || (i > 0))) { 225 return OTS_FAILURE(); // minus sign should be the first character. 226 } 227 if (nibbles[i] == 0xa) { // decimal point 228 if (!read_decimal_point) { 229 read_decimal_point = true; 230 } else { 231 return OTS_FAILURE(); // two or more points. 232 } 233 } 234 if ((nibbles[i] == 0xb) || // E+ 235 (nibbles[i] == 0xc)) { // E- 236 if (!read_e) { 237 read_e = true; 238 } else { 239 return OTS_FAILURE(); // two or more E's. 240 } 241 } 242 } 243 ++count; 244 } 245 } 246 247 bool ParseDictDataEscapedOperator(ots::Buffer &table, 248 std::vector<Operand> &operands) { 249 uint8_t op = 0; 250 if (!table.ReadU8(&op)) { 251 return OTS_FAILURE(); 252 } 253 254 if ((op <= 14) || 255 (op >= 17 && op <= 23) || 256 (op >= 30 && op <= 38)) { 257 operands.push_back(std::make_pair((12 << 8) + op, DICT_OPERATOR)); 258 return true; 259 } 260 261 // reserved area. 262 return OTS_FAILURE(); 263 } 264 265 bool ParseDictDataNumber(ots::Buffer &table, uint8_t b0, 266 std::vector<Operand> &operands) { 267 uint8_t b1 = 0; 268 uint8_t b2 = 0; 269 uint8_t b3 = 0; 270 uint8_t b4 = 0; 271 272 switch (b0) { 273 case 28: // shortint 274 if (!table.ReadU8(&b1) || 275 !table.ReadU8(&b2)) { 276 return OTS_FAILURE(); 277 } 278 //the two-byte value needs to be casted to int16_t in order to get the right sign 279 operands.push_back(std::make_pair( 280 static_cast<int16_t>((b1 << 8) + b2), DICT_OPERAND_INTEGER)); 281 return true; 282 283 case 29: // longint 284 if (!table.ReadU8(&b1) || 285 !table.ReadU8(&b2) || 286 !table.ReadU8(&b3) || 287 !table.ReadU8(&b4)) { 288 return OTS_FAILURE(); 289 } 290 operands.push_back(std::make_pair( 291 (b1 << 24) + (b2 << 16) + (b3 << 8) + b4, 292 DICT_OPERAND_INTEGER)); 293 return true; 294 295 case 30: // binary coded decimal 296 return ParseDictDataBcd(table, operands); 297 298 default: 299 break; 300 } 301 302 int32_t result; 303 if (b0 >=32 && b0 <=246) { 304 result = b0 - 139; 305 } else if (b0 >=247 && b0 <= 250) { 306 if (!table.ReadU8(&b1)) { 307 return OTS_FAILURE(); 308 } 309 result = (b0 - 247) * 256 + b1 + 108; 310 } else if (b0 >= 251 && b0 <= 254) { 311 if (!table.ReadU8(&b1)) { 312 return OTS_FAILURE(); 313 } 314 result = -(b0 - 251) * 256 + b1 - 108; 315 } else { 316 return OTS_FAILURE(); 317 } 318 319 operands.push_back(std::make_pair(result, DICT_OPERAND_INTEGER)); 320 return true; 321 } 322 323 bool ParseDictDataReadNext(ots::Buffer &table, 324 std::vector<Operand> &operands) { 325 uint8_t op = 0; 326 if (!table.ReadU8(&op)) { 327 return OTS_FAILURE(); 328 } 329 if (op <= 24) { 330 if (op == 12) { 331 return ParseDictDataEscapedOperator(table, operands); 332 } 333 operands.push_back(std::make_pair( 334 static_cast<int32_t>(op), DICT_OPERATOR)); 335 return true; 336 } else if (op <= 27 || op == 31 || op == 255) { 337 // reserved area. 338 return OTS_FAILURE(); 339 } 340 341 return ParseDictDataNumber(table, op, operands); 342 } 343 344 bool OperandsOverflow(std::vector<Operand>& operands, bool cff2) { 345 // An operator may be preceded by up to a maximum of 48 operands in CFF1 and 346 // 513 operands in CFF2. 347 if ((cff2 && operands.size() > ots::kMaxCFF2ArgumentStack) || 348 (!cff2 && operands.size() > ots::kMaxCFF1ArgumentStack)) { 349 return true; 350 } 351 return false; 352 } 353 354 bool ParseDictDataReadOperands(ots::Buffer& dict, 355 std::vector<Operand>& operands, 356 bool cff2) { 357 if (!ParseDictDataReadNext(dict, operands)) { 358 return OTS_FAILURE(); 359 } 360 if (operands.empty()) { 361 return OTS_FAILURE(); 362 } 363 if (OperandsOverflow(operands, cff2)) { 364 return OTS_FAILURE(); 365 } 366 return true; 367 } 368 369 bool ValidCFF2DictOp(int32_t op, DICT_DATA_TYPE type) { 370 if (type == DICT_DATA_TOPLEVEL) { 371 switch (op) { 372 case (12 << 8) + 7: // FontMatrix 373 case 17: // CharStrings 374 case (12 << 8) + 36: // FDArray 375 case (12 << 8) + 37: // FDSelect 376 case 24: // vstore 377 return true; 378 default: 379 return false; 380 } 