1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 // This is the implementation of decompression of the proposed WOFF Ultra
6 // Condensed file format.
7
8 #include <cassert>
9 #include <cstdlib>
10 #include <vector>
11
12 #include <zlib.h>
13
14 #include "third_party/lzma_sdk/LzmaLib.h"
15
16 #include "opentype-sanitiser.h"
17 #include "ots-memory-stream.h"
18 #include "ots.h"
19 #include "woff2.h"
20
21 namespace {
22
23 // simple glyph flags
24 const int kGlyfOnCurve = 1 << 0;
25 const int kGlyfXShort = 1 << 1;
26 const int kGlyfYShort = 1 << 2;
27 const int kGlyfRepeat = 1 << 3;
28 const int kGlyfThisXIsSame = 1 << 4;
29 const int kGlyfThisYIsSame = 1 << 5;
30
31 // composite glyph flags
32 const int FLAG_ARG_1_AND_2_ARE_WORDS = 1 << 0;
33 const int FLAG_WE_HAVE_A_SCALE = 1 << 3;
34 const int FLAG_MORE_COMPONENTS = 1 << 5;
35 const int FLAG_WE_HAVE_AN_X_AND_Y_SCALE = 1 << 6;
36 const int FLAG_WE_HAVE_A_TWO_BY_TWO = 1 << 7;
37 const int FLAG_WE_HAVE_INSTRUCTIONS = 1 << 8;
38
39 const size_t kSfntHeaderSize = 12;
40 const size_t kSfntEntrySize = 16;
41 const size_t kCheckSumAdjustmentOffset = 8;
42
43 const size_t kEndPtsOfContoursOffset = 10;
44 const size_t kCompositeGlyphBegin = 10;
45
46 // Note that the byte order is big-endian, not the same as ots.cc
47 #define TAG(a, b, c, d) ((a << 24) | (b << 16) | (c << 8) | d)
48
49 const unsigned int kWoff2FlagsContinueStream = 1 << 4;
50 const unsigned int kWoff2FlagsTransform = 1 << 5;
51
52 const size_t kLzmaHeaderSize = 13;
53
54 // Compression type values common to both short and long formats
55 const uint32_t kCompressionTypeMask = 0xf;
56 const uint32_t kCompressionTypeNone = 0;
57 const uint32_t kCompressionTypeGzip = 1;
58 const uint32_t kCompressionTypeLzma = 2;
59
60 // This is a special value for the short format only, as described in
61 // "Design for compressed header format" in draft doc.
62 const uint32_t kShortFlagsContinue = 3;
63
64 const uint32_t kKnownTags[] = {
65 TAG('c', 'm', 'a', 'p'), // 0
66 TAG('h', 'e', 'a', 'd'), // 1
67 TAG('h', 'h', 'e', 'a'), // 2
68 TAG('h', 'm', 't', 'x'), // 3
69 TAG('m', 'a', 'x', 'p'), // 4
70 TAG('n', 'a', 'm', 'e'), // 5
71 TAG('O', 'S', '/', '2'), // 6
72 TAG('p', 'o', 's', 't'), // 7
73 TAG('c', 'v', 't', ' '), // 8
74 TAG('f', 'p', 'g', 'm'), // 9
75 TAG('g', 'l', 'y', 'f'), // 10
76 TAG('l', 'o', 'c', 'a'), // 11
77 TAG('p', 'r', 'e', 'p'), // 12
78 TAG('C', 'F', 'F', ' '), // 13
79 TAG('V', 'O', 'R', 'G'), // 14
80 TAG('E', 'B', 'D', 'T'), // 15
81 TAG('E', 'B', 'L', 'C'), // 16
82 TAG('g', 'a', 's', 'p'), // 17
83 TAG('h', 'd', 'm', 'x'), // 18
84 TAG('k', 'e', 'r', 'n'), // 19
85 TAG('L', 'T', 'S', 'H'), // 20
86 TAG('P', 'C', 'L', 'T'), // 21
87 TAG('V', 'D', 'M', 'X'), // 22
88 TAG('v', 'h', 'e', 'a'), // 23
89 TAG('v', 'm', 't', 'x'), // 24
90 TAG('B', 'A', 'S', 'E'), // 25
91 TAG('G', 'D', 'E', 'F'), // 26
92 TAG('G', 'P', 'O', 'S'), // 27
93 TAG('G', 'S', 'U', 'B'), // 28
94 };
95
96 struct Point {
97 int x;
98 int y;
99 bool on_curve;
100 };
101
102 struct Table {
103 uint32_t tag;
104 uint32_t flags;
105 uint32_t src_offset;
106 uint32_t src_length;
107
108 uint32_t transform_length;
109
110 uint32_t dst_offset;
111 uint32_t dst_length;
112
Table__anon32261cc20111::Table113 Table()
114 : tag(0),
115 flags(0),
116 src_offset(0),
117 src_length(0),
118 transform_length(0),
119 dst_offset(0),
120 dst_length(0) {}
121 };
122
123 // Based on section 6.1.1 of MicroType Express draft spec
Read255UShort(ots::Buffer * buf,unsigned int * value)124 bool Read255UShort(ots::Buffer* buf, unsigned int* value) {
125 static const int kWordCode = 253;
126 static const int kOneMoreByteCode2 = 254;
127 static const int kOneMoreByteCode1 = 255;
128 static const int kLowestUCode = 253;
129 uint8_t code = 0;
130 if (!buf->ReadU8(&code)) {
131 return OTS_FAILURE();
132 }
133 if (code == kWordCode) {
134 uint16_t result = 0;
135 if (!buf->ReadU16(&result)) {
136 return OTS_FAILURE();
137 }
138 *value = result;
139 return true;
140 } else if (code == kOneMoreByteCode1) {
141 uint8_t result = 0;
142 if (!buf->ReadU8(&result)) {
143 return OTS_FAILURE();
144 }
145 *value = result + kLowestUCode;
146 return true;
147 } else if (code == kOneMoreByteCode2) {
148 uint8_t result = 0;
149 if (!buf->ReadU8(&result)) {
150 return OTS_FAILURE();
151 }
152 *value = result + kLowestUCode * 2;
153 return true;
154 } else {
155 *value = code;
156 return true;
157 }
158 }
159
ReadBase128(ots::Buffer * buf,uint32_t * value)160 bool ReadBase128(ots::Buffer* buf, uint32_t* value) {
161 uint32_t result = 0;
162 for (size_t i = 0; i < 5; ++i) {
163 uint8_t code = 0;
164 if (!buf->ReadU8(&code)) {
165 return OTS_FAILURE();
166 }
167 // If any of the top seven bits are set then we're about to overflow.
