Re: [ft] crash loading font
From: Werner LEMBERG
Subject: Re: [ft] crash loading font
Date: Fri, 05 Aug 2005 21:03:24 +0200 (CEST)

> We have 3 fonts that cause an illegal access violation in
> "t1_builder_close_contour" ("Adobe Jenson MM Italic Expert", "Kepler
> MM Expert", and "Kepler MM Ornaments 1"). [...]
>
> Has anyone seen this problem or have any idea what the issue is here?

This is a *very* deep issue. These Multiple Master fonts also fail
with fontforge, BTW. [David, George, I've just sent you the smallest
of them privately.] They reveal (at least) two serious bugs in
FreeType's Type 1 parser.

Bug 1:

The fonts contain this snippet (disassembled with t1disasm) somewhere
after the private dictionary:

  /@DInit {
    &thisfontdict /Private get /Subrs get exch get
    /cs exch def
    /ra rcs 256 idiv def
    /rb rcs 256 mod def
    /_i 0 def
    &thisfontdict /Private get /lenIV known
    {&thisfontdict /Private get /lenIV get
    dup 0 lt { pop /@decryptproc {} store 0 } if
    }
    {4} ifelse
    { @Read pop } repeat
  } bind def

I have no idea why this code is in the fonts and what it does --
anyway, it tests the `/lenIV' token, and this causes FreeType to
behave incorrectly. As soon as FreeType sees `/lenIV' it tries to get
a value for it. The assumption is that it looks like

  /lenIV <value> def

It finds `known' (and `get') which can't be parsed, so it returns
zero. But this is wrong, since the default value for /lenIV is four,
and /lenIV isn't set in those fonts!

Bug 2:

Due to the incorrect lenIV value the charstring data is crap which
makes FreeType crash. This bug I've fixed right now.

Werner
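
The following is an added example, not part of the original message and not FreeType's code: a minimal C sketch of the keyword handling described under Bug 1, beside a stricter form that only accepts `/lenIV <integer> def` and otherwise keeps the default of four. The function names and the sample string (constructed from the two `/lenIV` lines of the quoted snippet) are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define LENIV_DEFAULT 4  /* default for /lenIV, as stated in the message */

/* Constructed sample: the /lenIV references from the quoted @DInit code. */
static const char sample_font[] =
    "&thisfontdict /Private get /lenIV known\n"
    "{&thisfontdict /Private get /lenIV get\n"
    "dup 0 lt { pop /@decryptproc {} store 0 } if }\n"
    "{4} ifelse\n";

/* Skip whitespace and return the start of the next token. */
static const char *skip_ws(const char *p) {
    while (*p && isspace((unsigned char)*p)) p++;
    return p;
}

/* Naive form of the behaviour described above: the first "/lenIV" is taken
   to be an assignment, and an unparsable value silently becomes 0. */
long leniv_naive(const char *src) {
    const char *p = strstr(src, "/lenIV");
    if (!p) return LENIV_DEFAULT;
    return strtol(p + 6, NULL, 10);   /* "known" parses as 0 */
}

/* Stricter form: accept only "/lenIV <integer> def"; any other use of the
   name (a test such as "/lenIV known") leaves the default untouched. */
long leniv_strict(const char *src) {
    long value = LENIV_DEFAULT;
    const char *p = src;
    while ((p = strstr(p, "/lenIV")) != NULL) {
        p += 6;
        if (*p && !isspace((unsigned char)*p)) continue; /* longer name */
        const char *num = skip_ws(p);
        char *end;
        long v = strtol(num, &end, 10);
        if (end == num) continue;                 /* no integer follows */
        const char *kw = skip_ws(end);
        if (strncmp(kw, "def", 3) == 0 &&
            (kw[3] == '\0' || isspace((unsigned char)kw[3])))
            value = v;
    }
    return value;
}
```
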