381 } else if (type == DICT_DATA_FDARRAY) { 382 if (op == 18) // Private DICT 383 return true; 384 } else if (type == DICT_DATA_PRIVATE) { 385 switch (op) { 386 case (12 << 8) + 14: // ForceBold 387 case (12 << 8) + 19: // initialRandomSeed 388 case 20: // defaultWidthX 389 case 21: // nominalWidthX 390 return false; 391 default: 392 return true; 393 } 394 } 395 396 return false; 397 } 398 399 bool ParsePrivateDictData( 400 ots::Buffer &table, size_t offset, size_t dict_length, 401 DICT_DATA_TYPE type, ots::OpenTypeCFF *out_cff) { 402 ots::Buffer dict(table.buffer() + offset, dict_length); 403 std::vector<Operand> operands; 404 bool cff2 = (out_cff->major == 2); 405 bool blend_seen = false; 406 int32_t vsindex = 0; 407 408 // Since a Private DICT for FDArray might not have a Local Subr (e.g. Hiragino 409 // Kaku Gothic Std W8), we create an empty Local Subr here to match the size 410 // of FDArray the size of |local_subrs_per_font|. 411 // For CFF2, |vsindex_per_font| gets a similar treatment. 412 if (type == DICT_DATA_FDARRAY) { 413 out_cff->local_subrs_per_font.push_back(new ots::CFFIndex); 414 if (cff2) { 415 out_cff->vsindex_per_font.push_back(vsindex); 416 } 417 } 418 419 while (dict.offset() < dict.length()) { 420 if (!ParseDictDataReadOperands(dict, operands, cff2)) { 421 return OTS_FAILURE(); 422 } 423 if (operands.back().second != DICT_OPERATOR) { 424 continue; 425 } 426 427 // got operator 428 const int32_t op = operands.back().first; 429 operands.pop_back(); 430 431 if (cff2 && !ValidCFF2DictOp(op, DICT_DATA_PRIVATE)) { 432 return OTS_FAILURE(); 433 } 434 435 bool clear_operands = true; 436 switch (op) { 437 // hints 438 case 6: // BlueValues 439 case 7: // OtherBlues 440 case 8: // FamilyBlues 441 case 9: // FamilyOtherBlues 442 if ((operands.size() % 2) != 0) { 443 return OTS_FAILURE(); 444 } 445 break; 446 447 // array 448 case (12 << 8) + 12: // StemSnapH (delta) 449 case (12 << 8) + 13: // StemSnapV (delta) 450 if (operands.empty()) { 451 return OTS_FAILURE(); 452 } 453 break; 454 455 // number 456 case 10: // StdHW 457 case 11: // StdVW 458 case 20: // defaultWidthX 459 case 21: // nominalWidthX 460 case (12 << 8) + 9: // BlueScale 461 case (12 << 8) + 10: // BlueShift 462 case (12 << 8) + 11: // BlueFuzz 463 case (12 << 8) + 17: // LanguageGroup 464 case (12 << 8) + 18: // ExpansionFactor 465 case (12 << 8) + 19: // initialRandomSeed 466 if (operands.size() != 1) { 467 return OTS_FAILURE(); 468 } 469 break; 470 471 // Local Subrs INDEX, offset(self) 472 case 19: { 473 if (operands.size() != 1) { 474 return OTS_FAILURE(); 475 } 476 if (operands.back().second != DICT_OPERAND_INTEGER) { 477 return OTS_FAILURE(); 478 } 479 // In theory a negative operand could occur here, if the Local Subrs 480 // were stored before the Private dict, but this does not seem to be 481 // well supported by implementations, and mishandling of a negative 482 // offset (e.g. by using unsigned offset arithmetic) might become a 483 // vector for exploitation. AFAIK no major font creation tool will 484 // generate such an offset, so to be on the safe side, we don't allow 485 // it here. 486 if (operands.back().first >= 1024 * 1024 * 1024 || operands.back().first < 0) { 487 return OTS_FAILURE(); 488 } 489 if (operands.back().first + offset >= table.length()) { 490 return OTS_FAILURE(); 491 } 492 // parse "16. Local Subrs INDEX" 493 table.set_offset(operands.back().first + offset); 494 ots::CFFIndex *local_subrs_index = NULL; 495 if (type == DICT_DATA_FDARRAY) { 496 if (out_cff->local_subrs_per_font.empty()) { 497 return OTS_FAILURE(); // not reached. 498 } 499 local_subrs_index = out_cff->local_subrs_per_font.back(); 500 } else { // type == DICT_DATA_TOPLEVEL 501 if (out_cff->local_subrs) { 502 return OTS_FAILURE(); // two or more local_subrs? 