168 if (result & 0xe0000000U) {
169 return OTS_FAILURE();
170 }
171 result = (result << 7) | (code & 0x7f);
172 if ((code & 0x80) == 0) {
173 *value = result;
174 return true;
175 }
176 }
177 // Make sure not to exceed the size bound
178 return OTS_FAILURE();
179 }
180
181 // Caller must ensure that buffer overrun won't happen.
182 // TODO(ksakamaoto): Consider creating 'writer' version of the Buffer class
183 // and use it across the code.
StoreU32(uint8_t * dst,size_t offset,uint32_t x)184 size_t StoreU32(uint8_t* dst, size_t offset, uint32_t x) {
185 dst[offset] = x >> 24;
186 dst[offset + 1] = x >> 16;
187 dst[offset + 2] = x >> 8;
188 dst[offset + 3] = x;
189 return offset + 4;
190 }
191
Store16(uint8_t * dst,size_t offset,int x)192 size_t Store16(uint8_t* dst, size_t offset, int x) {
193 dst[offset] = x >> 8;
194 dst[offset + 1] = x;
195 return offset + 2;
196 }
197
WithSign(int flag,int baseval)198 int WithSign(int flag, int baseval) {
199 assert(0 <= baseval && baseval < 65536);
200 return (flag & 1) ? baseval : -baseval;
201 }
202
TripletDecode(const uint8_t * flags_in,const uint8_t * in,size_t in_size,unsigned int n_points,std::vector<Point> * result,size_t * in_bytes_consumed)203 bool TripletDecode(const uint8_t* flags_in, const uint8_t* in, size_t in_size,
204 unsigned int n_points, std::vector<Point>* result,
205 size_t* in_bytes_consumed) {
206 int x = 0;
207 int y = 0;
208
209 // Early return if |in| buffer is too small. Each point consumes 1-4 bytes.
210 if (n_points > in_size) {
211 return OTS_FAILURE();
212 }
213 unsigned int triplet_index = 0;
214
215 for (unsigned int i = 0; i < n_points; ++i) {
216 uint8_t flag = flags_in[i];
217 bool on_curve = !(flag >> 7);
218 flag &= 0x7f;
219 unsigned int n_data_bytes;
220 if (flag < 84) {
221 n_data_bytes = 1;
222 } else if (flag < 120) {
223 n_data_bytes = 2;
224 } else if (flag < 124) {
225 n_data_bytes = 3;
226 } else {
227 n_data_bytes = 4;
228 }
229 if (triplet_index + n_data_bytes > in_size ||
230 triplet_index + n_data_bytes < triplet_index) {
231 return OTS_FAILURE();
232 }
233 int dx, dy;
234 if (flag < 10) {
235 dx = 0;
236 dy = WithSign(flag, ((flag & 14) << 7) + in[triplet_index]);
237 } else if (flag < 20) {
238 dx = WithSign(flag, (((flag - 10) & 14) << 7) + in[triplet_index]);
239 dy = 0;
240 } else if (flag < 84) {
241 int b0 = flag - 20;
242 int b1 = in[triplet_index];
243 dx = WithSign(flag, 1 + (b0 & 0x30) + (b1 >> 4));
244 dy = WithSign(flag >> 1, 1 + ((b0 & 0x0c) << 2) + (b1 & 0x0f));
245 } else if (flag < 120) {
246 int b0 = flag - 84;
247 dx = WithSign(flag, 1 + ((b0 / 12) << 8) + in[triplet_index]);
248 dy = WithSign(flag >> 1,
249 1 + (((b0 % 12) >> 2) << 8) + in[triplet_index + 1]);
250 } else if (flag < 124) {
251 int b2 = in[triplet_index + 1];
252 dx = WithSign(flag, (in[triplet_index] << 4) + (b2 >> 4));
253 dy = WithSign(flag >> 1, ((b2 & 0x0f) << 8) + in[triplet_index + 2]);
254 } else {
255 dx = WithSign(flag, (in[triplet_index] << 8) + in[triplet_index + 1]);
256 dy = WithSign(flag >> 1,
257 (in[triplet_index + 2] << 8) + in[triplet_index + 3]);
258 }
259 triplet_index += n_data_bytes;
260 // Possible overflow but coordinate values are not security sensitive
261 x += dx;
262 y += dy;
263 result->push_back(Point());
264 Point& back = result->back();
265 back.x = x;
266 back.y = y;
267 back.on_curve = on_curve;
268 }
269 *in_bytes_consumed = triplet_index;
270 return true;
271 }
272
273 // This function stores just the point data. On entry, dst points to the
274 // beginning of a simple glyph. Returns true on success.
