/src/ots/src/cff_charstring.cc
Line | Count | Source (jump to first uncovered line) |
1 | | // Copyright (c) 2010-2017 The OTS Authors. All rights reserved. |
2 | | // Use of this source code is governed by a BSD-style license that can be |
3 | | // found in the LICENSE file. |
4 | | |
5 | | // A parser for the Type 2 Charstring Format. |
6 | | // http://www.adobe.com/devnet/font/pdfs/5177.Type2.pdf |
7 | | |
8 | | #include "cff_charstring.h" |
9 | | |
10 | | #include <climits> |
11 | | #include <cstdio> |
12 | | #include <cstring> |
13 | | #include <stack> |
14 | | #include <string> |
15 | | #include <utility> |
16 | | |
17 | | #define TABLE_NAME "CFF" |
18 | | |
19 | | namespace { |
20 | | |
21 | | // Type 2 Charstring Implementation Limits. See Appendix. B in Adobe Technical |
22 | | // Note #5177. |
23 | | const int32_t kMaxSubrsCount = 65536; |
24 | | const size_t kMaxCharStringLength = 65535; |
25 | | const size_t kMaxNumberOfStemHints = 96; |
26 | | const size_t kMaxSubrNesting = 10; |
27 | | |
28 | | // |dummy_result| should be a huge positive integer so callsubr and callgsubr |
29 | | // will fail with the dummy value. |
30 | | const int32_t dummy_result = INT_MAX; |
31 | | |
32 | | bool ExecuteCharString(ots::OpenTypeCFF& cff, |
33 | | size_t call_depth, |
34 | | const ots::CFFIndex& global_subrs_index, |
35 | | const ots::CFFIndex& local_subrs_index, |
36 | | ots::Buffer *cff_table, |
37 | | ots::Buffer *char_string, |
38 | | std::stack<int32_t> *argument_stack, |
39 | | ots::CharStringContext& cs_ctx); |
40 | | |
41 | 9.56M | bool ArgumentStackOverflows(std::stack<int32_t> *argument_stack, bool cff2) { |
42 | 9.56M | if ((cff2 && argument_stack->size() > ots::kMaxCFF2ArgumentStack) || |
43 | 9.56M | (!cff2 && argument_stack->size() > ots::kMaxCFF1ArgumentStack)) { |
44 | 22 | return true; |
45 | 22 | } |
46 | 9.56M | return false; |
47 | 9.56M | } |
48 | | |
49 | | #ifdef DUMP_T2CHARSTRING |
50 | | // Converts |op| to a string and returns it. |
51 | | const char *CharStringOperatorToString(ots::CharStringOperator op) { |
52 | | switch (op) { |
53 | | case ots::kHStem: |
54 | | return "hstem"; |
55 | | case ots::kVStem: |
56 | | return "vstem"; |
57 | | case ots::kVMoveTo: |
58 | | return "vmoveto"; |
59 | | case ots::kRLineTo: |
60 | | return "rlineto"; |
61 | | case ots::kHLineTo: |
62 | | return "hlineto"; |
63 | | case ots::kVLineTo: |
64 | | return "vlineto"; |
65 | | case ots::kRRCurveTo: |
66 | | return "rrcurveto"; |
67 | | case ots::kCallSubr: |
68 | | return "callsubr"; |
69 | | case ots::kReturn: |
70 | | return "return"; |
71 | | case ots::kEndChar: |
72 | | return "endchar"; |
73 | | case ots::kVSIndex: |
74 | | return "vsindex"; |
75 | | case ots::kBlend: |
76 | | return "blend"; |
77 | | case ots::kHStemHm: |
78 | | return "hstemhm"; |
79 | | case ots::kHintMask: |
80 | | return "hintmask"; |
81 | | case ots::kCntrMask: |
82 | | return "cntrmask"; |
83 | | case ots::kRMoveTo: |
84 | | return "rmoveto"; |
85 | | case ots::kHMoveTo: |
86 | | return "hmoveto"; |
87 | | case ots::kVStemHm: |
88 | | return "vstemhm"; |
89 | | case ots::kRCurveLine: |
90 | | return "rcurveline"; |
91 | | case ots::kRLineCurve: |
92 | | return "rlinecurve"; |
93 | | case ots::kVVCurveTo: |
94 | | return "VVCurveTo"; |
95 | | case ots::kHHCurveTo: |
96 | | return "hhcurveto"; |
97 | | case ots::kCallGSubr: |
98 | | return "callgsubr"; |
99 | | case ots::kVHCurveTo: |
100 | | return "vhcurveto"; |
101 | | case ots::kHVCurveTo: |
102 | | return "HVCurveTo"; |
103 | | case ots::kDotSection: |
104 | | return "dotsection"; |
105 | | case ots::kAnd: |
106 | | return "and"; |
107 | | case ots::kOr: |
108 | | return "or"; |
109 | | case ots::kNot: |
110 | | return "not"; |
111 | | case ots::kAbs: |
112 | | return "abs"; |
113 | | case ots::kAdd: |
114 | | return "add"; |
115 | | case ots::kSub: |
116 | | return "sub"; |
117 | | case ots::kDiv: |
118 | | return "div"; |
119 | | case ots::kNeg: |
120 | | return "neg"; |
121 | | case ots::kEq: |
122 | | return "eq"; |
123 | | case ots::kDrop: |
124 | | return "drop"; |
125 | | case ots::kPut: |
126 | | return "put"; |
127 | | case ots::kGet: |
128 | | return "get"; |
129 | | case ots::kIfElse: |
130 | | return "ifelse"; |
131 | | case ots::kRandom: |
132 | | return "random"; |
133 | | case ots::kMul: |
134 | | return "mul"; |
135 | | case ots::kSqrt: |
136 | | return "sqrt"; |
137 | | case ots::kDup: |
138 | | return "dup"; |
139 | | case ots::kExch: |
140 | | return "exch"; |
141 | | case ots::kIndex: |
142 | | return "index"; |
143 | | case ots::kRoll: |
144 | | return "roll"; |
145 | | case ots::kHFlex: |
146 | | return "hflex"; |
147 | | case ots::kFlex: |
148 | | return "flex"; |
149 | | case ots::kHFlex1: |