503 } 504 local_subrs_index = new ots::CFFIndex; 505 out_cff->local_subrs = local_subrs_index; 506 } 507 if (!ParseIndex(table, *local_subrs_index, cff2)) { 508 return OTS_FAILURE(); 509 } 510 break; 511 } 512 513 // boolean 514 case (12 << 8) + 14: // ForceBold 515 if (operands.size() != 1) { 516 return OTS_FAILURE(); 517 } 518 if (operands.back().second != DICT_OPERAND_INTEGER) { 519 return OTS_FAILURE(); 520 } 521 if (operands.back().first >= 2 || operands.back().first < 0) { 522 return OTS_FAILURE(); 523 } 524 break; 525 526 case 22: { // vsindex 527 if (!cff2) { 528 return OTS_FAILURE(); 529 } 530 if (operands.size() != 1) { 531 return OTS_FAILURE(); 532 } 533 if (operands.back().second != DICT_OPERAND_INTEGER) { 534 return OTS_FAILURE(); 535 } 536 if (blend_seen) { 537 return OTS_FAILURE(); 538 } 539 vsindex = operands.back().first; 540 if (vsindex < 0 || 541 vsindex >= static_cast<int32_t>(out_cff->region_index_count.size())) { 542 return OTS_FAILURE(); 543 } 544 out_cff->vsindex_per_font.back() = vsindex; 545 break; 546 } 547 548 case 23: { // blend 549 if (!cff2) { 550 return OTS_FAILURE(); 551 } 552 if (operands.size() < 1) { 553 return OTS_FAILURE(); 554 } 555 if (vsindex >= static_cast<int32_t>(out_cff->region_index_count.size())) { 556 return OTS_FAILURE(); 557 } 558 uint16_t k = out_cff->region_index_count.at(vsindex); 559 560 if (operands.back().first > static_cast<uint16_t>(0xffff) || operands.back().first < 0){ 561 return OTS_FAILURE(); 562 } 563 uint16_t n = static_cast<uint16_t>(operands.back().first); 564 if (operands.size() < n * (k + 1) + 1) { 565 return OTS_FAILURE(); 566 } 567 size_t operands_size = operands.size(); 568 // Keep the 1st n operands on the stack for the next operator to use 569 // and pop the rest. There can be multiple consecutive blend operator, 570 // so this makes sure the operands of all of them are kept on the 571 // stack. 572 while (operands.size() > operands_size - ((n * k) + 1)) 573 operands.pop_back(); 574 clear_operands = false; 575 blend_seen = true; 576 break; 577 } 578 579 default: 580 return OTS_FAILURE(); 581 } 582 if (clear_operands) { 583 operands.clear(); 584 } 585 } 586 587 return true; 588 } 589 590 bool ParseVariationStore(ots::OpenTypeCFF& out_cff, ots::Buffer& table) { 591 uint16_t length; 592 593 if (!table.ReadU16(&length)) { 594 return OTS_FAILURE(); 595 } 596 597 // Empty VariationStore is allowed. 598 if (!length) { 599 return true; 600 } 601 602 if (length > table.remaining()) { 603 return OTS_FAILURE(); 604 } 605 606 if (!ParseItemVariationStore(out_cff.GetFont(), 607 table.buffer() + table.offset(), length, 608 &(out_cff.region_index_count))) { 609 return OTS_FAILURE(); 610 } 611 612 return true; 613 } 614 615 bool ParseDictData(ots::Buffer& table, ots::Buffer& dict, 616 uint16_t glyphs, size_t sid_max, DICT_DATA_TYPE type, 617 ots::OpenTypeCFF *out_cff); 618 619 bool ParseDictData(ots::Buffer& table, const ots::CFFIndex &index, 620 uint16_t glyphs, size_t sid_max, DICT_DATA_TYPE type, 621 ots::OpenTypeCFF *out_cff) { 622 for (unsigned i = 1; i < index.offsets.size(); ++i) { 623 size_t dict_length = index.offsets[i] - index.offsets[i - 1]; 624 ots::Buffer dict(table.buffer() + index.offsets[i - 1], dict_length); 625 626 if (!ParseDictData(table, dict, glyphs, sid_max, type, out_cff)) { 627 return OTS_FAILURE(); 628 } 629 } 630 return true; 631 } 632 633 bool ParseDictData(ots::Buffer& table, ots::Buffer& dict, 634 uint16_t glyphs, size_t sid_max, DICT_DATA_TYPE type, 635 ots::OpenTypeCFF *out_cff) { 636 bool cff2 = (out_cff->major == 2); 637 std::vector<Operand> operands; 638 639 FONT_FORMAT font_format = FORMAT_UNKNOWN; 640 bool have_ros = false; 641 bool have_charstrings = false; 642 bool have_vstore = false; 643 size_t charset_offset = 0; 644 bool have_private = false; 645 646 if (cff2) { 647 // Parse VariationStore first, since it might be referenced in other places 648 // (e.g. FDArray) that might be parsed after it. 649 size_t dict_offset = dict.offset(); 650 while (dict.offset() < dict.length()) { 651 if (!ParseDictDataReadOperands(dict, operands, cff2)) { 652 return