StorePoints(const std::vector<Point> & points,unsigned int n_contours,unsigned int instruction_length,uint8_t * dst,size_t dst_size,size_t * glyph_size)275 bool StorePoints(const std::vector<Point>& points,
276 unsigned int n_contours, unsigned int instruction_length,
277 uint8_t* dst, size_t dst_size, size_t* glyph_size) {
278 // I believe that n_contours < 65536, in which case this is safe. However, a
279 // comment and/or an assert would be good.
280 unsigned int flag_offset = kEndPtsOfContoursOffset + 2 * n_contours + 2 +
281 instruction_length;
282 int last_flag = -1;
283 int repeat_count = 0;
284 int last_x = 0;
285 int last_y = 0;
286 unsigned int x_bytes = 0;
287 unsigned int y_bytes = 0;
288
289 for (size_t i = 0; i < points.size(); ++i) {
290 const Point& point = points.at(i);
291 int flag = point.on_curve ? kGlyfOnCurve : 0;
292 int dx = point.x - last_x;
293 int dy = point.y - last_y;
294 if (dx == 0) {
295 flag |= kGlyfThisXIsSame;
296 } else if (dx > -256 && dx < 256) {
297 flag |= kGlyfXShort | (dx > 0 ? kGlyfThisXIsSame : 0);
298 x_bytes += 1;
299 } else {
300 x_bytes += 2;
301 }
302 if (dy == 0) {
303 flag |= kGlyfThisYIsSame;
304 } else if (dy > -256 && dy < 256) {
305 flag |= kGlyfYShort | (dy > 0 ? kGlyfThisYIsSame : 0);
306 y_bytes += 1;
307 } else {
308 y_bytes += 2;
309 }
310
311 if (flag == last_flag && repeat_count != 255) {
312 dst[flag_offset - 1] |= kGlyfRepeat;
313 repeat_count++;
314 } else {
315 if (repeat_count != 0) {
316 if (flag_offset >= dst_size) {
317 return OTS_FAILURE();
318 }
319 dst[flag_offset++] = repeat_count;
320 }
321 if (flag_offset >= dst_size) {
322 return OTS_FAILURE();
323 }
324 dst[flag_offset++] = flag;
325 repeat_count = 0;
326 }
327 last_x = point.x;
328 last_y = point.y;
329 last_flag = flag;
330 }
331
332 if (repeat_count != 0) {
333 if (flag_offset >= dst_size) {
334 return OTS_FAILURE();
335 }
336 dst[flag_offset++] = repeat_count;
337 }
338 unsigned int xy_bytes = x_bytes + y_bytes;
339 if (xy_bytes < x_bytes ||
340 flag_offset + xy_bytes < flag_offset ||
341 flag_offset + xy_bytes > dst_size) {
342 return OTS_FAILURE();
343 }
344
345 int x_offset = flag_offset;
346 int y_offset = flag_offset + x_bytes;
347 last_x = 0;
348 last_y = 0;
349 for (size_t i = 0; i < points.size(); ++i) {
350 int dx = points.at(i).x - last_x;
351 if (dx == 0) {
352 // pass
353 } else if (dx > -256 && dx < 256) {
354 dst[x_offset++] = std::abs(dx);
355 } else {
356 // will always fit for valid input, but overflow is harmless
357 x_offset = Store16(dst, x_offset, dx);
358 }
359 last_x += dx;
360 int dy = points.at(i).y - last_y;
361 if (dy == 0) {
362 // pass
363 } else if (dy > -256 && dy < 256) {
364 dst[y_offset++] = std::abs(dy);
365 } else {
366 y_offset = Store16(dst, y_offset, dy);
367 }
368 last_y += dy;
369 }
370 *glyph_size = y_offset;
371 return true;
372 }
373
374 // Compute the bounding box of the coordinates, and store into a glyf buffer.
375 // A precondition is that there are at least 10 bytes available.
ComputeBbox(const std::vector<Point> & points,uint8_t * dst)376 void ComputeBbox(const std::vector<Point>& points, uint8_t* dst) {
377 int x_min = 0;
378 int y_min = 0;
379 int x_max = 0;
380 int y_max = 0;
381
382 for (size_t i = 0; i < points.size(); ++i) {
383 int x = points.at(i).x;
384 int y = points.at(i).y;
385 if (i == 0 || x < x_min) x_min = x;
386 if (i == 0 || x > x_max) x_max = x;
387 if (i == 0 || y < y_min) y_min = y;
388 if (i == 0 || y > y_max) y_max = y;
389 }
390 size_t offset = 2;
391 offset = Store16(dst, offset, x_min);
392 offset = Store16(dst, offset, y_min);
393 offset = Store16(dst, offset, x_max);
394 offset = Store16(dst, offset, y_max);
395 }
396
397 // Process entire bbox stream. This is done as a separate pass to allow for
398 // composite bbox computations (an optional more aggressive transform).