150 | | return "hflex1"; |
151 | | case ots::kFlex1: |
152 | | return "flex1"; |
153 | | } |
154 | | |
155 | | return "UNKNOWN"; |
156 | | } |
157 | | #endif |
158 | | |
159 | | // Read one or more bytes from the |char_string| buffer and stores the number |
160 | | // read on |out_number|. If the number read is an operator (ex 'vstem'), sets |
161 | | // true on |out_is_operator|. Returns true if the function read a number. |
162 | | bool ReadNextNumberFromCharString(ots::Buffer *char_string, |
163 | | int32_t *out_number, |
164 | 11.6M | bool *out_is_operator) { |
165 | 11.6M | uint8_t v = 0; |
166 | 11.6M | if (!char_string->ReadU8(&v)) { |
167 | 0 | return OTS_FAILURE(); |
168 | 0 | } |
169 | 11.6M | *out_is_operator = false; |
170 | | |
171 | | // The conversion algorithm is described in Adobe Technical Note #5177, page |
172 | | // 13, Table 1. |
173 | 11.6M | if (v <= 11) { |
174 | 957k | *out_number = v; |
175 | 957k | *out_is_operator = true; |
176 | 10.7M | } else if (v == 12) { |
177 | 2.15k | uint16_t result = (v << 8); |
178 | 2.15k | if (!char_string->ReadU8(&v)) { |
179 | 2 | return OTS_FAILURE(); |
180 | 2 | } |
181 | 2.15k | result += v; |
182 | 2.15k | *out_number = result; |
183 | 2.15k | *out_is_operator = true; |
184 | 10.7M | } else if (v <= 27) { |
185 | | // Special handling for v==19 and v==20 are implemented in |
186 | | // ExecuteCharStringOperator(). |
187 | 786k | *out_number = v; |
188 | 786k | *out_is_operator = true; |
189 | 9.92M | } else if (v == 28) { |
190 | 46.0k | if (!char_string->ReadU8(&v)) { |
191 | 3 | return OTS_FAILURE(); |
192 | 3 | } |
193 | 46.0k | uint16_t result = (v << 8); |
194 | 46.0k | if (!char_string->ReadU8(&v)) { |
195 | 1 | return OTS_FAILURE(); |
196 | 1 | } |
197 | 46.0k | result += v; |
198 | 46.0k | *out_number = result; |
199 | 9.87M | } else if (v <= 31) { |
200 | 355k | *out_number = v; |
201 | 355k | *out_is_operator = true; |
202 | 9.52M | } else if (v <= 246) { |
203 | 8.06M | *out_number = static_cast<int32_t>(v) - 139; |
204 | 8.06M | } else if (v <= 250) { |
205 | 791k | uint8_t w = 0; |
206 | 791k | if (!char_string->ReadU8(&w)) { |
207 | 2 | return OTS_FAILURE(); |
208 | 2 | } |
209 | 791k | *out_number = ((static_cast<int32_t>(v) - 247) * 256) + |
210 | 791k | static_cast<int32_t>(w) + 108; |
211 | 791k | } else if (v <= 254) { |
212 | 661k | uint8_t w = 0; |
213 | 661k | if (!char_string->ReadU8(&w)) { |
214 | 2 | return OTS_FAILURE(); |
215 | 2 | } |
216 | 661k | *out_number = -((static_cast<int32_t>(v) - 251) * 256) - |
217 | 661k | static_cast<int32_t>(w) - 108; |
218 | 661k | } else if (v == 255) { |
219 | | // TODO(yusukes): We should not skip the 4 bytes. Note that when v is 255, |
220 | | // we should treat the following 4-bytes as a 16.16 fixed-point number |
221 | | // rather than 32bit signed int. |
222 | 1.82k | if (!char_string->Skip(4)) { |
223 | 3 | return OTS_FAILURE(); |
224 | 3 | } |
225 | 1.82k | *out_number = dummy_result; |
226 | 1.82k | } else { |
227 | 0 | return OTS_FAILURE(); |
228 | 0 | } |
229 | | |
230 | 11.6M | return true; |
231 | 11.6M | } |
232 | | |
233 | 1.87M | bool ValidCFF2Operator(int32_t op) { |
234 | 1.87M | switch (op) { |
235 | 1 | case ots::kReturn: |
236 | 3 | case ots::kEndChar: |
237 | 4 | case ots::kAbs: |
238 | 5 | case ots::kAdd: |
239 | 7 | case ots::kSub: |
240 | 8 | case ots::kDiv: |
241 | 9 | case ots::kNeg: |
242 | 10 | case ots::kRandom: |
243 | 11 | case ots::kMul: |
244 | 12 | case ots::kSqrt: |
245 | 13 | case ots::kDrop: |
246 | 14 | case ots::kExch: |
247 | 15 | case ots::kIndex: |
248 | 16 | case ots::kRoll: |
249 | 17 | case ots::kDup: |
250 | 18 | case ots::kPut: |
251 | 19 | case ots::kGet: |
252 | 20 | case ots::kDotSection: |
253 | 21 | case ots::kAnd: |
254 | 23 | case ots::kOr: |
255 | 24 | case ots::kNot: |
256 | 25 | case ots::kEq: |
257 | 26 | case ots::kIfElse: |
258 | 26 | return false; |
259 | 1.87M | } |
260 | | |
261 | 1.87M | return true; |
262 | 1.87M | } |
263 | | |
264 | | // Executes |op| and updates |argument_stack|. Returns true if the execution |
265 | | // succeeds. If the |op| is kCallSubr or kCallGSubr, the function recursively |
266 | | // calls ExecuteCharString() function. The |cs_ctx| argument holds values that |
267 | | // need to persist through these calls (see CharStringContext for details) |
268 | | bool ExecuteCharStringOperator(ots::OpenTypeCFF& cff, |
269 | | int32_t op, |
270 | | size_t call_depth, |
271 | | const ots::CFFIndex& global_subrs_index, |
272 | | const ots::CFFIndex& local_subrs_index, |
273 | | ots::Buffer *cff_table, |
274 | | ots::Buffer *char_string, |
275 | | std::stack<int32_t> *argument_stack, |
276 | 2.10M | ots::CharStringContext& cs_ctx) { |
277 | 2.10M | ots::Font* font = cff.GetFont(); |
