[tx] Fix issue 354: array overrun when writing a CFF2 charstring with lots of hints to CFF2. (#467)

t2cCtx *h->stack.blendArgs was sized as 6 elements. The max number of operands in a T2 charstring (other than for the blend op) is actually 96, aka T2_Max_STEMS.

In writing test for issue 354, discovered that tx was writing the CFF2 var store incorrectly when writing a CFF2: it was adding the var store offset twice during offset calculations.
readroberts authored and miguelsousa committed Jul 12, 2018
1 parent 5498790 commit 55190d3
Showing 8 changed files with 363 additions and 35 deletions.
309 changes: 309 additions & 0 deletions Tests/tx_data/expected_output/cff2_vf.dcf.txt
@@ -0,0 +1,309 @@
### Header (00000000-00000004)
major =2
minor =0
hdrSize=5
offSize=0
### Top DICT Data (00000005-0000000d)
[0]={
58 CharStrings
18 VarStore
1336 FDArray
}
### VarStore (00000012-00000039)
length =38
format = 1
regionListOffset = 0000000c
subtableCount = 1
--- subtableOffsets[index]={offset}
[0]={0000001c}
--- RegionList
axisCount = 1
regionCount = 2
--- RegionCoords[region,axis]={start,peak,end}
[0,0]={3,3,0}
[1,0]={0,1,1}
--- VarStoreSubtable[0]
itemCount = 0
shortDeltaCount = 0
regionIndexCount = 2
--- RegionIndex[region]={index}
[0]={0}
[1]={1}
--- DeltaValue[item,region]={delta}

### FDArray INDEX (00000538-00000544)
--- object[index]={value}
[0]={
119 1349 Private
}
### CharStrings INDEX (0000003a-00000537)
--- object[index]={value}
[0]={
0 50 570 50 -28 10 63 -38 -28 10 3 blend
hstem
80 60 360 60 -35 20 70 -40 -35 20 3 blend
vstem
80 hmoveto
60 -35 20 1 blend
hlineto
420 670 35 -20 7 -18 2 blend
rlineto
-60 35 -20 1 blend
hlineto
-420 -670 -35 20 -7 18 2 blend
rlineto
480 hmoveto
-420 670 -35 20 7 -18 2 blend
rlineto
-60 35 -20 1 blend
hlineto
420 -670 35 -20 -7 18 2 blend
rlineto
60 -35 20 1 blend
hlineto
-420 50 -35 10 -28 10 2 blend
rmoveto
570 360 -570 -360 63 -38 70 -20 -63 38 -70 20 4 blend
vlineto
-60 -50 35 -10 28 -10 2 blend
rmoveto
480 670 7 -18 1 blend
-480 -670 -7 18 1 blend
hlineto
}
[1]={
0 55 164 46 410 -29 19 57 -58 -26 17 7 -1 4 blend
-20 hstemhm
5 230 -230 648 7 5 -32 -20 32 20 -9 7 4 blend
hintmask[E8]
5 7 5 1 blend
hmoveto
hintmask[F0]
230 40 -32 -20 -20 19 2 blend
hlineto
-110 15 13 21 -9 0 2 blend
rlineto
-20 6 3 1 blend
hlineto
-100 -15 13 -4 9 0 2 blend
rlineto
-40 20 -19 1 blend
vlineto
66 7 -11 1 blend
hmoveto
47 -18 17 1 blend
hlineto
204 599 -23 0 201 -599 7 -18 68 -16 6 -20 -10 -70 15 -42 -58 86 6 blend
rlineto
93 -61 108 1 blend
hlineto
-230 675 1 7 9 -23 2 blend
rlineto
-60 40 -60 1 blend
hlineto
-232 -675 10 8 -9 23 2 blend
rlineto
99 219 -11 4 28 -39 2 blend
rmoveto
302 -7 10 1 blend
hlineto
-16 46 8 -9 -26 17 2 blend
rlineto
-270 -8 0 1 blend
hlineto
-16 -46 7 -1 26 -17 2 blend
rlineto
213 -219 17 -39 -28 39 2 blend
rmoveto
270 40 -22 53 -20 16 2 blend
hlineto
-124 15 10 -6 -9 0 2 blend
rlineto
-20 6 -65 1 blend
hlineto
-126 -15 6 18 9 0 2 blend
rlineto
-40 20 -16 1 blend
vlineto
}
[2]={
0 55 437 178 -50 50 5 20 5 20 5 20 5 20 5 20 5 20 5 20 5 20 5 20 5 20 5 20 5 20 5 20 5 20 -28 19 50 -48 -15 11 28 -9 -28 9 -7 18 -1 1 1 -1 -1 1 1 -1 -1 1 1 -1 -1 1 1 -1 -1 1 1 -1 -1 1 1 -1 -1 1 1 -1 -1 1 1 -1 -1 1 1 -1 -1 1 1 -1 -1 1 1 -1 -1 1 1 -1 -1 1 1 -1 -1 1 33 blend
hstemhm
24 52 180 90 180 52 1 -3 -33 41 58 -70 -60 108 58 -69 -33 40.5 6 blend
cntrmask[000070]
hintmask[BFFFF0]
291 55 -1 4 -28 19 2 blend
rmoveto
-140 -15 13 -11 8 0 2 blend
rlineto
-40 300 40 20 -19 -32 59 -20 19 3 blend
vlineto
-140 15 13 -15 -8 0 2 blend
rlineto
-20 6 -33 1 blend
hlineto
-35 255 27 -36 28 -19 2 blend
rmoveto
-105 1 0 1 blend
0 -104 -3 -101 1 0 -1 0 2 blend
vhcurveto
96 -62 108 1 blend
hlineto
-3 103 1 0 -1 0 2 blend
0 104 103 1 1 1 blend
vvcurveto
50 7 -19 1 blend
vlineto
105 -1 0 1 blend
0 104 3 101 -1 0 1 0 2 blend
vhcurveto
-96 62 -108 1 blend
hlineto
3 -103 -1 0 1 0 2 blend
0 -104 -103 -1 0 1 blend
vvcurveto
-50 -7 18 1 blend
vlineto
283 310 -20 84 35 -27 2 blend
rmoveto
-45 50 31 -37 -28 9 2 blend
rlineto
hintmask[C00070]
32 -178 -13 -8 15 -11 2 blend
rlineto
56 -32 37 1 blend
hlineto
hintmask[A00070]
-8 178 -2 7 -15 11 2 blend
rlineto
-546 12 -57 1 blend
hlineto
hintmask[C00070]
-8 -178 -2 6 15 -11 2 blend
rlineto
56 -32 38 1 blend
hlineto
hintmask[A00070]
32 178 -45 -50 -13 -8 -15 11 31 -38 28 -9 4 blend
rlineto
476 20 60 1 blend
hlineto
}
[3]={
0 55 364 55 -35 35 -29 11 54 -14 -29 16 15 -16 -15 16 5 blend
hstemhm
45 117 -47 36 -36 47 -47 116 316 77 -77 150 -120 47 0 -22 -3 1 25 -13 -25 8 25 -8 -25 13 25 -13 -2 -6 0 -20 -51 105 51 -105 -33 79 17 -22 -35 48 14 blend
hintmask[C500]
329 40 26 -45 3 -5 2 blend
rmoveto
49 -27 21 1 blend
hlineto
190 434 11 -18 -7 18 2 blend
rlineto
-43 21 -17 1 blend
hlineto
-168 -385 -24 56 -25 90 2 blend
rlineto
30 -20 11 1 blend
hlineto
-171 385 -30 54 25 -90 2 blend
rlineto
-79 51 -99 1 blend
hlineto
192 -434 18 -8 7 -18 2 blend
rlineto
218 -40 -9 -15 -3 5 2 blend
rmoveto
80 -48 105 1 blend
hlineto
-2 45 -1 101 64 2 2 -2 -2 2 blend
vvcurveto
54 -4 13 1 blend
vlineto
64 -2 -2 1 blend
1 101 2 2 1 blend
2 45 vhcurveto
-75 49 -95 1 blend
hlineto
-5 -264 2 -10 4 -11 2 blend
rlineto
hintmask[9000]
0 -210 -3 0 0 -2 2 blend
rlineto
-502 -17 38 1 blend
hmoveto
hintmask[8200]
186 35 20 -18 -15 16 2 blend
hlineto
-80 20 -18 9 -14 -5 2 blend
rlineto
hintmask[9080]
-20 10 1 1 blend
hlineto
-86 -20 -12 8 14 5 2 blend
rlineto
-35 15 -16 1 blend
vlineto
426 6 -17 1 blend
hmoveto
226 35 -20 58 -15 16 2 blend
hlineto
-100 20 2 6 -14 0 2 blend
rlineto
-20 10 -76 1 blend
hlineto
-106 -20 8 12 14 0 2 blend
rlineto
hintmask[C400]
-35 15 -16 1 blend
vlineto
-356 16 5 1 blend
hmoveto
47 210 -25 13 0 1 2 blend
hlineto
-10 264 4 -5 -4 12 2 blend
rlineto
-37 21 -8 1 blend
hlineto
hintmask[3000]
-474 4 -13 1 blend
vlineto
-70 439 -22 17 11 -3 2 blend
rmoveto
hintmask[4800]
86 -20 12 7 14 0 2 blend
rlineto
20 55 -15 -16 -29 16 2 blend
hlineto
hintmask[5040]
-106 -35 3 9 15 -16 2 blend
hlineto
532 -20 4 14 14 0 2 blend
rmoveto
hintmask[4080]
20 -15 28 1 blend
hlineto
hintmask[2080]
100 20 -2 -6 -14 0 2 blend
rlineto
hintmask[4080]
35 -15 16 1 blend
vlineto
}
### Private DICT (00000545-000005bb)
-15 15 474 13 40 13 10 13 84 13 10 15 45 20 2 -5 -2 5 -4 13 0 3 11 -28 0 3 -1 -5 0 3 1 -12 0 3 0 2 -2 5 3 -6 0 0 14 blend
BlueValues
-250 10 -5 18 0 0 2 blend
OtherBlues
-15 15 475 13 39 13 9 14 83 13 10 15 45 20 FamilyBlues
-249 10 FamilyOtherBlues
.0375 BlueScale
0 BlueFuzz
55 -29 19 1 blend
StdHW
80 -52 110 1 blend
StdVW
40 15 -20 20 -9 -1 2 blend
StemSnapH
80 10 -52 110 -6 0 2 blend
StemSnapV
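Review bot: The RegionList in this golden file records `[0,0]={3,3,0}`, a region whose start is greater than its end and whose values fall outside the -1..1 range of normalized axis coordinates, so the expected output may be locking in a decoding problem on the dump side. Region coordinates are stored as F2Dot14, and one possible cause is a negative value being printed as unsigned; please confirm what the font actually holds for region 0 before committing the fixture, otherwise the test passes only while that output persists. The offsets do look consistent with the var store fix described in the commit message: Top DICT `18 VarStore` matches the section start at 00000012, and `58 CharStrings` and `1336 FDArray` match 0000003a and 00000538.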
58 changes: 34 additions & 24 deletions Tests/tx_data/expected_output/cff2_vf.pfa

Binary file modified Tests/tx_data/input/cff2_vf.otf
Binary file not shown.
10 changes: 10 additions & 0 deletions Tests/tx_test.py
Expand Up @@ -196,3 +196,13 @@ def test_long_charstring_bug444():
actual_path = runner(CMD + ['-o', '0', '-f', 'CJK-VarTest.otf'])
expected_path = _get_expected_path('CJK-VarTest.txt')
assert differ([expected_path, actual_path, '-s', '## Filename'])


def test_many_hints_string_bug354():
# The glyph T@gid002 has 33 hstem hints. This tests a bug where
# tx defined an array of only 6 operants.
# This is encountered only when wrinting to a VF CFF2.
cff2_path = runner(CMD + ['-o', 'cff2', '-f', 'cff2_vf.otf'])
dcf_txt_path = runner(CMD + ['-a', '-f', cff2_path, '-o', 'dcf'])
expected_path = _get_expected_path('cff2_vf.dcf.txt')
assert differ([expected_path, dcf_txt_path])
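Review bot: The new test exercises a single size only, the 33 blended operands of glyph [2] in the expected dump (`33 blend` before `hstemhm`), which is above the old 6-element array but well below the limit of 96 named in the commit message. A fixture with 96 operands and one with more than 96 would show that the writer enforces its bound rather than having only moved it. The comment also needs a correction: `33 blend` counts blended operands rather than hints, and "operants" and "wrinting" are typos for "operands" and "writing".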