OTS_FAILURE(); 653 } 654 if (operands.back().second != DICT_OPERATOR) continue; 655 656 // got operator 657 const int32_t op = operands.back().first; 658 operands.pop_back(); 659 660 if (op == 18 && type == DICT_DATA_FDARRAY) { 661 have_private = true; 662 } 663 664 if (op == 24) { // vstore 665 if (type != DICT_DATA_TOPLEVEL) { 666 return OTS_FAILURE(); 667 } 668 if (operands.size() != 1) { 669 return OTS_FAILURE(); 670 } 671 if (!CheckOffset(operands.back(), table.length())) { 672 return OTS_FAILURE(); 673 } 674 // parse "VariationStore Data Contents" 675 table.set_offset(operands.back().first); 676 if (!ParseVariationStore(*out_cff, table)) { 677 return OTS_FAILURE(); 678 } 679 break; 680 } 681 operands.clear(); 682 } 683 operands.clear(); 684 dict.set_offset(dict_offset); 685 686 if (type == DICT_DATA_FDARRAY && !have_private) { 687 return OTS_FAILURE(); // CFF2 FD must have PrivateDICT entry (even if 0, 0) 688 } 689 690 } 691 692 while (dict.offset() < dict.length()) { 693 if (!ParseDictDataReadOperands(dict, operands, cff2)) { 694 return OTS_FAILURE(); 695 } 696 if (operands.back().second != DICT_OPERATOR) continue; 697 698 // got operator 699 const int32_t op = operands.back().first; 700 operands.pop_back(); 701 702 if (cff2 && !ValidCFF2DictOp(op, type)) { 703 return OTS_FAILURE(); 704 } 705 706 switch (op) { 707 // SID 708 case 0: // version 709 case 1: // Notice 710 case 2: // Copyright 711 case 3: // FullName 712 case 4: // FamilyName 713 case (12 << 8) + 0: // Copyright 714 case (12 << 8) + 21: // PostScript 715 case (12 << 8) + 22: // BaseFontName 716 case (12 << 8) + 38: // FontName 717 if (operands.size() != 1) { 718 return OTS_FAILURE(); 719 } 720 if (!CheckSid(operands.back(), sid_max)) { 721 return OTS_FAILURE(); 722 } 723 break; 724 725 // array 726 case 5: // FontBBox 727 case 14: // XUID 728 case (12 << 8) + 7: // FontMatrix 729 case (12 << 8) + 23: // BaseFontBlend (delta) 730 if (operands.empty()) { 731 return OTS_FAILURE(); 732 } 733 break; 734 735 // number 736 case 13: // UniqueID 737 case (12 << 8) + 2: // ItalicAngle 738 case (12 << 8) + 3: // UnderlinePosition 739 case (12 << 8) + 4: // UnderlineThickness 740 case (12 << 8) + 5: // PaintType 741 case (12 << 8) + 8: // StrokeWidth 742 case (12 << 8) + 20: // SyntheticBase 743 if (operands.size() != 1) { 744 return OTS_FAILURE(); 745 } 746 break; 747 case (12 << 8) + 31: // CIDFontVersion 748 case (12 << 8) + 32: // CIDFontRevision 749 case (12 << 8) + 33: // CIDFontType 750 case (12 << 8) + 34: // CIDCount 751 case (12 << 8) + 35: // UIDBase 752 if (operands.size() != 1) { 753 return OTS_FAILURE(); 754 } 755 if (font_format != FORMAT_CID_KEYED) { 756 return OTS_FAILURE(); 757 } 758 break; 759 case (12 << 8) + 6: // CharstringType 760 if (operands.size() != 1) { 761 return OTS_FAILURE(); 762 } 763 if(operands.back().second != DICT_OPERAND_INTEGER) { 764 return OTS_FAILURE(); 765 } 766 if (operands.back().first != 2) { 767 // We only support the "Type 2 Charstring Format." 768 // TODO(yusukes): Support Type 1 format? Is that still in use? 769 return OTS_FAILURE(); 770 } 771 break; 772 773 // boolean 774 case (12 << 8) + 1: // isFixedPitch 775 if (operands.size() != 1) { 776 return OTS_FAILURE(); 777 } 778 if (operands.back().second != DICT_OPERAND_INTEGER) { 779 return OTS_FAILURE(); 780 } 781 if (operands.back().first >= 2 || operands.back().first < 0) { 782 return OTS_FAILURE(); 783 } 784 break; 785 786 // offset(0) 787 case 15: // charset 788 if (operands.size() != 1) { 789 return OTS_FAILURE(); 790 } 791 if (operands.back().first <= 2 && operands.back().first >= 0) { 792 // predefined charset, ISOAdobe, Expert or ExpertSubset, is used. 793 break; 794 } 795 if (!CheckOffset(operands.back(), table.length())) { 796 return OTS_FAILURE(); 797 } 798 if (charset_offset) { 799 return OTS_FAILURE(); // multiple charset tables? 