278 | 2.10M | const size_t stack_size = argument_stack->size(); |
279 | | |
280 | 2.10M | if (cs_ctx.cff2 && !ValidCFF2Operator(op)) { |
281 | 26 | return OTS_FAILURE(); |
282 | 26 | } |
283 | | |
284 | 2.10M | switch (op) { |
285 | 382k | case ots::kCallSubr: |
286 | 398k | case ots::kCallGSubr: { |
287 | 398k | const ots::CFFIndex& subrs_index = |
288 | 398k | (op == ots::kCallSubr ? local_subrs_index : global_subrs_index); |
289 | | |
290 | 398k | if (stack_size < 1) { |
291 | 5 | return OTS_FAILURE(); |
292 | 5 | } |
293 | 398k | int32_t subr_number = argument_stack->top(); |
294 | 398k | argument_stack->pop(); |
295 | 398k | if (subr_number == dummy_result) { |
296 | | // For safety, we allow subr calls only with immediate subr numbers for |
297 | | // now. For example, we allow "123 callgsubr", but does not allow "100 12 |
298 | | // add callgsubr". Please note that arithmetic and conditional operators |
299 | | // always push the |dummy_result| in this implementation. |
300 | 3 | return OTS_FAILURE(); |
301 | 3 | } |
302 | | |
303 | | // See Adobe Technical Note #5176 (CFF), "16. Local/GlobalSubrs INDEXes." |
304 | 398k | int32_t bias = 32768; |
305 | 398k | if (subrs_index.count < 1240) { |
306 | 112k | bias = 107; |
307 | 285k | } else if (subrs_index.count < 33900) { |
308 | 285k | bias = 1131; |
309 | 285k | } |
310 | 398k | subr_number += bias; |
311 | | |
312 | | // Sanity checks of |subr_number|. |
313 | 398k | if (subr_number < 0) { |
314 | 3 | return OTS_FAILURE(); |
315 | 3 | } |
316 | 398k | if (subr_number >= kMaxSubrsCount) { |
317 | 1 | return OTS_FAILURE(); |
318 | 1 | } |
319 | 398k | if (subrs_index.offsets.size() <= static_cast<size_t>(subr_number + 1)) { |
320 | 13 | return OTS_FAILURE(); // The number is out-of-bounds. |
321 | 13 | } |
322 | | |
323 | | // Prepare ots::Buffer where we're going to jump. |
324 | 398k | const size_t length = |
325 | 398k | subrs_index.offsets[subr_number + 1] - subrs_index.offsets[subr_number]; |
326 | 398k | if (length > kMaxCharStringLength) { |
327 | 0 | return OTS_FAILURE(); |
328 | 0 | } |
329 | 398k | const size_t offset = subrs_index.offsets[subr_number]; |
330 | 398k | cff_table->set_offset(offset); |
331 | 398k | if (!cff_table->Skip(length)) { |
332 | 0 | return OTS_FAILURE(); |
333 | 0 | } |
334 | 398k | ots::Buffer char_string_to_jump(cff_table->buffer() + offset, length); |
335 | | |
336 | 398k | return ExecuteCharString(cff, |
337 | 398k | call_depth + 1, |
338 | 398k | global_subrs_index, |
339 | 398k | local_subrs_index, |
340 | 398k | cff_table, |
341 | 398k | &char_string_to_jump, |
342 | 398k | argument_stack, |
343 | 398k | cs_ctx); |
344 | 398k | } |
345 | | |
346 | 37.9k | case ots::kReturn: |
347 | 37.9k | return true; |
348 | | |
349 | 13.4k | case ots::kEndChar: |
350 | 13.4k | cs_ctx.endchar_seen = true; |
351 | 13.4k | cs_ctx.width_seen = true; // just in case. |
352 | 13.4k | return true; |
353 | | |
354 | 528 | case ots::kVSIndex: { |
355 | 528 | if (!cs_ctx.cff2) { |
356 | 2 | return OTS_FAILURE(); |
357 | 2 | } |
358 | 526 | if (stack_size != 1) { |
359 | 2 | return OTS_FAILURE(); |
360 | 2 | } |
361 | 524 | if (cs_ctx.blend_seen || cs_ctx.vsindex_seen) { |
362 | 2 | return OTS_FAILURE(); |
363 | 2 | } |
364 | 522 | if (argument_stack->top() < 0 || |
365 | 522 | argument_stack->top() >= (int32_t)cff.region_index_count.size()) { |
366 | 7 | return OTS_FAILURE(); |
367 | 7 | } |
368 | 515 | cs_ctx.vsindex_seen = true; |
369 | 515 | cs_ctx.vsindex = argument_stack->top(); |
370 | 1.03k | while (!argument_stack->empty()) |
371 | 515 | argument_stack->pop(); |
372 | 515 | return true; |
373 | 522 | } |
374 | | |
375 | 242k | case ots::kBlend: { |
376 | 242k | if (!cs_ctx.cff2) { |
377 | 2 | return OTS_FAILURE(); |
378 | 2 | } |
379 | 242k | if (stack_size < 1) { |
380 | 1 | return OTS_FAILURE(); |
381 | 1 | } |
382 | 242k | if (cs_ctx.vsindex >= (int32_t)cff.region_index_count.size()) { |
383 | 1 | return OTS_FAILURE(); |
384 | 1 | } |
385 | 242k | uint16_t k = cff.region_index_count.at(cs_ctx.vsindex); |
386 | 242k | uint16_t n = argument_stack->top(); |
387 | 242k | if (stack_size < n * (k + 1u) + 1u) { |
388 | 17 | return OTS_FAILURE(); |
389 | 17 | } |
390 | | |
391 | | // Keep the 1st n operands on the stack for the next operator to use and |
392 | | // pop the rest. There can be multiple consecutive blend operators, so this |
393 | | // makes sure the operands of all of them are kept on the stack. |
394 | 2.08M | while (argument_stack->size() > stack_size - ((n * k) + 1)) |
395 | 1.84M | argument_stack->pop(); |
396 | 242k | cs_ctx.blend_seen = true; |
397 | 242k | return true; |
398 | 242k | } |
399 | | |
400 | 803 | case ots::kHStem: |
401 | 1.56k | case ots::kVStem: |
