1 /**************************************************************************** 2 * 3 * gxvtrak.c 4 * 5 * TrueTypeGX/AAT trak table validation (body). 6 * 7 * Copyright 2004-2018 by 8 * suzuki toshiya, Masatake YAMATO, Red Hat K.K., 9 * David Turner, Robert Wilhelm, and Werner Lemberg. 10 * 11 * This file is part of the FreeType project, and may only be used, 12 * modified, and distributed under the terms of the FreeType project 13 * license, LICENSE.TXT. By continuing to use, modify, or distribute 14 * this file you indicate that you have read the license and 15 * understand and accept it fully. 16 * 17 */ 18 19 /**************************************************************************** 20 * 21 * gxvalid is derived from both gxlayout module and otvalid module. 22 * Development of gxlayout is supported by the Information-technology 23 * Promotion Agency(IPA), Japan. 24 * 25 */ 26 27 28 #include "gxvalid.h" 29 #include "gxvcommn.h" 30 31 32 /************************************************************************** 33 * 34 * The macro FT_COMPONENT is used in trace mode. It is an implicit 35 * parameter of the FT_TRACE() and FT_ERROR() macros, used to print/log 36 * messages during execution. 37 */ 38 #undef FT_COMPONENT 39 #define FT_COMPONENT trace_gxvtrak 40 41 42 /*************************************************************************/ 43 /*************************************************************************/ 44 /***** *****/ 45 /***** Data and Types *****/ 46 /***** *****/ 47 /*************************************************************************/ 48 /*************************************************************************/ 49 50 /* 51 * referred track table format specification: 52 * https://developer.apple.com/fonts/TrueType-Reference-Manual/RM06/Chap6trak.html 53 * last update was 1996. 54 * ---------------------------------------------- 55 * [MINIMUM HEADER]: GXV_TRAK_SIZE_MIN 56 * version (fixed: 32bit) = 0x00010000 57 * format (uint16: 16bit) = 0 is only defined (1996) 58 * horizOffset (uint16: 16bit) 59 * vertOffset (uint16: 16bit) 60 * reserved (uint16: 16bit) = 0 61 * ---------------------------------------------- 62 * [VARIABLE BODY]: 63 * horizData 64 * header ( 2 + 2 + 4 65 * trackTable + nTracks * ( 4 + 2 + 2 ) 66 * sizeTable + nSizes * 4 ) 67 * ---------------------------------------------- 68 * vertData 69 * header ( 2 + 2 + 4 70 * trackTable + nTracks * ( 4 + 2 + 2 ) 71 * sizeTable + nSizes * 4 ) 72 * ---------------------------------------------- 73 */ 74 typedef struct GXV_trak_DataRec_ 75 { 76 FT_UShort trackValueOffset_min; 77 FT_UShort trackValueOffset_max; 78 79 } GXV_trak_DataRec, *GXV_trak_Data; 80 81 82 #define GXV_TRAK_DATA( FIELD ) GXV_TABLE_DATA( trak, FIELD ) 83 84 85 /*************************************************************************/ 86 /*************************************************************************/ 87 /***** *****/ 88 /***** UTILITY FUNCTIONS *****/ 89 /***** *****/ 90 /*************************************************************************/ 91 /*************************************************************************/ 92 93 static void gxv_trak_trackTable_validate(FT_Bytes table,FT_Bytes limit,FT_UShort nTracks,GXV_Validator gxvalid)94 gxv_trak_trackTable_validate( FT_Bytes table, 95 FT_Bytes limit, 96 FT_UShort nTracks, 97 GXV_Validator gxvalid ) 98 { 99 FT_Bytes p = table; 100 101 FT_Fixed track, t; 102 FT_UShort nameIndex; 103 FT_UShort offset; 104 FT_UShort i, j; 105 106 107 GXV_NAME_ENTER( "trackTable" ); 108 109 GXV_TRAK_DATA( trackValueOffset_min ) = 0xFFFFU; 110 GXV_TRAK_DATA( trackValueOffset_max ) = 0x0000; 111 112 GXV_LIMIT_CHECK( nTracks * ( 4 + 2 + 2 ) ); 113 114 for ( i = 0; i < nTracks; i++ ) 115 { 116 p = table + i * ( 4 + 2 + 2 ); 117 track = FT_NEXT_LONG( p ); 118 nameIndex = FT_NEXT_USHORT( p ); 119 offset = FT_NEXT_USHORT( p ); 120 121 if ( offset < GXV_TRAK_DATA( trackValueOffset_min ) ) 122 GXV_TRAK_DATA( trackValueOffset_min ) = offset; 123 if ( offset > GXV_TRAK_DATA( trackValueOffset_max ) ) 124 GXV_TRAK_DATA( trackValueOffset_max ) = offset; 125 126 gxv_sfntName_validate( nameIndex, 256, 32767, gxvalid ); 127 128 for ( j = i; j < nTracks; j++ ) 129 { 130 p = table + j * ( 4 + 2 + 2 ); 131 t = FT_NEXT_LONG( p ); 132 if ( t == track ) 133 GXV_TRACE(( "duplicated entries found for track value 0x%x\n", 134 track )); 135 } 136 } 137 