800 } 801 charset_offset = operands.back().first; 802 break; 803 804 case 16: { // Encoding 805 if (operands.size() != 1) { 806 return OTS_FAILURE(); 807 } 808 if (operands.back().first <= 1 && operands.back().first >= 0) { 809 break; // predefined encoding, "Standard" or "Expert", is used. 810 } 811 if (!CheckOffset(operands.back(), table.length())) { 812 return OTS_FAILURE(); 813 } 814 815 table.set_offset(operands.back().first); 816 uint8_t format = 0; 817 if (!table.ReadU8(&format)) { 818 return OTS_FAILURE(); 819 } 820 if (format & 0x80) { 821 // supplemental encoding is not supported at the moment. 822 return OTS_FAILURE(); 823 } 824 // TODO(yusukes): support & parse supplemental encoding tables. 825 break; 826 } 827 828 case 17: { // CharStrings 829 if (type != DICT_DATA_TOPLEVEL) { 830 return OTS_FAILURE(); 831 } 832 if (operands.size() != 1) { 833 return OTS_FAILURE(); 834 } 835 if (!CheckOffset(operands.back(), table.length())) { 836 return OTS_FAILURE(); 837 } 838 // parse "14. CharStrings INDEX" 839 table.set_offset(operands.back().first); 840 ots::CFFIndex *charstring_index = out_cff->charstrings_index; 841 if (!ParseIndex(table, *charstring_index, cff2)) { 842 return OTS_FAILURE(); 843 } 844 if (charstring_index->count < 2) { 845 return OTS_FAILURE(); 846 } 847 if (have_charstrings) { 848 return OTS_FAILURE(); // multiple charstring tables? 849 } 850 have_charstrings = true; 851 if (charstring_index->count != glyphs) { 852 return OTS_FAILURE(); // CFF and maxp have different number of glyphs? 853 } 854 break; 855 } 856 857 case 24: { // vstore 858 if (!cff2) { 859 return OTS_FAILURE(); 860 } 861 if (have_vstore) { 862 return OTS_FAILURE(); // multiple vstore tables? 863 } 864 have_vstore = true; 865 // parsed above. 866 break; 867 } 868 869 case (12 << 8) + 36: { // FDArray 870 if (type != DICT_DATA_TOPLEVEL) { 871 return OTS_FAILURE(); 872 } 873 if (operands.size() != 1) { 874 return OTS_FAILURE(); 875 } 876 if (!CheckOffset(operands.back(), table.length())) { 877 return OTS_FAILURE(); 878 } 879 880 // parse Font DICT INDEX. 881 table.set_offset(operands.back().first); 882 ots::CFFIndex sub_dict_index; 883 if (!ParseIndex(table, sub_dict_index, cff2)) { 884 return OTS_FAILURE(); 885 } 886 if (!ParseDictData(table, sub_dict_index, 887 glyphs, sid_max, DICT_DATA_FDARRAY, 888 out_cff)) { 889 return OTS_FAILURE(); 890 } 891 if (out_cff->font_dict_length != 0) { 892 return OTS_FAILURE(); // two or more FDArray found. 893 } 894 out_cff->font_dict_length = sub_dict_index.count; 895 break; 896 } 897 898 case (12 << 8) + 37: { // FDSelect 899 if (type != DICT_DATA_TOPLEVEL) { 900 return OTS_FAILURE(); 901 } 902 if (operands.size() != 1) { 903 return OTS_FAILURE(); 904 } 905 if (!CheckOffset(operands.back(), table.length())) { 906 return OTS_FAILURE(); 907 } 908 909 // parse FDSelect data structure 910 table.set_offset(operands.back().first); 911 uint8_t format = 0; 912 if (!table.ReadU8(&format)) { 913 return OTS_FAILURE(); 914 } 915 if (format == 0) { 916 for (uint16_t j = 0; j < glyphs; ++j) { 917 uint8_t fd_index = 0; 918 if (!table.ReadU8(&fd_index)) { 919 return OTS_FAILURE(); 920 } 921 (out_cff->fd_select)[j] = fd_index; 922 } 923 } else if (format == 3) { 924 uint16_t n_ranges = 0; 925 if (!table.ReadU16(&n_ranges)) { 926 return OTS_FAILURE(); 927 } 928 if (n_ranges == 0) { 929 return OTS_FAILURE(); 930 } 931 932 uint16_t last_gid = 0; 933 uint8_t fd_index = 0; 934 for (unsigned j = 0; j < n_ranges; ++j) { 935 uint16_t first = 0; // GID 936 if (!table.ReadU16(&first)) { 937 return OTS_FAILURE(); 938 } 939 940 // Sanity checks. 941 if ((j == 0) && (first != 0)) { 942 return OTS_FAILURE(); 943 } 944 if ((j != 0) && (last_gid >= first)) { 945 return OTS_FAILURE(); // not increasing order. 946 } 947 if (first >= glyphs) { 948 return OTS_FAILURE(); // invalid gid. 949 } 950 951 // Copy the mapping to |out_cff->fd_select|. 