402 | 2.53k | case ots::kHStemHm: |
403 | 2.57k | case ots::kVStemHm: { |
404 | 2.57k | bool successful = false; |
405 | 2.57k | if (stack_size < 2) { |
406 | 16 | return OTS_FAILURE(); |
407 | 16 | } |
408 | 2.55k | if ((stack_size % 2) == 0) { |
409 | 1.63k | successful = true; |
410 | 1.63k | } else if ((!(cs_ctx.width_seen)) && (((stack_size - 1) % 2) == 0)) { |
411 | | // The -1 is for "width" argument. For details, see Adobe Technical Note |
412 | | // #5177, page 16, note 4. |
413 | 912 | successful = true; |
414 | 912 | } |
415 | 2.55k | cs_ctx.num_stems += (stack_size / 2); |
416 | 2.55k | if ((cs_ctx.num_stems) > kMaxNumberOfStemHints) { |
417 | 3 | return OTS_FAILURE(); |
418 | 3 | } |
419 | 20.7k | while (!argument_stack->empty()) |
420 | 18.2k | argument_stack->pop(); |
421 | 2.55k | cs_ctx.width_seen = true; // always set true since "w" might be 0 byte. |
422 | 2.55k | return successful ? true : OTS_FAILURE(); |
423 | 2.55k | } |
424 | | |
425 | 211k | case ots::kRMoveTo: { |
426 | 211k | bool successful = false; |
427 | 211k | if (stack_size == 2) { |
428 | 202k | successful = true; |
429 | 202k | } else if ((!(cs_ctx.width_seen)) && (stack_size - 1 == 2)) { |
430 | 9.21k | successful = true; |
431 | 9.21k | } |
432 | 643k | while (!argument_stack->empty()) |
433 | 431k | argument_stack->pop(); |
434 | 211k | cs_ctx.width_seen = true; |
435 | 211k | return successful ? true : OTS_FAILURE(); |
436 | 2.55k | } |
437 | | |
438 | 7.05k | case ots::kVMoveTo: |
439 | 30.8k | case ots::kHMoveTo: { |
440 | 30.8k | bool successful = false; |
441 | 30.8k | if (stack_size == 1) { |
442 | 29.0k | successful = true; |
443 | 29.0k | } else if ((!(cs_ctx.width_seen)) && (stack_size - 1 == 1)) { |
444 | 1.74k | successful = true; |
445 | 1.74k | } |
446 | 63.4k | while (!argument_stack->empty()) |
447 | 32.6k | argument_stack->pop(); |
448 | 30.8k | cs_ctx.width_seen = true; |
449 | 30.8k | return successful ? true : OTS_FAILURE(); |
450 | 7.05k | } |
451 | | |
452 | 3.27k | case ots::kHintMask: |
453 | 3.45k | case ots::kCntrMask: { |
454 | 3.45k | bool successful = false; |
455 | 3.45k | if (stack_size == 0) { |
456 | 2.33k | successful = true; |
457 | 2.33k | } else if ((!(cs_ctx.width_seen)) && (stack_size == 1)) { |
458 | | // A number for "width" is found. |
459 | 2 | successful = true; |
460 | 1.11k | } else if ((!(cs_ctx.width_seen)) || // in this case, any sizes are ok. |
461 | 1.11k | ((stack_size % 2) == 0)) { |
462 | | // The numbers are vstem definition. |
463 | | // See Adobe Technical Note #5177, page 24, hintmask. |
464 | 1.11k | cs_ctx.num_stems += (stack_size / 2); |
465 | 1.11k | if ((cs_ctx.num_stems) > kMaxNumberOfStemHints) { |
466 | 2 | return OTS_FAILURE(); |
467 | 2 | } |
468 | 1.10k | successful = true; |
469 | 1.10k | } |
470 | 3.44k | if (!successful) { |
471 | 7 | return OTS_FAILURE(); |
472 | 7 | } |
473 | | |
474 | 3.44k | if ((cs_ctx.num_stems) == 0) { |
475 | 2 | return OTS_FAILURE(); |
476 | 2 | } |
477 | 3.43k | const size_t mask_bytes = (cs_ctx.num_stems + 7) / 8; |
478 | 3.43k | if (!char_string->Skip(mask_bytes)) { |
479 | 4 | return OTS_FAILURE(); |
480 | 4 | } |
481 | 10.8k | while (!argument_stack->empty()) |
482 | 7.43k | argument_stack->pop(); |
483 | 3.43k | cs_ctx.width_seen = true; |
484 | 3.43k | return true; |
485 | 3.43k | } |
486 | | |
487 | 150k | case ots::kRLineTo: |
488 | 150k | if (!(cs_ctx.width_seen)) { |
489 | | // The first stack-clearing operator should be one of hstem, hstemhm, |
490 | | // vstem, vstemhm, cntrmask, hintmask, hmoveto, vmoveto, rmoveto, or |
491 | | // endchar. For details, see Adobe Technical Note #5177, page 16, note 4. |
492 | 1 | return OTS_FAILURE(); |
493 | 1 | } |
494 | 150k | if (stack_size < 2) { |
495 | 2 | return OTS_FAILURE(); |
496 | 2 | } |
497 | 150k | if ((stack_size % 2) != 0) { |
498 | 2 | return OTS_FAILURE(); |
499 | 2 | } |
500 | 726k | while (!argument_stack->empty()) |
501 | 575k | argument_stack->pop(); |
502 | 150k | return true; |
503 | | |
504 | 157k | case ots::kHLineTo: |
505 | 246k | case ots::kVLineTo: |
506 | 246k | if (!(cs_ctx.width_seen)) { |
507 | 1 | return OTS_FAILURE(); |
508 | 1 | } |
509 | 246k | if (stack_size < 1) { |
510 | 2 | return OTS_FAILURE(); |
511 | 2 | } |
512 | 619k | while (!argument_stack->empty()) |
513 | 372k | argument_stack->pop(); |
514 | 246k | return true; |
515 | | |
516 | 131k | case ots::kRRCurveTo: |
517 | 131k | if (!(cs_ctx.width_seen)) { |
518 | 1 | return OTS_FAILURE(); |
519 | 1 | } |
520 | 131k | if (stack_size < 6) { |
521 | 1 | return OTS_FAILURE(); |
522 | 1 | } |
523 | 131k | if ((stack_size % 6) != 0) { |
524 | 4 | return OTS_FAILURE(); |
525 | 4 | } |
526 | 2.05M | while (!argument_stack->empty()) |