ProcessBboxStream(ots::Buffer * bbox_stream,unsigned int n_glyphs,const std::vector<uint32_t> & loca_values,uint8_t * glyf_buf,size_t glyf_buf_length)399 bool ProcessBboxStream(ots::Buffer* bbox_stream, unsigned int n_glyphs,
400 const std::vector<uint32_t>& loca_values, uint8_t* glyf_buf,
401 size_t glyf_buf_length) {
402 const uint8_t* buf = bbox_stream->buffer();
403 if (n_glyphs >= 65536 || loca_values.size() != n_glyphs + 1) {
404 return OTS_FAILURE();
405 }
406 // Safe because n_glyphs is bounded
407 unsigned int bitmap_length = ((n_glyphs + 31) >> 5) << 2;
408 if (!bbox_stream->Skip(bitmap_length)) {
409 return OTS_FAILURE();
410 }
411 for (unsigned int i = 0; i < n_glyphs; ++i) {
412 if (buf[i >> 3] & (0x80 >> (i & 7))) {
413 uint32_t loca_offset = loca_values.at(i);
414 if (loca_values.at(i + 1) - loca_offset < kEndPtsOfContoursOffset) {
415 return OTS_FAILURE();
416 }
417 if (glyf_buf_length < 2 + 10 ||
418 loca_offset > glyf_buf_length - 2 - 10) {
419 return OTS_FAILURE();
420 }
421 if (!bbox_stream->Read(glyf_buf + loca_offset + 2, 8)) {
422 return OTS_FAILURE();
423 }
424 }
425 }
426 return true;
427 }
428
ProcessComposite(ots::Buffer * composite_stream,uint8_t * dst,size_t dst_size,size_t * glyph_size,bool * have_instructions)429 bool ProcessComposite(ots::Buffer* composite_stream, uint8_t* dst,
430 size_t dst_size, size_t* glyph_size, bool* have_instructions) {
431 size_t start_offset = composite_stream->offset();
432 bool we_have_instructions = false;
433
434 uint16_t flags = FLAG_MORE_COMPONENTS;
435 while (flags & FLAG_MORE_COMPONENTS) {
436 if (!composite_stream->ReadU16(&flags)) {
437 return OTS_FAILURE();
438 }
439 we_have_instructions |= (flags & FLAG_WE_HAVE_INSTRUCTIONS) != 0;
440 size_t arg_size = 2; // glyph index
441 if (flags & FLAG_ARG_1_AND_2_ARE_WORDS) {
442 arg_size += 4;
443 } else {
444 arg_size += 2;
445 }
446 if (flags & FLAG_WE_HAVE_A_SCALE) {
447 arg_size += 2;
448 } else if (flags & FLAG_WE_HAVE_AN_X_AND_Y_SCALE) {
449 arg_size += 4;
450 } else if (flags & FLAG_WE_HAVE_A_TWO_BY_TWO) {
451 arg_size += 8;
452 }
453 if (!composite_stream->Skip(arg_size)) {
454 return OTS_FAILURE();
455 }
456 }
457 size_t composite_glyph_size = composite_stream->offset() - start_offset;
458 if (composite_glyph_size + kCompositeGlyphBegin > dst_size) {
459 return OTS_FAILURE();
460 }
461 Store16(dst, 0, 0xffff); // nContours = -1 for composite glyph
462 std::memcpy(dst + kCompositeGlyphBegin,
463 composite_stream->buffer() + start_offset,
464 composite_glyph_size);
465 *glyph_size = kCompositeGlyphBegin + composite_glyph_size;
466 *have_instructions = we_have_instructions;
467 return true;
468 }
469
470 // Build TrueType loca table
StoreLoca(const std::vector<uint32_t> & loca_values,int index_format,uint8_t * dst,size_t dst_size)471 bool StoreLoca(const std::vector<uint32_t>& loca_values, int index_format,
472 uint8_t* dst, size_t dst_size) {
473 const uint64_t loca_size = loca_values.size();
474 const uint64_t offset_size = index_format ? 4 : 2;
475 if ((loca_size << 2) >> 2 != loca_size) {
476 return OTS_FAILURE();
477 }
478 // No integer overflow here (loca_size <= 2^16).
479 if (offset_size * loca_size > dst_size) {
480 return OTS_FAILURE();
481 }
482 size_t offset = 0;
483 for (size_t i = 0; i < loca_values.size(); ++i) {
484 uint32_t value = loca_values.at(i);
485 if (index_format) {
486 offset = StoreU32(dst, offset, value);
487 } else {
488 offset = Store16(dst, offset, value >> 1);
489 }
490 }
491 return true;
492 }
493
494 // Reconstruct entire glyf table based on transformed original
ReconstructGlyf(const uint8_t * data,size_t data_size,uint8_t * dst,size_t dst_size,uint8_t * loca_buf,size_t loca_size)495 bool ReconstructGlyf(const uint8_t* data, size_t data_size,
496 uint8_t* dst, size_t dst_size,
497 uint8_t* loca_buf, size_t loca_size) {
498 static const int kNumSubStreams = 7;
499 ots::Buffer file(data, data_size);
500 uint32_t version;
501 std::vector<std::pair<const uint8_t*, size_t> > substreams(kNumSubStreams);
502
503 if (!file.ReadU32(&version)) {
504 return OTS_FAILURE();
505 }
506 uint16_t num_glyphs;
507 uint16_t index_format;
508 if (!file.ReadU16(&num_glyphs) ||
509 !file.ReadU16(&index_format)) {
510 return OTS_FAILURE();
511 }
512 unsigned int offset = (2 + kNumSubStreams) * 4;
513 if (offset > data_size) {
514 return OTS_FAILURE();
515 }
516 // Invariant from here on: data_size >= offset
517 for (int i = 0; i < kNumSubStreams; ++i) {
518 uint32_t substream_size;
519 if (!file.ReadU32(&substream_size)) {
520 return OTS_FAILURE();
521 }
522 if (substream_size > data_size - offset) {
523 return OTS_FAILURE();
524 }
525 substreams.at(i) = std::make_pair(data + offset, substream_size);