952 if (j != 0) { 953 for (auto k = last_gid; k < first; ++k) { 954 if (!out_cff->fd_select.insert( 955 std::make_pair(k, fd_index)).second) { 956 return OTS_FAILURE(); 957 } 958 } 959 } 960 961 if (!table.ReadU8(&fd_index)) { 962 return OTS_FAILURE(); 963 } 964 last_gid = first; 965 } 966 uint16_t sentinel = 0; 967 if (!table.ReadU16(&sentinel)) { 968 return OTS_FAILURE(); 969 } 970 if (last_gid >= sentinel) { 971 return OTS_FAILURE(); 972 } 973 if (sentinel > glyphs) { 974 return OTS_FAILURE(); // invalid gid. 975 } 976 for (auto k = last_gid; k < sentinel; ++k) { 977 if (!out_cff->fd_select.insert( 978 std::make_pair(k, fd_index)).second) { 979 return OTS_FAILURE(); 980 } 981 } 982 } else if (cff2 && format == 4) { 983 uint32_t n_ranges = 0; 984 if (!table.ReadU32(&n_ranges)) { 985 return OTS_FAILURE(); 986 } 987 if (n_ranges == 0) { 988 return OTS_FAILURE(); 989 } 990 991 uint32_t last_gid = 0; 992 uint16_t fd_index = 0; 993 for (unsigned j = 0; j < n_ranges; ++j) { 994 uint32_t first = 0; // GID 995 if (!table.ReadU32(&first)) { 996 return OTS_FAILURE(); 997 } 998 999 // Sanity checks. 1000 if ((j == 0) && (first != 0)) { 1001 return OTS_FAILURE(); 1002 } 1003 if ((j != 0) && (last_gid >= first)) { 1004 return OTS_FAILURE(); // not increasing order. 1005 } 1006 if (first >= glyphs) { 1007 return OTS_FAILURE(); // invalid gid. 1008 } 1009 1010 // Copy the mapping to |out_cff->fd_select|. 1011 if (j != 0) { 1012 for (auto k = last_gid; k < first; ++k) { 1013 if (!out_cff->fd_select.insert( 1014 std::make_pair(k, fd_index)).second) { 1015 return OTS_FAILURE(); 1016 } 1017 } 1018 } 1019 1020 if (!table.ReadU16(&fd_index)) { 1021 return OTS_FAILURE(); 1022 } 1023 last_gid = first; 1024 } 1025 uint32_t sentinel = 0; 1026 if (!table.ReadU32(&sentinel)) { 1027 return OTS_FAILURE(); 1028 } 1029 if (last_gid >= sentinel) { 1030 return OTS_FAILURE(); 1031 } 1032 if (sentinel > glyphs) { 1033 return OTS_FAILURE(); // invalid gid. 1034 } 1035 for (auto k = last_gid; k < sentinel; ++k) { 1036 if (!out_cff->fd_select.insert( 1037 std::make_pair(k, fd_index)).second) { 1038 return OTS_FAILURE(); 1039 } 1040 } 1041 } else { 1042 // unknown format 1043 return OTS_FAILURE(); 1044 } 1045 break; 1046 } 1047 1048 // Private DICT (2 * number) 1049 case 18: { 1050 if (operands.size() != 2) { 1051 return OTS_FAILURE(); 1052 } 1053 if (operands.back().second != DICT_OPERAND_INTEGER) { 1054 return OTS_FAILURE(); 1055 } 1056 const int32_t private_offset = operands.back().first; 1057 operands.pop_back(); 1058 if (operands.back().second != DICT_OPERAND_INTEGER) { 1059 return OTS_FAILURE(); 1060 } 1061 const int32_t private_length = operands.back().first; 1062 if (private_offset > static_cast<int32_t>(table.length())) { 1063 return OTS_FAILURE(); 1064 } 1065 if (private_length >= static_cast<int32_t>(table.length()) || private_length < 0) { 1066 return OTS_FAILURE(); 1067 } 1068 if (private_length + private_offset > static_cast<int32_t>(table.length()) || private_length + private_offset < 0) { 1069 return OTS_FAILURE(); 1070 } 1071 // parse "15. Private DICT data" 1072 if (!ParsePrivateDictData(table, private_offset, private_length, 1073 type, out_cff)) { 1074 return OTS_FAILURE(); 1075 } 1076 break; 1077 } 1078 1079 // ROS 1080 case (12 << 8) + 30: 1081 if (font_format != FORMAT_UNKNOWN) { 1082 return OTS_FAILURE(); 1083 } 1084 font_format = FORMAT_CID_KEYED; 1085 if (operands.size() != 3) { 1086 return OTS_FAILURE(); 1087 } 1088 // check SIDs 1089 operands.pop_back(); // ignore the first number. 1090 if (!CheckSid(operands.back(), sid_max)) { 1091 return OTS_FAILURE(); 1092 } 1093 operands.pop_back(); 1094 if (!CheckSid(operands.back(), sid_max)) { 1095 return OTS_FAILURE(); 1096 } 1097 if (have_ros) { 1098 return OTS_FAILURE(); // multiple ROS tables? 