527 | 1.92M | argument_stack->pop(); |
528 | 131k | return true; |
529 | | |
530 | 36.0k | case ots::kRCurveLine: |
531 | 36.0k | if (!(cs_ctx.width_seen)) { |
532 | 1 | return OTS_FAILURE(); |
533 | 1 | } |
534 | 36.0k | if (stack_size < 8) { |
535 | 6 | return OTS_FAILURE(); |
536 | 6 | } |
537 | 36.0k | if (((stack_size - 2) % 6) != 0) { |
538 | 7 | return OTS_FAILURE(); |
539 | 7 | } |
540 | 423k | while (!argument_stack->empty()) |
541 | 387k | argument_stack->pop(); |
542 | 36.0k | return true; |
543 | | |
544 | 30.3k | case ots::kRLineCurve: |
545 | 30.3k | if (!(cs_ctx.width_seen)) { |
546 | 1 | return OTS_FAILURE(); |
547 | 1 | } |
548 | 30.3k | if (stack_size < 8) { |
549 | 2 | return OTS_FAILURE(); |
550 | 2 | } |
551 | 30.3k | if (((stack_size - 6) % 2) != 0) { |
552 | 3 | return OTS_FAILURE(); |
553 | 3 | } |
554 | 300k | while (!argument_stack->empty()) |
555 | 269k | argument_stack->pop(); |
556 | 30.3k | return true; |
557 | | |
558 | 112k | case ots::kVVCurveTo: |
559 | 112k | if (!(cs_ctx.width_seen)) { |
560 | 2 | return OTS_FAILURE(); |
561 | 2 | } |
562 | 112k | if (stack_size < 4) { |
563 | 2 | return OTS_FAILURE(); |
564 | 2 | } |
565 | 112k | if (((stack_size % 4) != 0) && |
566 | 112k | (((stack_size - 1) % 4) != 0)) { |
567 | 3 | return OTS_FAILURE(); |
568 | 3 | } |
569 | 678k | while (!argument_stack->empty()) |
570 | 565k | argument_stack->pop(); |
571 | 112k | return true; |
572 | | |
573 | 111k | case ots::kHHCurveTo: { |
574 | 111k | bool successful = false; |
575 | 111k | if (!(cs_ctx.width_seen)) { |
576 | 1 | return OTS_FAILURE(); |
577 | 1 | } |
578 | 111k | if (stack_size < 4) { |
579 | 2 | return OTS_FAILURE(); |
580 | 2 | } |
581 | 111k | if ((stack_size % 4) == 0) { |
582 | | // {dxa dxb dyb dxc}+ |
583 | 9.45k | successful = true; |
584 | 102k | } else if (((stack_size - 1) % 4) == 0) { |
585 | | // dy1? {dxa dxb dyb dxc}+ |
586 | 102k | successful = true; |
587 | 102k | } |
588 | 690k | while (!argument_stack->empty()) |
589 | 578k | argument_stack->pop(); |
590 | 111k | return successful ? true : OTS_FAILURE(); |
591 | 111k | } |
592 | | |
593 | 175k | case ots::kVHCurveTo: |
594 | 339k | case ots::kHVCurveTo: { |
595 | 339k | bool successful = false; |
596 | 339k | if (!(cs_ctx.width_seen)) { |
597 | 2 | return OTS_FAILURE(); |
598 | 2 | } |
599 | 339k | if (stack_size < 4) { |
600 | 5 | return OTS_FAILURE(); |
601 | 5 | } |
602 | 339k | if (((stack_size - 4) % 8) == 0) { |
603 | | // dx1 dx2 dy2 dy3 {dya dxb dyb dxc dxd dxe dye dyf}* |
604 | 81.2k | successful = true; |
605 | 257k | } else if ((stack_size >= 5) && |
606 | 257k | ((stack_size - 5) % 8) == 0) { |
607 | | // dx1 dx2 dy2 dy3 {dya dxb dyb dxc dxd dxe dye dyf}* dxf |
608 | 179k | successful = true; |
609 | 179k | } else if ((stack_size >= 8) && |
610 | 78.8k | ((stack_size - 8) % 8) == 0) { |
611 | | // {dxa dxb dyb dyc dyd dxe dye dxf}+ |
612 | 54.4k | successful = true; |
613 | 54.4k | } else if ((stack_size >= 9) && |
614 | 24.4k | ((stack_size - 9) % 8) == 0) { |
615 | | // {dxa dxb dyb dyc dyd dxe dye dxf}+ dyf? |
616 | 24.4k | successful = true; |
617 | 24.4k | } |
618 | 2.49M | while (!argument_stack->empty()) |
619 | 2.15M | argument_stack->pop(); |
620 | 339k | return successful ? true : OTS_FAILURE(); |
621 | 339k | } |
622 | | |
623 | 23 | case ots::kDotSection: |
624 | | // Deprecated operator but harmless, we probably should drop it some how. |
625 | 23 | if (stack_size != 0) { |
626 | 1 | return OTS_FAILURE(); |
627 | 1 | } |
628 | 22 | return true; |
629 | | |
630 | 68 | case ots::kAnd: |
631 | 122 | case ots::kOr: |
632 | 260 | case ots::kEq: |
633 | 328 | case ots::kAdd: |
634 | 374 | case ots::kSub: |
635 | 374 | if (stack_size < 2) { |
636 | 1 | return OTS_FAILURE(); |
637 | 1 | } |
638 | 373 | argument_stack->pop(); |
639 | 373 | argument_stack->pop(); |
640 | 373 | argument_stack->push(dummy_result); |
641 | | // TODO(yusukes): Implement this. We should push a real value for all |
642 | | // arithmetic and conditional operations. |
643 | 373 | return true; |
644 | | |
645 | 85 | case ots::kNot: |
646 | 138 | case ots::kAbs: |
647 | 193 | case ots::kNeg: |
648 | 193 | if (stack_size < 1) { |
649 | 1 | return OTS_FAILURE(); |
650 | 1 | } |
651 | 192 | argument_stack->pop(); |
652 | 192 | argument_stack->push(dummy_result); |
653 | | // TODO(yusukes): Implement this. We should push a real value for all |
654 | | // arithmetic and conditional operations. |
655 | 192 | return true; |
656 | | |
657 | 475 | case ots::kDiv: |
658 | | // TODO(yusukes): Should detect div-by-zero errors. |
659 | 475 | if (stack_size < 2) { |
660 | 1 | return OTS_FAILURE(); |
661 | 1 | } |
662 | 474 | argument_stack->pop(); |
663 | 474 | argument_stack->pop(); |