526 offset += substream_size;
527 }
528 ots::Buffer n_contour_stream(substreams.at(0).first, substreams.at(0).second);
529 ots::Buffer n_points_stream(substreams.at(1).first, substreams.at(1).second);
530 ots::Buffer flag_stream(substreams.at(2).first, substreams.at(2).second);
531 ots::Buffer glyph_stream(substreams.at(3).first, substreams.at(3).second);
532 ots::Buffer composite_stream(substreams.at(4).first, substreams.at(4).second);
533 ots::Buffer bbox_stream(substreams.at(5).first, substreams.at(5).second);
534 ots::Buffer instruction_stream(substreams.at(6).first,
535 substreams.at(6).second);
536
537 std::vector<uint32_t> loca_values;
538 loca_values.reserve(num_glyphs + 1);
539 std::vector<unsigned int> n_points_vec;
540 std::vector<Point> points;
541 uint32_t loca_offset = 0;
542 for (unsigned int i = 0; i < num_glyphs; ++i) {
543 size_t glyph_size = 0;
544 uint16_t n_contours = 0;
545 if (!n_contour_stream.ReadU16(&n_contours)) {
546 return OTS_FAILURE();
547 }
548 uint8_t* glyf_dst = dst + loca_offset;
549 size_t glyf_dst_size = dst_size - loca_offset;
550 if (n_contours == 0xffff) {
551 // composite glyph
552 bool have_instructions = false;
553 unsigned int instruction_size = 0;
554 if (!ProcessComposite(&composite_stream, glyf_dst, glyf_dst_size,
555 &glyph_size, &have_instructions)) {
556 return OTS_FAILURE();
557 }
558 if (have_instructions) {
559 if (!Read255UShort(&glyph_stream, &instruction_size)) {
560 return OTS_FAILURE();
561 }
562 // No integer overflow here (instruction_size < 2^16).
563 if (instruction_size + 2 > glyf_dst_size - glyph_size) {
564 return OTS_FAILURE();
565 }
566 Store16(glyf_dst, glyph_size, instruction_size);
567 if (!instruction_stream.Read(glyf_dst + glyph_size + 2,
568 instruction_size)) {
569 return OTS_FAILURE();
570 }
571 glyph_size += instruction_size + 2;
572 }
573 } else if (n_contours > 0) {
574 // simple glyph
575 n_points_vec.clear();
576 points.clear();
577 unsigned int total_n_points = 0;
578 unsigned int n_points_contour;
579 for (unsigned int j = 0; j < n_contours; ++j) {
580 if (!Read255UShort(&n_points_stream, &n_points_contour)) {
581 return OTS_FAILURE();
582 }
583 n_points_vec.push_back(n_points_contour);
584 if (total_n_points + n_points_contour < total_n_points) {
585 return OTS_FAILURE();
586 }
587 total_n_points += n_points_contour;
588 }
589 unsigned int flag_size = total_n_points;
590 if (flag_size > flag_stream.length() - flag_stream.offset()) {
591 return OTS_FAILURE();
592 }
593 const uint8_t* flags_buf = flag_stream.buffer() + flag_stream.offset();
594 const uint8_t* triplet_buf = glyph_stream.buffer() +
595 glyph_stream.offset();
596 size_t triplet_size = glyph_stream.length() - glyph_stream.offset();
597 size_t triplet_bytes_consumed = 0;
598 if (!TripletDecode(flags_buf, triplet_buf, triplet_size, total_n_points,
599 &points, &triplet_bytes_consumed)) {
600 return OTS_FAILURE();
601 }
602 const uint32_t header_and_endpts_contours_size =
603 kEndPtsOfContoursOffset + 2 * n_contours;
604 if (glyf_dst_size < header_and_endpts_contours_size) {
605 return OTS_FAILURE();
606 }
607 Store16(glyf_dst, 0, n_contours);
608 ComputeBbox(points, glyf_dst);
609 size_t offset = kEndPtsOfContoursOffset;
610 int end_point = -1;
611 for (unsigned int contour_ix = 0; contour_ix < n_contours; ++contour_ix) {
612 end_point += n_points_vec.at(contour_ix);
613 if (end_point >= 65536) {
614 return OTS_FAILURE();
615 }
616 offset = Store16(glyf_dst, offset, end_point);
617 }
618 if (!flag_stream.Skip(flag_size)) {
619 return OTS_FAILURE();
620 }
621 if (!glyph_stream.Skip(triplet_bytes_consumed)) {
622 return OTS_FAILURE();
623 }
624 unsigned int instruction_size;
625 if (!Read255UShort(&glyph_stream, &instruction_size)) {
626 return OTS_FAILURE();
627 }
628 // No integer overflow here (instruction_size < 2^16).
629 if (glyf_dst_size - header_and_endpts_contours_size <
630 instruction_size + 2) {
631 return OTS_FAILURE();
632 }
633 uint8_t* instruction_dst = glyf_dst + header_and_endpts_contours_size;
634 Store16(instruction_dst, 0, instruction_size);
635 if (!instruction_stream.Read(instruction_dst + 2, instruction_size)) {
636 return OTS_FAILURE();
637 }
638 if (!StorePoints(points, n_contours, instruction_size,
639 glyf_dst, glyf_dst_size, &glyph_size)) {
640 return OTS_FAILURE();
641 }
642 } else {
643 glyph_size = 0;
644 }
645 loca_values.push_back(loca_offset);
646 if (glyph_size + 3 < glyph_size) {
647 return OTS_FAILURE();
648 }
649 glyph_size = ots::Round2(glyph_size);
650 if (glyph_size > dst_size - loca_offset) {
651 // This shouldn't happen, but this test defensively maintains the
652 // invariant that loca_offset <= dst_size.