1099 } 1100 have_ros = true; 1101 break; 1102 1103 default: 1104 return OTS_FAILURE(); 1105 } 1106 operands.clear(); 1107 1108 if (font_format == FORMAT_UNKNOWN) { 1109 font_format = FORMAT_OTHER; 1110 } 1111 } 1112 1113 // parse "13. Charsets" 1114 if (charset_offset) { 1115 table.set_offset(charset_offset); 1116 uint8_t format = 0; 1117 if (!table.ReadU8(&format)) { 1118 return OTS_FAILURE(); 1119 } 1120 switch (format) { 1121 case 0: 1122 for (uint16_t j = 1 /* .notdef is omitted */; j < glyphs; ++j) { 1123 uint16_t sid = 0; 1124 if (!table.ReadU16(&sid)) { 1125 return OTS_FAILURE(); 1126 } 1127 if (!have_ros && (sid > sid_max)) { 1128 return OTS_FAILURE(); 1129 } 1130 // TODO(yusukes): check CIDs when have_ros is true. 1131 } 1132 break; 1133 1134 case 1: 1135 case 2: { 1136 uint32_t total = 1; // .notdef is omitted. 1137 while (total < glyphs) { 1138 uint16_t sid = 0; 1139 if (!table.ReadU16(&sid)) { 1140 return OTS_FAILURE(); 1141 } 1142 if (!have_ros && (sid > sid_max)) { 1143 return OTS_FAILURE(); 1144 } 1145 // TODO(yusukes): check CIDs when have_ros is true. 1146 1147 if (format == 1) { 1148 uint8_t left = 0; 1149 if (!table.ReadU8(&left)) { 1150 return OTS_FAILURE(); 1151 } 1152 total += (left + 1); 1153 } else { 1154 uint16_t left = 0; 1155 if (!table.ReadU16(&left)) { 1156 return OTS_FAILURE(); 1157 } 1158 total += (left + 1); 1159 } 1160 } 1161 break; 1162 } 1163 1164 default: 1165 return OTS_FAILURE(); 1166 } 1167 } 1168 return true; 1169 } 1170 1171 } // namespace 1172 1173 namespace ots { 1174 1175 bool OpenTypeCFF::ValidateFDSelect(uint16_t num_glyphs) { 1176 for (const auto& fd_select : this->fd_select) { 1177 if (fd_select.first >= num_glyphs) { 1178 return Error("Invalid glyph index in FDSelect: %d >= %d\n", 1179 fd_select.first, num_glyphs); 1180 } 1181 if (fd_select.second >= this->font_dict_length) { 1182 return Error("Invalid FD index: %d >= %d\n", 1183 fd_select.second, this->font_dict_length); 1184 } 1185 } 1186 return true; 1187 } 1188 1189 bool OpenTypeCFF::Parse(const uint8_t *data, size_t length) { 1190 Buffer table(data, length); 1191 1192 Font *font = GetFont(); 1193 1194 this->m_data = data; 1195 this->m_length = length; 1196 1197 // parse "6. Header" in the Adobe Compact Font Format Specification 1198 uint8_t major = 0; 1199 uint8_t minor = 0; 1200 uint8_t hdr_size = 0; 1201 uint8_t off_size = 0; 1202 if (!table.ReadU8(&major) || 1203 !table.ReadU8(&minor) || 1204 !table.ReadU8(&hdr_size) || 1205 !table.ReadU8(&off_size)) { 1206 return Error("Failed to read table header"); 1207 } 1208 1209 if (off_size < 1 || off_size > 4) { 1210 return Error("Bad offSize: %d", off_size); 1211 } 1212 1213 if (major != 1 || minor != 0) { 1214 return Error("Unsupported table version: %d.%d", major, minor); 1215 } 1216 1217 this->major = major; 1218 1219 if (hdr_size != 4 || hdr_size >= length) { 1220 return Error("Bad hdrSize: %d", hdr_size); 1221 } 1222 1223 // parse "7. Name INDEX" 1224 table.set_offset(hdr_size); 1225 CFFIndex name_index; 1226 if (!ParseIndex(table, name_index)) { 1227 return Error("Failed to parse Name INDEX"); 1228 } 1229 if (name_index.count != 1 || name_index.offsets.size() != 2) { 1230 return Error("Name INDEX must contain only one entry, not %d", 1231 name_index.count); 1232 } 1233 if (!ParseNameData(&table, name_index, &(this->name))) { 1234 return Error("Failed to parse Name INDEX data"); 1235 } 1236 1237 // parse "8. Top DICT INDEX" 1238 table.set_offset(name_index.offset_to_next); 1239 CFFIndex top_dict_index; 1240 if (!ParseIndex(table, top_dict_index)) { 1241 return Error("Failed to parse Top DICT INDEX"); 1242 } 1243 if (top_dict_index.count != 1) { 1244 return Error("Top DICT INDEX must contain only one entry, not %d", 1245 top_dict_index.count); 1246 } 1247 1248 // parse "10. String INDEX" 1249 table.set_offset(top_dict_index.offset_to_next); 1250 CFFIndex string_index; 1251 if (!ParseIndex(table, string_index)) { 1252 return Error("Failed to parse String INDEX"); 1253 } 1254 if (string_index.count >= 65000 - kNStdString) { 1255 return Error("Too many entries in String INDEX: %d", string_index.count); 1256 } 1257 1258 OpenTypeMAXP *maxp = static_cast<OpenTypeMAXP*>( 1259 font->GetTypedTable(OTS_TAG_MAXP)); 1260 if (!maxp) { 1261 return Error("Required maxp table missing"); 1262 } 1263 const uint16_t num_glyphs = maxp->num_glyphs; 1264 const size_t sid_max = string_index.count + kNStdString; 1265 // string_index.count == 0 is allowed. 