664 | 474 | argument_stack->push(dummy_result); |
665 | | // TODO(yusukes): Implement this. We should push a real value for all |
666 | | // arithmetic and conditional operations. |
667 | 474 | return true; |
668 | | |
669 | 125 | case ots::kDrop: |
670 | 125 | if (stack_size < 1) { |
671 | 1 | return OTS_FAILURE(); |
672 | 1 | } |
673 | 124 | argument_stack->pop(); |
674 | 124 | return true; |
675 | | |
676 | 1 | case ots::kPut: |
677 | 3 | case ots::kGet: |
678 | 4 | case ots::kIndex: |
679 | | // For now, just call OTS_FAILURE since there is no way to check whether the |
680 | | // index argument, |i|, is out-of-bounds or not. Fortunately, no OpenType |
681 | | // fonts I have (except malicious ones!) use the operators. |
682 | | // TODO(yusukes): Implement them in a secure way. |
683 | 4 | return OTS_FAILURE(); |
684 | | |
685 | 1 | case ots::kRoll: |
686 | | // Likewise, just call OTS_FAILURE for kRoll since there is no way to check |
687 | | // whether |N| is smaller than the current stack depth or not. |
688 | | // TODO(yusukes): Implement them in a secure way. |
689 | 1 | return OTS_FAILURE(); |
690 | | |
691 | 1 | case ots::kRandom: |
692 | | // For now, we don't handle the 'random' operator since the operator makes |
693 | | // it hard to analyze hinting code statically. |
694 | 1 | return OTS_FAILURE(); |
695 | | |
696 | 174 | case ots::kIfElse: |
697 | 174 | if (stack_size < 4) { |
698 | 4 | return OTS_FAILURE(); |
699 | 4 | } |
700 | 170 | argument_stack->pop(); |
701 | 170 | argument_stack->pop(); |
702 | 170 | argument_stack->pop(); |
703 | 170 | argument_stack->pop(); |
704 | 170 | argument_stack->push(dummy_result); |
705 | | // TODO(yusukes): Implement this. We should push a real value for all |
706 | | // arithmetic and conditional operations. |
707 | 170 | return true; |
708 | | |
709 | 175 | case ots::kMul: |
710 | | // TODO(yusukes): Should detect overflows. |
711 | 175 | if (stack_size < 2) { |
712 | 1 | return OTS_FAILURE(); |
713 | 1 | } |
714 | 174 | argument_stack->pop(); |
715 | 174 | argument_stack->pop(); |
716 | 174 | argument_stack->push(dummy_result); |
717 | | // TODO(yusukes): Implement this. We should push a real value for all |
718 | | // arithmetic and conditional operations. |
719 | 174 | return true; |
720 | | |
721 | 99 | case ots::kSqrt: |
722 | | // TODO(yusukes): Should check if the argument is negative. |
723 | 99 | if (stack_size < 1) { |
724 | 1 | return OTS_FAILURE(); |
725 | 1 | } |
726 | 98 | argument_stack->pop(); |
727 | 98 | argument_stack->push(dummy_result); |
728 | | // TODO(yusukes): Implement this. We should push a real value for all |
729 | | // arithmetic and conditional operations. |
730 | 98 | return true; |
731 | | |
732 | 75 | case ots::kDup: |
733 | 75 | if (stack_size < 1) { |
734 | 1 | return OTS_FAILURE(); |
735 | 1 | } |
736 | 74 | argument_stack->pop(); |
737 | 74 | argument_stack->push(dummy_result); |
738 | 74 | argument_stack->push(dummy_result); |
739 | 74 | if (ArgumentStackOverflows(argument_stack, cs_ctx.cff2)) { |
740 | 1 | return OTS_FAILURE(); |
741 | 1 | } |
742 | | // TODO(yusukes): Implement this. We should push a real value for all |
743 | | // arithmetic and conditional operations. |
744 | 73 | return true; |
745 | | |
746 | 305 | case ots::kExch: |
747 | 305 | if (stack_size < 2) { |
748 | 2 | return OTS_FAILURE(); |
749 | 2 | } |
750 | 303 | argument_stack->pop(); |
751 | 303 | argument_stack->pop(); |
752 | 303 | argument_stack->push(dummy_result); |
753 | 303 | argument_stack->push(dummy_result); |
754 | | // TODO(yusukes): Implement this. We should push a real value for all |
755 | | // arithmetic and conditional operations. |
756 | 303 | return true; |
757 | | |
758 | 30 | case ots::kHFlex: |
759 | 30 | if (!(cs_ctx.width_seen)) { |
760 | 1 | return OTS_FAILURE(); |
761 | 1 | } |
762 | 29 | if (stack_size != 7) { |
763 | 1 | return OTS_FAILURE(); |
764 | 1 | } |
765 | 224 | while (!argument_stack->empty()) |
766 | 196 | argument_stack->pop(); |
767 | 28 | return true; |
768 | | |
769 | 29 | case ots::kFlex: |
770 | 29 | if (!(cs_ctx.width_seen)) { |
771 | 1 | return OTS_FAILURE(); |
772 | 1 | } |
773 | 28 | if (stack_size != 13) { |
774 | 1 | return OTS_FAILURE(); |
775 | 1 | } |
776 | 378 | while (!argument_stack->empty()) |
777 | 351 | argument_stack->pop(); |
778 | 27 | return true; |
779 | | |
780 | 14 | case ots::kHFlex1: |
781 | 14 | if (!(cs_ctx.width_seen)) { |
782 | 1 | return OTS_FAILURE(); |
783 | 1 | } |
784 | 13 | if (stack_size != 9) { |
785 | 2 | return OTS_FAILURE(); |
786 | 2 | } |
787 | 110 | while (!argument_stack->empty()) |
788 | 99 | argument_stack->pop(); |
789 | 11 | return true; |
790 | | |
791 | 15 | case ots::kFlex1: |
792 | 15 | if (!(cs_ctx.width_seen)) { |