653 return OTS_FAILURE();
654 }
655 loca_offset += glyph_size;
656 }
657 loca_values.push_back(loca_offset);
658 assert(loca_values.size() == static_cast<size_t>(num_glyphs + 1));
659 if (!ProcessBboxStream(&bbox_stream, num_glyphs, loca_values,
660 dst, dst_size)) {
661 return OTS_FAILURE();
662 }
663 return StoreLoca(loca_values, index_format, loca_buf, loca_size);
664 }
665
666 // This is linear search, but could be changed to binary because we
667 // do have a guarantee that the tables are sorted by tag. But the total
668 // cpu time is expected to be very small in any case.
FindTable(const std::vector<Table> & tables,uint32_t tag)669 const Table* FindTable(const std::vector<Table>& tables, uint32_t tag) {
670 size_t n_tables = tables.size();
671 for (size_t i = 0; i < n_tables; ++i) {
672 if (tables.at(i).tag == tag) {
673 return &tables.at(i);
674 }
675 }
676 return NULL;
677 }
678
ReconstructTransformed(const std::vector<Table> & tables,uint32_t tag,const uint8_t * transformed_buf,size_t transformed_size,uint8_t * dst,size_t dst_length)679 bool ReconstructTransformed(const std::vector<Table>& tables, uint32_t tag,
680 const uint8_t* transformed_buf, size_t transformed_size,
681 uint8_t* dst, size_t dst_length) {
682 if (tag == TAG('g', 'l', 'y', 'f')) {
683 const Table* glyf_table = FindTable(tables, tag);
684 const Table* loca_table = FindTable(tables, TAG('l', 'o', 'c', 'a'));
685 if (glyf_table == NULL || loca_table == NULL) {
686 return OTS_FAILURE();
687 }
688 if (static_cast<uint64_t>(glyf_table->dst_offset) + glyf_table->dst_length >
689 dst_length) {
690 return OTS_FAILURE();
691 }
692 if (static_cast<uint64_t>(loca_table->dst_offset) + loca_table->dst_length >
693 dst_length) {
694 return OTS_FAILURE();
695 }
696 return ReconstructGlyf(transformed_buf, transformed_size,
697 dst + glyf_table->dst_offset, glyf_table->dst_length,
698 dst + loca_table->dst_offset, loca_table->dst_length);
699 } else if (tag == TAG('l', 'o', 'c', 'a')) {
700 // processing was already done by glyf table, but validate
701 if (!FindTable(tables, TAG('g', 'l', 'y', 'f'))) {
702 return OTS_FAILURE();
703 }
704 } else {
705 // transform for the tag is not known
706 return OTS_FAILURE();
707 }
708 return true;
709 }
710
ComputeChecksum(const uint8_t * buf,size_t size)711 uint32_t ComputeChecksum(const uint8_t* buf, size_t size) {
712 uint32_t checksum = 0;
713 for (size_t i = 0; i < size; i += 4) {
714 // We assume the addition is mod 2^32, which is valid because unsigned
715 checksum += (buf[i] << 24) | (buf[i + 1] << 16) |
716 (buf[i + 2] << 8) | buf[i + 3];
717 }
718 return checksum;
719 }
720
FixChecksums(const std::vector<Table> & tables,uint8_t * dst)721 bool FixChecksums(const std::vector<Table>& tables, uint8_t* dst) {
722 const Table* head_table = FindTable(tables, TAG('h', 'e', 'a', 'd'));
723 if (head_table == NULL ||
724 head_table->dst_length < kCheckSumAdjustmentOffset + 4) {
725 return OTS_FAILURE();
726 }
727 size_t adjustment_offset = head_table->dst_offset + kCheckSumAdjustmentOffset;
728 if (adjustment_offset < head_table->dst_offset) {
729 return OTS_FAILURE();
730 }
731 StoreU32(dst, adjustment_offset, 0);
732 size_t n_tables = tables.size();
733 uint32_t file_checksum = 0;
734 for (size_t i = 0; i < n_tables; ++i) {
735 const Table* table = &tables.at(i);
736 size_t table_length = table->dst_length;
737 uint8_t* table_data = dst + table->dst_offset;
738 uint32_t checksum = ComputeChecksum(table_data, table_length);
739 StoreU32(dst, kSfntHeaderSize + i * kSfntEntrySize + 4, checksum);
740 file_checksum += checksum; // The addition is mod 2^32
741 }
742 file_checksum += ComputeChecksum(dst,
743 kSfntHeaderSize + kSfntEntrySize * n_tables);
744 uint32_t checksum_adjustment = 0xb1b0afba - file_checksum;
745 StoreU32(dst, adjustment_offset, checksum_adjustment);
746 return true;
747 }
748
Woff2Uncompress(uint8_t * dst_buf,size_t dst_size,const uint8_t * src_buf,size_t src_size,uint32_t compression_type)749 bool Woff2Uncompress(uint8_t* dst_buf, size_t dst_size,
750 const uint8_t* src_buf, size_t src_size, uint32_t compression_type) {
751 if (compression_type == kCompressionTypeGzip) {
752 uLongf uncompressed_length = dst_size;
753 int r = uncompress(reinterpret_cast<Bytef *>(dst_buf), &uncompressed_length,
754 src_buf, src_size);
755 if (r != Z_OK || uncompressed_length != dst_size) {
756 return OTS_FAILURE();
757 }
758 return true;
759 } else if (compression_type == kCompressionTypeLzma) {
760 if (src_size < kLzmaHeaderSize) {
761 // Make sure we have at least a full Lzma header
762 return OTS_FAILURE();
763 }
764 // TODO: check that size matches (or elide size?)