1266 1267 // parse "9. Top DICT Data" 1268 this->charstrings_index = new ots::CFFIndex; 1269 if (!ParseDictData(table, top_dict_index, 1270 num_glyphs, sid_max, 1271 DICT_DATA_TOPLEVEL, this)) { 1272 return Error("Failed to parse Top DICT Data"); 1273 } 1274 1275 // parse "16. Global Subrs INDEX" 1276 table.set_offset(string_index.offset_to_next); 1277 CFFIndex global_subrs_index; 1278 if (!ParseIndex(table, global_subrs_index)) { 1279 return Error("Failed to parse Global Subrs INDEX"); 1280 } 1281 1282 // Check if all fd and glyph indices in FDSelect are valid. 1283 if (!ValidateFDSelect(num_glyphs)) { 1284 return Error("Failed to validate FDSelect"); 1285 } 1286 1287 // Check if all charstrings (font hinting code for each glyph) are valid. 1288 if (!ValidateCFFCharStrings(*this, global_subrs_index, &table)) { 1289 return Error("Failed validating CharStrings INDEX"); 1290 } 1291 1292 return true; 1293 } 1294 1295 bool OpenTypeCFF::Serialize(OTSStream *out) { 1296 if (!out->Write(this->m_data, this->m_length)) { 1297 return Error("Failed to write table"); 1298 } 1299 return true; 1300 } 1301 1302 OpenTypeCFF::~OpenTypeCFF() { 1303 for (size_t i = 0; i < this->local_subrs_per_font.size(); ++i) { 1304 delete (this->local_subrs_per_font)[i]; 1305 } 1306 delete this->charstrings_index; 1307 delete this->local_subrs; 1308 } 1309 1310 bool OpenTypeCFF2::Parse(const uint8_t *data, size_t length) { 1311 Buffer table(data, length); 1312 1313 Font *font = GetFont(); 1314 1315 this->m_data = data; 1316 this->m_length = length; 1317 1318 // parse "6. Header" 1319 uint8_t major = 0; 1320 uint8_t minor = 0; 1321 uint8_t hdr_size = 0; 1322 uint16_t top_dict_size = 0; 1323 if (!table.ReadU8(&major) || 1324 !table.ReadU8(&minor) || 1325 !table.ReadU8(&hdr_size) || 1326 !table.ReadU16(&top_dict_size)) { 1327 return Error("Failed to read table header"); 1328 } 1329 1330 if (major != 2 || minor != 0) { 1331 return Error("Unsupported table version: %d.%d", major, minor); 1332 } 1333 1334 this->major = major; 1335 1336 if (hdr_size >= length) { 1337 return Error("Bad hdrSize: %d", hdr_size); 1338 } 1339 1340 if (top_dict_size == 0 || hdr_size + top_dict_size > length) { 1341 return Error("Bad topDictLength: %d", top_dict_size); 1342 } 1343 1344 OpenTypeMAXP *maxp = static_cast<OpenTypeMAXP*>( 1345 font->GetTypedTable(OTS_TAG_MAXP)); 1346 if (!maxp) { 1347 return Error("Required maxp table missing"); 1348 } 1349 const uint16_t num_glyphs = maxp->num_glyphs; 1350 const size_t sid_max = kNStdString; 1351 1352 // parse "7. Top DICT Data" 1353 ots::Buffer top_dict(data + hdr_size, top_dict_size); 1354 table.set_offset(hdr_size); 1355 this->charstrings_index = new ots::CFFIndex; 1356 if (!ParseDictData(table, top_dict, 1357 num_glyphs, sid_max, 1358 DICT_DATA_TOPLEVEL, this)) { 1359 return Error("Failed to parse Top DICT Data"); 1360 } 1361 1362 // parse "9. Global Subrs INDEX" 1363 table.set_offset(hdr_size + top_dict_size); 1364 CFFIndex global_subrs_index; 1365 if (!ParseIndex(table, global_subrs_index, true)) { 1366 return Error("Failed to parse Global Subrs INDEX"); 1367 } 1368 1369 // Check if all fd and glyph indices in FDSelect are valid. 1370 if (!ValidateFDSelect(num_glyphs)) { 1371 return Error("Failed to validate FDSelect"); 1372 } 1373 1374 // Check if all charstrings (font hinting code for each glyph) are valid. 1375 if (!ValidateCFFCharStrings(*this, global_subrs_index, &table)) { 1376 return Error("Failed validating CharStrings INDEX"); 1377 } 1378 1379 return true; 1380 } 1381 1382 bool OpenTypeCFF2::Serialize(OTSStream *out) { 1383 if (!out->Write(this->m_data, this->m_length)) { 1384 return Error("Failed to write table"); 1385 } 1386 return true; 1387 } 1388 1389 } // namespace ots 1390 1391 #undef TABLE_NAME