138 gxvalid->subtable_length = (FT_ULong)( p - table ); 139 GXV_EXIT; 140 } 141 142 143 static void gxv_trak_trackData_validate(FT_Bytes table,FT_Bytes limit,GXV_Validator gxvalid)144 gxv_trak_trackData_validate( FT_Bytes table, 145 FT_Bytes limit, 146 GXV_Validator gxvalid ) 147 { 148 FT_Bytes p = table; 149 FT_UShort nTracks; 150 FT_UShort nSizes; 151 FT_ULong sizeTableOffset; 152 153 GXV_ODTECT( 4, odtect ); 154 155 156 GXV_ODTECT_INIT( odtect ); 157 GXV_NAME_ENTER( "trackData" ); 158 159 /* read the header of trackData */ 160 GXV_LIMIT_CHECK( 2 + 2 + 4 ); 161 nTracks = FT_NEXT_USHORT( p ); 162 nSizes = FT_NEXT_USHORT( p ); 163 sizeTableOffset = FT_NEXT_ULONG( p ); 164 165 gxv_odtect_add_range( table, (FT_ULong)( p - table ), 166 "trackData header", odtect ); 167 168 /* validate trackTable */ 169 gxv_trak_trackTable_validate( p, limit, nTracks, gxvalid ); 170 gxv_odtect_add_range( p, gxvalid->subtable_length, 171 "trackTable", odtect ); 172 173 /* sizeTable is array of FT_Fixed, don't check contents */ 174 p = gxvalid->root->base + sizeTableOffset; 175 GXV_LIMIT_CHECK( nSizes * 4 ); 176 gxv_odtect_add_range( p, nSizes * 4, "sizeTable", odtect ); 177 178 /* validate trackValueOffet */ 179 p = gxvalid->root->base + GXV_TRAK_DATA( trackValueOffset_min ); 180 if ( limit - p < nTracks * nSizes * 2 ) 181 GXV_TRACE(( "too short trackValue array\n" )); 182 183 p = gxvalid->root->base + GXV_TRAK_DATA( trackValueOffset_max ); 184 GXV_LIMIT_CHECK( nSizes * 2 ); 185 186 gxv_odtect_add_range( gxvalid->root->base 187 + GXV_TRAK_DATA( trackValueOffset_min ), 188 GXV_TRAK_DATA( trackValueOffset_max ) 189 - GXV_TRAK_DATA( trackValueOffset_min ) 190 + nSizes * 2, 191 "trackValue array", odtect ); 192 193 gxv_odtect_validate( odtect, gxvalid ); 194 195 GXV_EXIT; 196 } 197 198 199 /*************************************************************************/ 200 /*************************************************************************/ 201 /***** *****/ 202 /***** trak TABLE *****/ 203 /***** *****/ 204 /*************************************************************************/ 205 /*************************************************************************/ 206 207 FT_LOCAL_DEF( void ) gxv_trak_validate(FT_Bytes table,FT_Face face,FT_Validator ftvalid)208 gxv_trak_validate( FT_Bytes table, 209 FT_Face face, 210 FT_Validator ftvalid ) 211 { 212 FT_Bytes p = table; 213 FT_Bytes limit = 0; 214 215 GXV_ValidatorRec gxvalidrec; 216 GXV_Validator gxvalid = &gxvalidrec; 217 GXV_trak_DataRec trakrec; 218 GXV_trak_Data trak = &trakrec; 219 220 FT_ULong version; 221 FT_UShort format; 222 FT_UShort horizOffset; 223 FT_UShort vertOffset; 224 FT_UShort reserved; 225 226 227 GXV_ODTECT( 3, odtect ); 228 229 GXV_ODTECT_INIT( odtect ); 230 gxvalid->root = ftvalid; 231 gxvalid->table_data = trak; 232 gxvalid->face = face; 233 234 limit = gxvalid->root->limit; 235 236 FT_TRACE3(( "validating `trak' table\n" )); 237 GXV_INIT; 238 239 GXV_LIMIT_CHECK( 4 + 2 + 2 + 2 + 2 ); 240 version = FT_NEXT_ULONG( p ); 241 format = FT_NEXT_USHORT( p ); 242 horizOffset = FT_NEXT_USHORT( p ); 243 vertOffset = FT_NEXT_USHORT( p ); 244 reserved = FT_NEXT_USHORT( p ); 245 246 GXV_TRACE(( " (version = 0x%08x)\n", version )); 247 GXV_TRACE(( " (format = 0x%04x)\n", format )); 248 GXV_TRACE(( " (horizOffset = 0x%04x)\n", horizOffset )); 249 GXV_TRACE(( " (vertOffset = 0x%04x)\n", vertOffset )); 250 GXV_TRACE(( " (reserved = 0x%04x)\n", reserved )); 251 252 /* Version 1.0 (always:1996) */ 253 if ( version != 0x00010000UL ) 254 FT_INVALID_FORMAT; 255 256 /* format 0 (always:1996) */ 257 if ( format != 0x0000 ) 258 FT_INVALID_FORMAT; 259 260 GXV_32BIT_ALIGNMENT_VALIDATE( horizOffset ); 261 GXV_32BIT_ALIGNMENT_VALIDATE( vertOffset ); 262 263 /* Reserved Fixed Value (always) */ 264 if ( reserved != 0x0000 ) 265 FT_INVALID_DATA; 266 267 /* validate trackData */ 268 if ( 0 < horizOffset ) 269 { 270 gxv_trak_trackData_validate( table + horizOffset, limit, gxvalid ); 271 gxv_odtect_add_range( table + horizOffset, gxvalid->subtable_length, 272 "horizJustData", odtect ); 273 } 274 275 if ( 0 < vertOffset ) 276 { 277 gxv_trak_trackData_validate( table + vertOffset, limit, gxvalid ); 278 gxv_odtect_add_range( table + vertOffset, gxvalid->subtable_length, 279 "vertJustData", odtect ); 280 } 281 282 gxv_odtect_validate( odtect, gxvalid ); 283 284 FT_TRACE4(( "\n" )); 285 } 286 287 288 /* END */ 289