765 size_t uncompressed_size = dst_size;
766 size_t compressed_size = src_size;
767 int result = LzmaUncompress(dst_buf, &dst_size,
768 src_buf + kLzmaHeaderSize, &compressed_size,
769 src_buf, LZMA_PROPS_SIZE);
770 if (result != SZ_OK || uncompressed_size != dst_size) {
771 return OTS_FAILURE();
772 }
773 return true;
774 }
775 // Unknown compression type
776 return OTS_FAILURE();
777 }
778
ReadShortDirectory(ots::Buffer * file,std::vector<Table> * tables,size_t num_tables)779 bool ReadShortDirectory(ots::Buffer* file, std::vector<Table>* tables,
780 size_t num_tables) {
781 uint32_t last_compression_type = 0;
782 for (size_t i = 0; i < num_tables; ++i) {
783 Table* table = &tables->at(i);
784 uint8_t flag_byte;
785 if (!file->ReadU8(&flag_byte)) {
786 return OTS_FAILURE();
787 }
788 uint32_t tag;
789 if ((flag_byte & 0x1f) == 0x1f) {
790 if (!file->ReadU32(&tag)) {
791 return OTS_FAILURE();
792 }
793 } else {
794 if ((flag_byte & 0x1f) >= arraysize(kKnownTags)) {
795 return OTS_FAILURE();
796 }
797 tag = kKnownTags[flag_byte & 0x1f];
798 }
799 uint32_t flags = flag_byte >> 6;
800 if (flags == kShortFlagsContinue) {
801 flags = last_compression_type | kWoff2FlagsContinueStream;
802 } else {
803 if (flags == kCompressionTypeNone ||
804 flags == kCompressionTypeGzip ||
805 flags == kCompressionTypeLzma) {
806 last_compression_type = flags;
807 } else {
808 return OTS_FAILURE();
809 }
810 }
811 if ((flag_byte & 0x20) != 0) {
812 flags |= kWoff2FlagsTransform;
813 }
814 uint32_t dst_length;
815 if (!ReadBase128(file, &dst_length)) {
816 return OTS_FAILURE();
817 }
818 uint32_t transform_length = dst_length;
819 if ((flags & kWoff2FlagsTransform) != 0) {
820 if (!ReadBase128(file, &transform_length)) {
821 return OTS_FAILURE();
822 }
823 }
824 uint32_t src_length = transform_length;
825 if ((flag_byte >> 6) == 1 || (flag_byte >> 6) == 2) {
826 if (!ReadBase128(file, &src_length)) {
827 return OTS_FAILURE();
828 }
829 } else if (static_cast<uint32_t>(flag_byte >> 6) == kShortFlagsContinue) {
830 // The compressed data for this table is in a previuos table, so we set
831 // the src_length to zero.
832 src_length = 0;
833 }
834 // Disallow huge numbers (> 1GB) for sanity.
835 if (src_length > 1024 * 1024 * 1024 ||
836 transform_length > 1024 * 1024 * 1024 ||
837 dst_length > 1024 * 1024 * 1024) {
838 return OTS_FAILURE();
839 }
840
841 table->tag = tag;
842 table->flags = flags;
843 table->src_length = src_length;
844 table->transform_length = transform_length;
845 table->dst_length = dst_length;
846 }
847 return true;
848 }
849
850 } // namespace
851
852 namespace ots {
853
ComputeWOFF2FinalSize(const uint8_t * data,size_t length)854 size_t ComputeWOFF2FinalSize(const uint8_t* data, size_t length) {
855 ots::Buffer file(data, length);
856 uint32_t total_length;
857
858 if (!file.Skip(16) ||
859 !file.ReadU32(&total_length)) {
860 return 0;
861 }
862 return total_length;
863 }
864
ConvertWOFF2ToTTF(uint8_t * result,size_t result_length,const uint8_t * data,size_t length)865 bool ConvertWOFF2ToTTF(uint8_t* result, size_t result_length,
866 const uint8_t* data, size_t length) {
867 static const uint32_t kWoff2Signature = 0x774f4632; // "wOF2"
868 ots::Buffer file(data, length);
869
870 uint32_t signature;
871 uint32_t flavor;
872 if (!file.ReadU32(&signature) || signature != kWoff2Signature ||
873 !file.ReadU32(&flavor)) {
874 return OTS_FAILURE();
875 }
876
877 if (!IsValidVersionTag(ntohl(flavor))) {
878 return OTS_FAILURE();
879 }
880
881 uint32_t reported_length;
882 if (!file.ReadU32(&reported_length) || length != reported_length) {
883 return OTS_FAILURE();
884 }
885 uint16_t num_tables;
886 if (!file.ReadU16(&num_tables) || !num_tables) {
887 return OTS_FAILURE();
888 }
889 // We don't care about these fields of the header:
890 // uint16_t reserved
891 // uint32_t total_sfnt_size
892 // uint16_t major_version, minor_version
893 // uint32_t meta_offset, meta_length, meta_orig_length
894 // uint32_t priv_offset, priv_length
895 if (!file.Skip(30)) {
896 return OTS_FAILURE();
897 }
898 std::vector<Table> tables(num_tables);
899 if (!ReadShortDirectory(&file, &tables, num_tables)) {
900 return OTS_FAILURE();
901 }
902 uint64_t src_offset = file.offset();
903 uint64_t dst_offset = kSfntHeaderSize +
904 kSfntEntrySize * static_cast<uint64_t>(num_tables);