793 | 1 | return OTS_FAILURE(); |
794 | 1 | } |
795 | 14 | if (stack_size != 11) { |
796 | 1 | return OTS_FAILURE(); |
797 | 1 | } |
798 | 156 | while (!argument_stack->empty()) |
799 | 143 | argument_stack->pop(); |
800 | 13 | return true; |
801 | 2.10M | } |
802 | | |
803 | 58 | return OTS_FAILURE_MSG("Undefined operator: %d (0x%x)", op, op); |
804 | 2.10M | } |
805 | | |
806 | | // Executes |char_string| and updates |argument_stack|. |
807 | | // |
808 | | // cff: parent OpenTypeCFF reference |
809 | | // call_depth: The current call depth. Initial value is zero. |
810 | | // global_subrs_index: Global subroutines. |
811 | | // local_subrs_index: Local subroutines for the current glyph. |
812 | | // cff_table: A whole CFF table which contains all global and local subroutines. |
813 | | // char_string: A charstring we'll execute. |char_string| can be a main routine |
814 | | // in CharString INDEX, or a subroutine in GlobalSubr/LocalSubr. |
815 | | // argument_stack: The stack which an operator in |char_string| operates. |
816 | | // cs_ctx: a CharStringContext holding values to persist across subrs, etc. |
817 | | // endchar_seen: true is set if |char_string| contains 'endchar'. |
818 | | // width_seen: true is set if |char_string| contains 'width' byte (which |
819 | | // is 0 or 1 byte) or if cff2 |
820 | | // num_stems: total number of hstems and vstems processed so far. |
821 | | // cff2: true if this is a CFF2 table |
822 | | // blend_seen: initially false; set to true if 'blend' operator encountered. |
823 | | // vsindex_seen: initially false; set to true if 'vsindex' encountered. |
824 | | // vsindex: initially = PrivateDICT's vsindex; may be changed by 'vsindex' |
825 | | // operator in CharString |
826 | | bool ExecuteCharString(ots::OpenTypeCFF& cff, |
827 | | size_t call_depth, |
828 | | const ots::CFFIndex& global_subrs_index, |
829 | | const ots::CFFIndex& local_subrs_index, |
830 | | ots::Buffer *cff_table, |
831 | | ots::Buffer *char_string, |
832 | | std::stack<int32_t> *argument_stack, |
833 | 575k | ots::CharStringContext& cs_ctx) { |
834 | 575k | if (call_depth > kMaxSubrNesting) { |
835 | 26 | return OTS_FAILURE(); |
836 | 26 | } |
837 | 575k | cs_ctx.endchar_seen = false; |
838 | | |
839 | 575k | const size_t length = char_string->length(); |
840 | 12.1M | while (char_string->offset() < length) { |
841 | 11.6M | int32_t operator_or_operand = 0; |
842 | 11.6M | bool is_operator = false; |
843 | 11.6M | if (!ReadNextNumberFromCharString(char_string, |
844 | 11.6M | &operator_or_operand, |
845 | 11.6M | &is_operator)) { |
846 | 13 | return OTS_FAILURE(); |
847 | 13 | } |
848 | | |
849 | | #ifdef DUMP_T2CHARSTRING |
850 | | /* |
851 | | You can dump all operators and operands (except mask bytes for hintmask |
852 | | and cntrmask) by the following code: |
853 | | */ |
854 | | |
855 | | if (!is_operator) { |
856 | | std::fprintf(stderr, "%d ", operator_or_operand); |
857 | | } else { |
858 | | std::fprintf(stderr, "%s\n", |
859 | | CharStringOperatorToString( |
860 | | ots::CharStringOperator(operator_or_operand)) |
861 | | ); |
862 | | } |
863 | | #endif |
864 | | |
865 | 11.6M | if (!is_operator) { |
866 | 9.56M | argument_stack->push(operator_or_operand); |
867 | 9.56M | if (ArgumentStackOverflows(argument_stack, cs_ctx.cff2)) { |
868 | 21 | return OTS_FAILURE(); |
869 | 21 | } |
870 | 9.56M | continue; |
871 | 9.56M | } |
872 | | |
873 | | // An operator is found. Execute it. |
874 | 2.10M | if (!ExecuteCharStringOperator(cff, |
875 | 2.10M | operator_or_operand, |
876 | 2.10M | call_depth, |
877 | 2.10M | global_subrs_index, |
878 | 2.10M | local_subrs_index, |
879 | 2.10M | cff_table, |
880 | 2.10M | char_string, |
881 | 2.10M | argument_stack, |
882 | 2.10M | cs_ctx)) { |
883 | 916 | return OTS_FAILURE(); |
884 | 916 | } |
885 | 2.10M | if (cs_ctx.endchar_seen) { |
886 | 19.6k | return true; |
887 | 19.6k | } |
888 | 2.08M | if (operator_or_operand == ots::kReturn) { |
889 | 37.9k | return true; |
890 | 37.9k | } |
891 | 2.08M | } |
892 | | |
893 | | // No endchar operator is found (CFF1 only) |
894 | 517k | if (cs_ctx.cff2) |
895 | 517k | return true; |
896 | 11 | return OTS_FAILURE(); |
897 | 517k | } |
898 | | |
899 | | // Selects a set of subroutines for |glyph_index| from |cff| and sets it on |
900 | | // |out_local_subrs_to_use|. Returns true on success. |
901 | | bool SelectLocalSubr(const ots::OpenTypeCFF& cff, |
902 | | uint16_t glyph_index, // 0-origin |
903 | 177k | const ots::CFFIndex **out_local_subrs_to_use) { |
904 | 177k | bool cff2 = (cff.major == 2); |
905 | 177k | *out_local_subrs_to_use = NULL; |
906 | | |
907 | | // First, find local subrs from |local_subrs_per_font|. |
908 | 177k | if ((cff.fd_select.size() > 0) && |