905 uint64_t uncompressed_sum = 0;
906 for (uint16_t i = 0; i < num_tables; ++i) {
907 Table* table = &tables.at(i);
908 table->src_offset = src_offset;
909 src_offset += table->src_length;
910 if (src_offset > std::numeric_limits<uint32_t>::max()) {
911 return OTS_FAILURE();
912 }
913 src_offset = ots::Round4(src_offset);
914 table->dst_offset = dst_offset;
915 dst_offset += table->dst_length;
916 if (dst_offset > std::numeric_limits<uint32_t>::max()) {
917 return OTS_FAILURE();
918 }
919 dst_offset = ots::Round4(dst_offset);
920 if ((table->flags & kCompressionTypeMask) != kCompressionTypeNone) {
921 uncompressed_sum += table->src_length;
922 if (uncompressed_sum > std::numeric_limits<uint32_t>::max()) {
923 return OTS_FAILURE();
924 }
925 }
926 }
927 // Enforce same 30M limit on uncompressed tables as OTS
928 if (uncompressed_sum > 30 * 1024 * 1024) {
929 return OTS_FAILURE();
930 }
931 if (src_offset > length || dst_offset > result_length) {
932 return OTS_FAILURE();
933 }
934
935 const uint32_t sfnt_header_and_table_directory_size = 12 + 16 * num_tables;
936 if (sfnt_header_and_table_directory_size > result_length) {
937 return OTS_FAILURE();
938 }
939
940 // Start building the font
941 size_t offset = 0;
942 offset = StoreU32(result, offset, flavor);
943 offset = Store16(result, offset, num_tables);
944 unsigned max_pow2 = 0;
945 while (1u << (max_pow2 + 1) <= num_tables) {
946 max_pow2++;
947 }
948 const uint16_t output_search_range = (1u << max_pow2) << 4;
949 offset = Store16(result, offset, output_search_range);
950 offset = Store16(result, offset, max_pow2);
951 offset = Store16(result, offset, (num_tables << 4) - output_search_range);
952 for (uint16_t i = 0; i < num_tables; ++i) {
953 const Table* table = &tables.at(i);
954 offset = StoreU32(result, offset, table->tag);
955 offset = StoreU32(result, offset, 0); // checksum, to fill in later
956 offset = StoreU32(result, offset, table->dst_offset);
957 offset = StoreU32(result, offset, table->dst_length);
958 }
959 std::vector<uint8_t> uncompressed_buf;
960 bool continue_valid = false;
961 const uint8_t* transform_buf = NULL;
962 for (uint16_t i = 0; i < num_tables; ++i) {
963 const Table* table = &tables.at(i);
964 uint32_t flags = table->flags;
965 const uint8_t* src_buf = data + table->src_offset;
966 uint32_t compression_type = flags & kCompressionTypeMask;
967 size_t transform_length = table->transform_length;
968 if ((flags & kWoff2FlagsContinueStream) != 0) {
969 if (!continue_valid) {
970 return OTS_FAILURE();
971 }
972 } else if (compression_type == kCompressionTypeNone) {
973 if (transform_length != table->src_length) {
974 return OTS_FAILURE();
975 }
976 transform_buf = src_buf;
977 continue_valid = false;
978 } else if ((flags & kWoff2FlagsContinueStream) == 0) {
979 uint64_t total_size = transform_length;
980 for (uint16_t j = i + 1; j < num_tables; ++j) {
981 if ((tables.at(j).flags & kWoff2FlagsContinueStream) == 0) {
982 break;
983 }
984 total_size += tables.at(j).transform_length;
985 if (total_size > std::numeric_limits<uint32_t>::max()) {
986 return OTS_FAILURE();
987 }
988 }
989 // Enforce same 30M limit on uncompressed tables as OTS
990 if (total_size > 30 * 1024 * 1024) {
991 return OTS_FAILURE();
992 }
993 uncompressed_buf.resize(total_size);
994 if (!Woff2Uncompress(&uncompressed_buf[0], total_size,
995 src_buf, table->src_length, compression_type)) {
996 return OTS_FAILURE();
997 }
998 transform_buf = &uncompressed_buf[0];
999 continue_valid = true;
1000 } else {
1001 return OTS_FAILURE();
1002 }
1003
1004 if ((flags & kWoff2FlagsTransform) == 0) {
1005 if (transform_length != table->dst_length) {
1006 return OTS_FAILURE();
1007 }
1008 if (static_cast<uint64_t>(table->dst_offset) + transform_length >
1009 result_length) {
1010 return OTS_FAILURE();
1011 }
1012 std::memcpy(result + table->dst_offset, transform_buf,
1013 transform_length);
1014 } else {
1015 if (!ReconstructTransformed(tables, table->tag,
1016 transform_buf, transform_length, result, result_length)) {
1017 return OTS_FAILURE();
1018 }
1019 }
1020 if (continue_valid) {
1021 transform_buf += transform_length;
1022 if (transform_buf > &uncompressed_buf[0] + uncompressed_buf.size()) {
1023 return OTS_FAILURE();
1024 }
1025 }
1026 }
1027
1028 return FixChecksums(tables, result);
1029 }
1030
1031 } // namespace ots
1032