909 | 177k | (!cff.local_subrs_per_font.empty())) { |
910 | | // Look up FDArray index for the glyph. |
911 | 652 | const auto& iter = cff.fd_select.find(glyph_index); |
912 | 652 | if (iter == cff.fd_select.end()) { |
913 | 2 | return OTS_FAILURE(); |
914 | 2 | } |
915 | 650 | const auto fd_index = iter->second; |
916 | 650 | if (fd_index >= cff.local_subrs_per_font.size()) { |
917 | 2 | return OTS_FAILURE(); |
918 | 2 | } |
919 | 648 | *out_local_subrs_to_use = cff.local_subrs_per_font.at(fd_index); |
920 | 176k | } else if (cff.local_subrs) { |
921 | | // Second, try to use |local_subrs|. Most Latin fonts don't have FDSelect |
922 | | // entries. If The font has a local subrs index associated with the Top |
923 | | // DICT (not FDArrays), use it. |
924 | 12.6k | *out_local_subrs_to_use = cff.local_subrs; |
925 | 164k | } else if (cff2 && cff.local_subrs_per_font.size() == 1) { |
926 | 163k | *out_local_subrs_to_use = cff.local_subrs_per_font.at(0); |
927 | 163k | } else { |
928 | | // Just return NULL. |
929 | 558 | *out_local_subrs_to_use = NULL; |
930 | 558 | } |
931 | | |
932 | 177k | return true; |
933 | 177k | } |
934 | | |
935 | | } // namespace |
936 | | |
937 | | namespace ots { |
938 | | |
939 | | bool ValidateCFFCharStrings( |
940 | | ots::OpenTypeCFF& cff, |
941 | | const CFFIndex& global_subrs_index, |
942 | 598 | Buffer* cff_table) { |
943 | 598 | const CFFIndex& char_strings_index = *(cff.charstrings_index); |
944 | 598 | if (char_strings_index.offsets.size() == 0) { |
945 | 5 | return OTS_FAILURE(); // no charstring. |
946 | 5 | } |
947 | | |
948 | | // For each glyph, validate the corresponding charstring. |
949 | 177k | for (unsigned i = 1; i < char_strings_index.offsets.size(); ++i) { |
950 | | // Prepare a Buffer object, |char_string|, which contains the charstring |
951 | | // for the |i|-th glyph. |
952 | 177k | const size_t length = |
953 | 177k | char_strings_index.offsets[i] - char_strings_index.offsets[i - 1]; |
954 | 177k | if (length > kMaxCharStringLength) { |
955 | 0 | return OTS_FAILURE(); |
956 | 0 | } |
957 | 177k | const size_t offset = char_strings_index.offsets[i - 1]; |
958 | 177k | cff_table->set_offset(offset); |
959 | 177k | if (!cff_table->Skip(length)) { |
960 | 0 | return OTS_FAILURE(); |
961 | 0 | } |
962 | 177k | Buffer char_string(cff_table->buffer() + offset, length); |
963 | | |
964 | | // Get a local subrs for the glyph. |
965 | 177k | const unsigned glyph_index = i - 1; // index in the map is 0-origin. |
966 | 177k | const CFFIndex *local_subrs_to_use = NULL; |
967 | 177k | if (!SelectLocalSubr(cff, |
968 | 177k | glyph_index, |
969 | 177k | &local_subrs_to_use)) { |
970 | 4 | return OTS_FAILURE(); |
971 | 4 | } |
972 | | // If |local_subrs_to_use| is still NULL, use an empty one. |
973 | 177k | CFFIndex default_empty_subrs; |
974 | 177k | if (!local_subrs_to_use){ |
975 | 558 | local_subrs_to_use = &default_empty_subrs; |
976 | 558 | } |
977 | | |
978 | | // Check a charstring for the |i|-th glyph. |
979 | 177k | std::stack<int32_t> argument_stack; |
980 | | // Context to store values that must persist across subrs, etc. |
981 | 177k | CharStringContext cs_ctx; |
982 | 177k | cs_ctx.cff2 = (cff.major == 2); |
983 | | // CFF2 CharString has no value for width, so we start with true here to |
984 | | // error out if width is found. |
985 | 177k | cs_ctx.width_seen = cs_ctx.cff2; |
986 | | // CFF2 CharStrings' default vsindex comes from the associated PrivateDICT |
987 | 177k | if (cs_ctx.cff2) { |
988 | 163k | const auto& iter = cff.fd_select.find(glyph_index); |
989 | 163k | auto fd_index = 0; |
990 | 163k | if (iter != cff.fd_select.end()) { |
991 | 163 | fd_index = iter->second; |
992 | 163 | } |
993 | 163k | if (fd_index >= (int32_t)cff.vsindex_per_font.size()) { |
994 | | // shouldn't get this far with a font in this condition, but just in case |
995 | 1 | return OTS_FAILURE(); // fd_index out-of-range |
996 | 1 | } |
997 | 163k | cs_ctx.vsindex = cff.vsindex_per_font.at(fd_index); |
998 | 163k | } |
999 | | |
1000 | | #ifdef DUMP_T2CHARSTRING |
1001 | | fprintf(stderr, "\n---- CharString %*d ----\n", 5, glyph_index); |
1002 | | #endif |
1003 | | |
1004 | 177k | if (!ExecuteCharString(cff, |
1005 | 177k | 0 /* initial call_depth is zero */, |
1006 | 177k | global_subrs_index, *local_subrs_to_use, |
1007 | 177k | cff_table, &char_string, &argument_stack, |
1008 | 177k | cs_ctx)) { |
1009 | 380 | return OTS_FAILURE(); |
1010 | 380 | } |
1011 | 176k | if (!cs_ctx.cff2 && !cs_ctx.endchar_seen) { |
1012 | 4 | return OTS_FAILURE(); |
1013 | 4 | } |
1014 | 176k | } |
1015 | 204 | return true; |
1016 | 593 | } |
1017 | | |
1018 | | } // namespace ots |
1019 | | |
1020 | | #undef TABLE_NAME |