
graphite's Introduction

Graphite engine

Project CI status

OS        Intel 64 bit    Intel 32 bit    Arm 32 bit
Linux     Build Status    Build Status    Build Status
Windows   Build Status    Build Status

What is Graphite?

Graphite is a system that can be used to create “smart fonts” capable of displaying writing systems with various complex behaviors. A smart font contains not only letter shapes but also additional instructions indicating how to combine and position the letters in complex ways.

Graphite was primarily developed to provide the flexibility needed for minority languages which often need to be written according to slightly different rules than well-known languages that use the same script.

Examples of complex script behaviors Graphite can handle include:

  • contextual shaping
  • ligatures
  • reordering
  • split glyphs
  • bidirectionality
  • stacking diacritics
  • complex positioning
  • shape aware kerning
  • automatic diacritic collision avoidance

See examples of scripts with complex rendering.

Graphite system overview

The Graphite system consists of:

  • A rule-based programming language, the Graphite Description Language (GDL), that can be used to describe the behavior of a writing system
  • A compiler for that language
  • A rendering engine that can serve as the layout component of a text-processing application

Graphite renders TrueType fonts that have been extended by means of compiling a GDL program.

Further technical information is available on the Graphite technical overview page.

graphite's People

Contributors

annie-o, bgermann, glandium, jfkthame, jvgaultney, khorben, mhosken, mirabilos, n7s, sharoncorrell, simoncozens, tim-eves


graphite's Issues

Positioning a non-base should position the whole cluster

Current Segment::positionSlots() only positions slots that are bases. Thus if a rule doesn't cover any bases, then none of the slots get positioned. Instead positionSlots should track the first and last glyphs back to the cluster bases.

padauk3Output test failure

When using CMake on Windows with cl compiler from Visual Studio 2022, the padauk3Output test fails.

Indeed, comparing tests/padauk3.log and standards/padauk3Windows.log, we can spot this difference (using diff provided with "git for windows" distribution):

$ diff C:/Users/jddfr/git/graphite-build/tests/padauk3.log C:/Users/jddfr/git/graphite/tests/standards/padauk3Windows.log
10c10
< 04   212  -1@0,0        20.2     0.0   0 -30    7   7    102f    102f
---
> 04   212  -1@0,0        20.3     0.0   0 -30    7   7    102f    102f

Graphite fails to build on Darwin with M1 processor

Hello!

I was unable to install Graphite on an ARM-based Mac, with the following error:

     137    cd /private/var/folders/q2/1vrny6hx1j3f4z0745zjrqwc0000gp/T/choward36/spack-stage/spack-stag
            e-graphite2-1.3.13-7uo4coik2xuzwerltu6ndvnauzncc7gv/spack-build-7uo4coi/tests/json && /Users
            /choward36/git/spack/lib/spack/env/clang/clang++  -I/var/folders/q2/1vrny6hx1j3f4z0745zjrqwc
            0000gp/T/choward36/spack-stage/spack-stage-graphite2-1.3.13-7uo4coik2xuzwerltu6ndvnauzncc7gv
            /spack-src/include -I/var/folders/q2/1vrny6hx1j3f4z0745zjrqwc0000gp/T/choward36/spack-stage/
            spack-stage-graphite2-1.3.13-7uo4coik2xuzwerltu6ndvnauzncc7gv/spack-src/src -O2 -g -DNDEBUG
            -arch arm64 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/D
            eveloper/SDKs/MacOSX.sdk -std=gnu++11 -MD -MT tests/json/CMakeFiles/jsontest.dir/jsontest.cp
            p.o -MF CMakeFiles/jsontest.dir/jsontest.cpp.o.d -o CMakeFiles/jsontest.dir/jsontest.cpp.o -
            c /var/folders/q2/1vrny6hx1j3f4z0745zjrqwc0000gp/T/choward36/spack-stage/spack-stage-graphit
            e2-1.3.13-7uo4coik2xuzwerltu6ndvnauzncc7gv/spack-src/tests/json/jsontest.cpp
     138    clang: warning: argument unused during compilation: '-msse2' [-Wunused-command-line-argument
            ]
     139    clang: warning: argument unused during compilation: '-msse2' [-Wunused-command-line-argument
            ]
  >> 140    error: unknown FP unit 'sse'
  >> 141    make[2]: *** [src/CMakeFiles/graphite2.dir/direct_machine.cpp.o] Error 1

This is because the aarch64 architecture does not understand SSE extensions. The following patch fixes the problem:

--- a/src/CMakeLists.txt        2018-12-20 01:28:50.000000000 -0500
+++ b/src/CMakeLists.txt        2021-12-10 15:08:59.000000000 -0500
@@ -136,9 +136,12 @@

 if  (${CMAKE_SYSTEM_NAME} STREQUAL "Darwin")
     set_target_properties(graphite2 PROPERTIES
-        COMPILE_FLAGS   "-Wall -Wextra -Wno-unknown-pragmas -Wimplicit-fallthrough -Wendif-labels -Wshadow -Wno-ctor-dtor-privacy -Wno-non-virtual-dtor -fno-rtti -fno-exceptions -fvisibility=hidden -fvisibility-inlines-hidden -mfpmath=sse -msse2"
+        COMPILE_FLAGS   "-Wall -Wextra -Wno-unknown-pragmas -Wimplicit-fallthrough -Wendif-labels -Wshadow -Wno-ctor-dtor-privacy -Wno-non-virtual-dtor -fno-rtti -fno-exceptions -fvisibility=hidden -fvisibility-inlines-hidden"
         LINK_FLAGS      "-nodefaultlibs"
         LINKER_LANGUAGE C)
+    if (${CMAKE_SYSTEM_PROCESSOR} MATCHES "x86|i.86")
+        add_definitions(-mfpmath=sse -msse2)
+    endif()
     target_link_libraries(graphite2 c)
     include(Graphite)
     nolib_test(stdc++ $<TARGET_SONAME_FILE:graphite2>)
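Review bot: the added `add_definitions(-mfpmath=sse -msse2)` block applies at directory scope, so every target configured in src/ picks up the two flags, not only `graphite2`, whose `COMPILE_FLAGS` line they were removed from; `target_compile_options(graphite2 PRIVATE -mfpmath=sse -msse2)` inside the same `if (${CMAKE_SYSTEM_PROCESSOR} MATCHES "x86|i.86")` guard keeps the original scope, and `add_definitions` is meant for `-D` macros in any case. The commit message should also record that the hard failure in the log above is `-mfpmath=sse` (`error: unknown FP unit 'sse'`) while `-msse2` only draws an unused-argument warning, so both flags have to stay behind the guard.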

Let Graphite font variable

Several months ago, OpenType introduced Font Variation technology, but it cannot be recognized by the Graphite engine; to fix it, introducing Graphite-based font variation would be useful.

Kerning non-interacting glyphs faulty

Consider the case of two adjacent glyphs that need to be kerned. But if one of the glyphs is entirely above the other, by how much should they kern?

Currently, in effect, the glyph is ignored and searching continues with later glyphs. This is fine if there are later glyphs, but if there are not, then no kerning happens.

The proposed solution is to have a default kerning such that the bounding boxes are moved to have the margin between them.

Where are the download instructions!? (Not working on latest updated Windows 10)

There is no documentation anywhere on how to correctly compile this package!! I did see somewhere that cmake is needed, but that did not work. Instead Microsoft Visual Studio 2008 is used, but I don't understand the instructions.

I tried to extract the original graphite compiler but it is not working either and continues to give me an error where a dll file can not be found ...and with no other proper installation instructions it brings me here to ask for assistance.

pkg-config --modversion graphite2 returns bogus version

Trying to check the graphite2 version via pkg-config returns the ABI(?) version rather than the project version. This makes it impossible to require a version with a particular vulnerability fixed without having to compile-check against the GR2_VERSION_* macros.

$ pkg info -x graphite
graphite2-1.3.8

$ pkg-config --modversion graphite2
3.0.1
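A workaround for the mismatch above, as an added example that is not part of the issue or of graphite2: read the project version from the `GR2_VERSION_*` macros in the installed header instead of trusting `pkg-config --modversion`, and compare it against the minimum release that carries a given fix. The header text below is constructed, and the exact macro names `GR2_VERSION_MAJOR`, `GR2_VERSION_MINOR` and `GR2_VERSION_BUGFIX` are assumed (the issue only names the `GR2_VERSION_*` family); `main` takes the path of the real `graphite2/Font.h` to check an installation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the version lines of graphite2/Font.h. The exact macro names are
 * assumed; the issue only says GR2_VERSION_*. */
static const char SAMPLE_HEADER[] =
    "#define GR2_VERSION_MAJOR   1\n"
    "#define GR2_VERSION_MINOR   3\n"
    "#define GR2_VERSION_BUGFIX  8\n";

/* Find "#define <name> <integer>" in header text. Returns 0 and stores the value, or -1. */
static int find_define(const char *text, const char *name, int *value) {
    size_t n = strlen(name);
    for (const char *p = strstr(text, name); p; p = strstr(p + n, name)) {
        const char *q = p + n;
        int at_token_start = (p == text) || p[-1] == ' ' || p[-1] == '\t';
        if (!at_token_start || (*q != ' ' && *q != '\t')) continue;   /* not the whole token */
        char *end;
        long v = strtol(q, &end, 10);
        if (end != q) { *value = (int)v; return 0; }
    }
    return -1;
}

/* Project version packed as major*10000 + minor*100 + bugfix, or -1 if any macro is missing. */
long gr2_version_key_from_header(const char *text) {
    int maj, min, fix;
    if (find_define(text, "GR2_VERSION_MAJOR", &maj) != 0 ||
        find_define(text, "GR2_VERSION_MINOR", &min) != 0 ||
        find_define(text, "GR2_VERSION_BUGFIX", &fix) != 0)
        return -1;
    return (long)maj * 10000 + (long)min * 100 + fix;
}

/* Same packing for a required minimum, so the two keys compare directly. */
long version_key(int maj, int min, int fix) {
    return (long)maj * 10000 + (long)min * 100 + fix;
}

/* Usage: prog /usr/include/graphite2/Font.h MAJOR MINOR BUGFIX
 * Exit status 0 when the installed header is at least the given version, 1 when too old. */
int main(int argc, char **argv) {
    if (argc != 5) { fprintf(stderr, "usage: %s Font.h major minor bugfix\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    static char text[1 << 16];
    size_t got = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[got] = '\0';
    long have = gr2_version_key_from_header(text);
    long want = version_key(atoi(argv[2]), atoi(argv[3]), atoi(argv[4]));
    if (have < 0) { fprintf(stderr, "GR2_VERSION_* not found in %s\n", argv[1]); return 2; }
    printf("installed %ld, required %ld: %s\n", have, want, have >= want ? "ok" : "too old");
    return have >= want ? 0 : 1;
}
```

The packed key is what a packaging script or a CI gate can compare; the `3.0.1` that pkg-config prints above is the shared-library ABI version and says nothing about which project release, and therefore which fixes, is installed.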

Building a static library on Windows

I'm trying to build a static library on Windows (using MSVC). Given that I'm not that familiar with cmake and building on Windows, I'm a bit lost in the dark. But perhaps you can help me shed some light on the problem.

First, here's what I run:

$ mkdir build
$ cd build
$ cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF ..
$ cmake --build . --config Release

With this, I get a number of errors:

CustomBuild:
  Error copying file (if different) from "C:/Users/travis/build/spl/graphite/build/src/Release/graphite2.dll" to "C:/Users/travis/build/spl/graphite/build/tests/bittwiddling/Release".
C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\Common7\IDE\VC\VCTargets\Microsoft.CppCommon.targets(209,5): error MSB6006: "cmd.exe" exited with code 1. 
...
Link:
  C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\VC\Tools\MSVC\14.16.27023\bin\HostX86\x86\link.exe /ERRORREPORT:QUEUE /OUT:"C:\Users\travis\build\spl\graphite\build\tests\examples\Release\clusters.exe" /INCREMENTAL:NO /NOLOGO ..\..\src\Release\graphite2.lib kernel32.lib user32.lib gdi32.lib winspool.lib shell32.lib ole32.lib oleaut32.lib uuid.lib comdlg32.lib advapi32.lib /MANIFEST /MANIFESTUAC:"level='asInvoker' uiAccess='false'" /manifest:embed /PDB:"C:/Users/travis/build/spl/graphite/build/tests/examples/Release/clusters.pdb" /SUBSYSTEM:CONSOLE /TLBID:1 /DYNAMICBASE /NXCOMPAT /IMPLIB:"C:/Users/travis/build/spl/graphite/build/tests/examples/Release/clusters.lib" /MACHINE:X86 /SAFESEH  /machine:X86 clusters.dir\Release\cluster.obj
cluster.obj : error LNK2019: unresolved external symbol __imp__gr_face_destroy referenced in function _main [C:\Users\travis\build\spl\graphite\build\tests\examples\clusters.vcxproj]
cluster.obj : error LNK2019: unresolved external symbol __imp__gr_make_file_face referenced in function _main
...

Now, if I make the following change (inspired by microsoft/vcpkg#3102 and the fix-static-build.patch):

diff --git a/CMakeLists.txt b/CMakeLists.txt
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -82,11 +82,13 @@ if (BUILD_SHARED_LIBS)
 endif()
 
 add_subdirectory(src)
+if (FALSE)
 add_subdirectory(tests)
 add_subdirectory(doc)
 if (NOT GRAPHITE2_NFILEFACE)
     add_subdirectory(gr2fonttest)
 endif()
+endif()
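Review bot: the `if (FALSE)` ... `endif()` wrapper drops tests, doc and gr2fonttest from every configuration, including shared builds, so it is a local workaround rather than a fix; at minimum gate it on the existing `BUILD_SHARED_LIBS` option visible in the hunk header (`if (BUILD_SHARED_LIBS)`). The better fix is in the test tree itself: the link errors above (`__imp__gr_face_destroy`, `__imp__gr_make_file_face`) show the test objects were compiled expecting DLL-imported symbols, and the custom build step tries to copy a `graphite2.dll` that a static build never produces, so both the import declaration and the copy step need to be conditional on `BUILD_SHARED_LIBS` instead of the tests being disabled.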

the build is successful.

Is that the right change to make? If so, can CMakeLists.txt be updated with flags to support this? If not, what should I be doing differently or what can be done to support a static build on Windows?

Question: licensing

I maintain a fork of Mozilla code, released under the MPL v2. This will include the Graphite 2 library. Since your main licensing is LGPL but you also permit licensing under the MPL (but no version is supplied), would you prefer I include a specific license block with the contents of COPYING in it in the browser, or would it be OK to publish as-is under the MPL v2 without a prominent notification in the licensing page?

fix to build with Intel compiler

Currently, graphite2 does not build with the Intel compiler due to the REGPARM definition. The following patch will get it to build.

index b23819f..0f75ae8 100644
--- a/src/inc/Machine.h
+++ b/src/inc/Machine.h
@@ -46,7 +46,7 @@ of the License or (at your option) any later version.
 #endif
 #else
 #define     HOT             __attribute__((hot))
-#if defined(__x86_64)
+#if defined(__x86_64) && !defined(__INTEL_COMPILER)
 #define     REGPARM(n)      __attribute__((hot, regparm(n)))
 #else
 #define     REGPARM(n)
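Review bot: the `!defined(__INTEL_COMPILER)` added to the `#if defined(__x86_64)` line sends ICC to the `#else` branch, where `REGPARM(n)` expands to nothing, so the change also drops the `hot` attribute that the x86_64 branch carries; if `regparm(n)` is the only thing ICC rejects, an ICC-specific branch defining `REGPARM(n)` as `__attribute__((hot))` keeps that. The description says the build fails "due to the REGPARM definition" but not which diagnostic ICC emits; quoting it in the commit message would make the guard reviewable later.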

document that #include must use forward /

In trying to get graide and smith to play well together on Windows, we've discovered something important -- but undocumented -- about the pre-processor used within grcompiler: if you have pathnames in #include statements, they must use / for a path separator. For example:

#include "../source/master.gdl"

works but

#include "..\source\master.gdl"

doesn't. (At least it doesn't in this regard: if master.gdl has further includes, e.g., #include "features.gdl", the preprocessor won't find the file because it hasn't figured out there was a directory change. I think this is what is going on).

At any rate, the GDL documentation should say to use '/' for path separators in #include statements.
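The directory-tracking failure this issue describes, as an added example that is neither grcompiler's preprocessor nor any code from the project: a small include resolver that normalizes `\` to `/` before taking the including file's directory, next to the as-is behaviour in which a backslash spec has no visible directory part, so a nested `#include "features.gdl"` is looked up in the wrong place. The paths and the `project/build`, `project/source` layout are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PATH_MAX_DEMO 512

/* Lexically collapse "." and ".." in a '/'-separated path, in place. The result is never longer
 * than the input. A leading ".." on a relative path is kept; on an absolute path it is dropped. */
static int normalize_path(char *path) {
    char tmp[PATH_MAX_DEMO];
    const char *seg[64];
    size_t seglen[64];
    int n = 0;
    size_t len = strlen(path);
    if (len >= sizeof tmp) return -1;
    memcpy(tmp, path, len + 1);
    int absolute = (tmp[0] == '/');
    for (const char *p = tmp; *p; ) {
        while (*p == '/') p++;
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t sl = (size_t)(p - start);
        if (sl == 1 && start[0] == '.') continue;
        if (sl == 2 && start[0] == '.' && start[1] == '.') {
            int prev_is_dotdot = n > 0 && seglen[n - 1] == 2 && seg[n - 1][0] == '.' && seg[n - 1][1] == '.';
            if (n > 0 && !prev_is_dotdot) { n--; continue; }
            if (absolute) continue;
        }
        if (n >= 64) return -1;
        seg[n] = start; seglen[n] = sl; n++;
    }
    size_t pos = 0;
    if (absolute) path[pos++] = '/';
    for (int i = 0; i < n; i++) {
        if (i) path[pos++] = '/';
        memcpy(path + pos, seg[i], seglen[i]);
        pos += seglen[i];
    }
    path[pos] = '\0';
    return 0;
}

/* Resolve the path written in an #include against the directory of the including file.
 * With fix_backslashes set, '\' is treated as a separator first; with it clear the function
 * reproduces the behaviour the issue describes (directory detection keyed on '/' only). */
int resolve_include(const char *including, const char *spec, int fix_backslashes, char *out, size_t outsz) {
    char inc[PATH_MAX_DEMO], s[PATH_MAX_DEMO];
    if (strlen(including) >= sizeof inc || strlen(spec) >= sizeof s) return -1;
    strcpy(inc, including);
    strcpy(s, spec);
    if (fix_backslashes) {
        for (char *p = inc; *p; p++) if (*p == '\\') *p = '/';
        for (char *p = s; *p; p++) if (*p == '\\') *p = '/';
    }
    if (s[0] == '/') {                          /* absolute include: includer's directory is irrelevant */
        if (strlen(s) + 1 > outsz) return -1;
        strcpy(out, s);
        return normalize_path(out);
    }
    const char *slash = strrchr(inc, '/');
    size_t dirlen = slash ? (size_t)(slash - inc) + 1 : 0;
    if (dirlen + strlen(s) + 1 > outsz) return -1;
    memcpy(out, inc, dirlen);
    strcpy(out + dirlen, s);
    return normalize_path(out);
}

int main(void) {
    char master[PATH_MAX_DEMO], feat[PATH_MAX_DEMO];
    /* Nested include chain from the issue: main.gdl -> "..\source\master.gdl" -> "features.gdl" */
    resolve_include("project/build/main.gdl", "..\\source\\master.gdl", 1, master, sizeof master);
    resolve_include(master, "features.gdl", 1, feat, sizeof feat);
    printf("normalized: %s -> %s\n", master, feat);
    resolve_include("project/build/main.gdl", "..\\source\\master.gdl", 0, master, sizeof master);
    resolve_include(master, "features.gdl", 0, feat, sizeof feat);
    printf("as-is:      %s -> %s\n", master, feat);
    return 0;
}
```

With separators normalized the second include lands in `project/source/`; without normalization the first result still contains the backslashes, `strrchr` finds only the `project/build/` prefix, and `features.gdl` is resolved there, which is the failure the issue reports. A resolver that also refuses a normalized result escaping its base directory is the usual next step when include paths come from untrusted sources.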

Add graphite to oss-fuzz

Google is offering free fuzzing of widely-used open source projects with their OSS-Fuzz initiative.
https://github.com/google/oss-fuzz

Given that graphite is widely used and fuzzing has previously proved successful at finding real bugs, I think it would make sense to take advantage of that offer and see what they find? :)
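Two passages share this added example, which is not code from the project: the overview's statement that a Graphite font is a TrueType font extended with compiled GDL, and this request to fuzz the library. The parser below walks an sfnt table directory and reports which of Graphite's own tables (tags `Silf`, `Gloc`, `Glat`, `Feat`, `Sill`; the page does not list them) are present, checking every offset and length against the buffer before trusting it, which is exactly the kind of code a crafted font targets. It also defines the `LLVMFuzzerTestOneInput` entry point that libFuzzer and OSS-Fuzz call, wired to this parser rather than to `gr_make_file_face()`, so it builds without graphite2 installed. The sample font bytes are constructed, and the "Silf plus Gloc plus Glat" criterion for a Graphite-enabled font is this example's own assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* sfnt (TrueType/OpenType) containers are big-endian. */
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(((unsigned)p[0] << 8) | p[1]); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

#define TAG(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Graphite's own sfnt tables (tags are Graphite's; the page does not list them). */
enum { GR_SILF = 1, GR_GLOC = 2, GR_GLAT = 4, GR_FEAT = 8, GR_SILL = 16 };

/* Walk the table directory and report which Graphite tables are present.
 * Returns a GR_* bitmask, or -1 if the directory is malformed: the record count and
 * every offset/length pair are checked against the buffer before anything is trusted. */
int graphite_tables(const uint8_t *buf, size_t len) {
    if (len < 12) return -1;                               /* offset subtable header */
    uint32_t ver = rd32(buf);
    if (ver != 0x00010000u && ver != TAG('t','r','u','e') && ver != TAG('O','T','T','O')) return -1;
    uint16_t num = rd16(buf + 4);
    if (num > (len - 12) / 16) return -1;                  /* 16-byte records must fit; no overflow */
    int mask = 0;
    for (uint16_t i = 0; i < num; i++) {
        const uint8_t *rec = buf + 12 + (size_t)i * 16;
        uint32_t tag = rd32(rec), off = rd32(rec + 8), tlen = rd32(rec + 12);
        if (off > len || tlen > len - off) return -1;       /* table must lie inside the file */
        switch (tag) {
        case TAG('S','i','l','f'): mask |= GR_SILF; break;
        case TAG('G','l','o','c'): mask |= GR_GLOC; break;
        case TAG('G','l','a','t'): mask |= GR_GLAT; break;
        case TAG('F','e','a','t'): mask |= GR_FEAT; break;
        case TAG('S','i','l','l'): mask |= GR_SILL; break;
        default: break;
        }
    }
    return mask;
}

/* Criterion used here (assumption): a font is Graphite-enabled when it carries the rule
 * table (Silf) plus the glyph attribute tables (Gloc, Glat). */
int is_graphite_font(const uint8_t *buf, size_t len) {
    int m = graphite_tables(buf, len);
    return m >= 0 && (m & (GR_SILF | GR_GLOC | GR_GLAT)) == (GR_SILF | GR_GLOC | GR_GLAT);
}

/* libFuzzer / OSS-Fuzz entry point. Every input is a candidate font; the parser must
 * return cleanly for all of them, and ASan catches any out-of-bounds read it misses. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    (void)graphite_tables(data, size);
    return 0;
}

/* Constructed sample (not a real font): a directory with cmap, Silf, Gloc and Glat, each
 * pointing at 4 bytes of zero data placed right after the directory. */
size_t build_sample_font(uint8_t *out, size_t cap) {
    static const char *tags[] = { "cmap", "Silf", "Gloc", "Glat" };
    const uint32_t n = 4, tlen = 4;
    size_t need = 12 + (size_t)n * 16 + (size_t)n * tlen;
    if (cap < need) return 0;
    memset(out, 0, need);
    wr32(out, 0x00010000u);
    wr16(out + 4, (uint16_t)n);
    for (uint32_t i = 0; i < n; i++) {
        uint8_t *rec = out + 12 + i * 16;
        memcpy(rec, tags[i], 4);                           /* tag */
        wr32(rec + 4, 0);                                  /* checksum, unused here */
        wr32(rec + 8, 12 + n * 16 + i * tlen);             /* offset */
        wr32(rec + 12, tlen);                              /* length */
    }
    return need;
}

int main(void) {
    uint8_t font[128];
    size_t len = build_sample_font(font, sizeof font);
    printf("graphite tables mask: %d, graphite font: %d\n", graphite_tables(font, len), is_graphite_font(font, len));
    printf("truncated by one byte: %d\n", graphite_tables(font, len - 1));
    return 0;
}
```

To turn this into a fuzzer, drop `main` (libFuzzer supplies its own) and build with `clang -g -fsanitize=fuzzer,address`; a harness for the library itself would hand the input bytes to `gr_make_file_face()`, the same entry point the `clusters` example links against above. The two bounds checks in `graphite_tables` are the ones a fuzzer exercises first: a record count larger than the file, and a table whose offset plus length wraps or runs past the end.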

Memory corruption found in graphite2::Face::~Face()

0x01 Description

In libgraphite2 version 1.3.11 and the master branch, a memory corruption vulnerability was found in graphite2::Face::~Face(), which may allow attackers to cause a denial of service or possibly execute arbitrary code via a crafted font type file.

0x02 How to reproduce

This issue can be reproduced by the following command:
gr2fonttest libgraphite2-Face-Face-memory-corruption-1.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
0x03 Backtrace Information

gzq@ubuntu:~/tmp/graphite-1.3.11/build/gr2fonttest$ gdb -q ./gr2fonttest
Reading symbols from ./gr2fonttest...(no debugging symbols found)...done.
(gdb) r libgraphite2-Face-Face-memory-corruption-1.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Starting program: /home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest libgraphite2-Face-Face-memory-corruption-1.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Text codes
1000	102f	103f	104f	105f	106f	107f	108f	109f	10af
10bf	10cf	10df	10ef	10ff	2000	2001	2002	2003	
*** Error in `/home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest': free(): invalid next size (fast): 0x000055555578e7b0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x790cb)[0x7ffff74cf0cb]
/lib/x86_64-linux-gnu/libc.so.6(+0x82c9a)[0x7ffff74d8c9a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7ffff74dcd8c]
/home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3(+0x14c5c)[0x7ffff7bb9c5c]
/home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3(+0x6fad)[0x7ffff7babfad]
/home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest(_ZNK10Parameters12testFileFontEv+0x527)[0x555555556df7]
/home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest(main+0x268)[0x555555555f98]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7ffff74763f1]
/home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest(_start+0x2a)[0x555555555fea]
======= Memory map: ========
555555554000-555555559000 r-xp 00000000 08:01 1283739                    /home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest
555555758000-555555759000 r--p 00004000 08:01 1283739                    /home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest
555555759000-55555575a000 rw-p 00005000 08:01 1283739                    /home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest
55555575a000-5555557af000 rw-p 00000000 00:00 0                          [heap]
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0 
7ffff0021000-7ffff4000000 ---p 00000000 00:00 0 
7ffff6f36000-7ffff703e000 r-xp 00000000 08:01 1442008                    /lib/x86_64-linux-gnu/libm-2.24.so
7ffff703e000-7ffff723d000 ---p 00108000 08:01 1442008                    /lib/x86_64-linux-gnu/libm-2.24.so
7ffff723d000-7ffff723e000 r--p 00107000 08:01 1442008                    /lib/x86_64-linux-gnu/libm-2.24.so
7ffff723e000-7ffff723f000 rw-p 00108000 08:01 1442008                    /lib/x86_64-linux-gnu/libm-2.24.so
7ffff723f000-7ffff7255000 r-xp 00000000 08:01 1447267                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7255000-7ffff7454000 ---p 00016000 08:01 1447267                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7454000-7ffff7455000 r--p 00015000 08:01 1447267                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7455000-7ffff7456000 rw-p 00016000 08:01 1447267                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7456000-7ffff7614000 r-xp 00000000 08:01 1442004                    /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7614000-7ffff7813000 ---p 001be000 08:01 1442004                    /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7813000-7ffff7817000 r--p 001bd000 08:01 1442004                    /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7817000-7ffff7819000 rw-p 001c1000 08:01 1442004                    /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7819000-7ffff781d000 rw-p 00000000 00:00 0 
7ffff781d000-7ffff7995000 r-xp 00000000 08:01 1715108                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
7ffff7995000-7ffff7b95000 ---p 00178000 08:01 1715108                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
7ffff7b95000-7ffff7b9f000 r--p 00178000 08:01 1715108                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
7ffff7b9f000-7ffff7ba1000 rw-p 00182000 08:01 1715108                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
7ffff7ba1000-7ffff7ba5000 rw-p 00000000 00:00 0 
7ffff7ba5000-7ffff7bd5000 r-xp 00000000 08:01 1283559                    /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3.0.1
7ffff7bd5000-7ffff7dd4000 ---p 00030000 08:01 1283559                    /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3.0.1
7ffff7dd4000-7ffff7dd6000 r--p 0002f000 08:01 1283559                    /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3.0.1
7ffff7dd6000-7ffff7dd7000 rw-p 00031000 08:01 1283559                    /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3.0.1
7ffff7dd7000-7ffff7dfc000 r-xp 00000000 08:01 1441999                    /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7fd2000-7ffff7fd7000 rw-p 00000000 00:00 0 
7ffff7ff4000-7ffff7ff8000 rw-p 00000000 00:00 0 
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:01 1441999                    /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:01 1441999                    /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
58	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007ffff748d3ea in __GI_abort () at abort.c:89
#2  0x00007ffff74cf0d0 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff75e4f80 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff74d8c9a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7ffff75e4ff8 "free(): invalid next size (fast)", action=3) at malloc.c:5048
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=<optimized out>) at malloc.c:3904
#5  0x00007ffff74dcd8c in __GI___libc_free (mem=<optimized out>) at malloc.c:2984
#6  0x00007ffff7bb9c5c in graphite2::Face::~Face() () from /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3
#7  0x00007ffff7babfad in graphite2::CachedFace::~CachedFace() () from /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3
#8  0x0000555555556df7 in Parameters::testFileFont() const ()
#9  0x0000555555555f98 in main ()

I didn't dig into the detail.

For security consideration, the poc file attached is encrypted with a password, if you need it, please ask me for it.

0x04 Author
This issue is reported by Ziqiang Gu from Weiran Labs.

libgraphite2-Face-Face-memory-corruption-1.zip

New release

Hello.

Would it be possible to create a new release, please? Some Linux distributions started to switch to Python 3 only environment and commits in the master branch contain some fixes and improvements regarding Python 3 compatibility.

Thank you and have a nice day.
Lumír

Memory corruption found in graphite2::SegCacheEntry::clear()

0x01 Description

In libgraphite2 version 1.3.11 and the master branch, a memory corruption vulnerability was found in graphite2::SegCacheEntry::clear(), which may allow attackers to cause a denial of service or possibly execute arbitrary code via a crafted font type file.

0x02 How to reproduce

This issue can be reproduced by the following command:
gr2fonttest libgraphite2-SegCacheEntry-clear-memory-corruption.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003

0x03 Backtrace Information

gzq@ubuntu:~/tmp/graphite-1.3.11/build/gr2fonttest$ gdb -q ./gr2fonttest
Reading symbols from ./gr2fonttest...(no debugging symbols found)...done.
(gdb) r libgraphite2-SegCacheEntry-clear-memory-corruption.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Starting program: /home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest libgraphite2-SegCacheEntry-clear-memory-corruption.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Text codes
1000	102f	103f	104f	105f	106f	107f	108f	109f	10af
10bf	10cf	10df	10ef	10ff	2000	2001	2002	2003	
*** Error in `/home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest': free(): invalid next size (fast): 0x00005555557704f0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x790cb)[0x7ffff74cf0cb]
/lib/x86_64-linux-gnu/libc.so.6(+0x82c9a)[0x7ffff74d8c9a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7ffff74dcd8c]
/home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3(+0x2903f)[0x7ffff7bce03f]
/home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3(+0x280c8)[0x7ffff7bcd0c8]
/home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3(+0x6f3c)[0x7ffff7babf3c]
/home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest(_ZNK10Parameters12testFileFontEv+0x527)[0x555555556df7]
/home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest(main+0x268)[0x555555555f98]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7ffff74763f1]
/home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest(_start+0x2a)[0x555555555fea]
======= Memory map: ========
555555554000-555555559000 r-xp 00000000 08:01 1283739                    /home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest
555555758000-555555759000 r--p 00004000 08:01 1283739                    /home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest
555555759000-55555575a000 rw-p 00005000 08:01 1283739                    /home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest
55555575a000-5555557af000 rw-p 00000000 00:00 0                          [heap]
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0 
7ffff0021000-7ffff4000000 ---p 00000000 00:00 0 
7ffff6f36000-7ffff703e000 r-xp 00000000 08:01 1442008                    /lib/x86_64-linux-gnu/libm-2.24.so
7ffff703e000-7ffff723d000 ---p 00108000 08:01 1442008                    /lib/x86_64-linux-gnu/libm-2.24.so
7ffff723d000-7ffff723e000 r--p 00107000 08:01 1442008                    /lib/x86_64-linux-gnu/libm-2.24.so
7ffff723e000-7ffff723f000 rw-p 00108000 08:01 1442008                    /lib/x86_64-linux-gnu/libm-2.24.so
7ffff723f000-7ffff7255000 r-xp 00000000 08:01 1447267                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7255000-7ffff7454000 ---p 00016000 08:01 1447267                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7454000-7ffff7455000 r--p 00015000 08:01 1447267                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7455000-7ffff7456000 rw-p 00016000 08:01 1447267                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7456000-7ffff7614000 r-xp 00000000 08:01 1442004                    /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7614000-7ffff7813000 ---p 001be000 08:01 1442004                    /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7813000-7ffff7817000 r--p 001bd000 08:01 1442004                    /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7817000-7ffff7819000 rw-p 001c1000 08:01 1442004                    /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7819000-7ffff781d000 rw-p 00000000 00:00 0 
7ffff781d000-7ffff7995000 r-xp 00000000 08:01 1715108                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
7ffff7995000-7ffff7b95000 ---p 00178000 08:01 1715108                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
7ffff7b95000-7ffff7b9f000 r--p 00178000 08:01 1715108                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
7ffff7b9f000-7ffff7ba1000 rw-p 00182000 08:01 1715108                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
7ffff7ba1000-7ffff7ba5000 rw-p 00000000 00:00 0 
7ffff7ba5000-7ffff7bd5000 r-xp 00000000 08:01 1283559                    /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3.0.1
7ffff7bd5000-7ffff7dd4000 ---p 00030000 08:01 1283559                    /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3.0.1
7ffff7dd4000-7ffff7dd6000 r--p 0002f000 08:01 1283559                    /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3.0.1
7ffff7dd6000-7ffff7dd7000 rw-p 00031000 08:01 1283559                    /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3.0.1
7ffff7dd7000-7ffff7dfc000 r-xp 00000000 08:01 1441999                    /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7fd2000-7ffff7fd7000 rw-p 00000000 00:00 0 
7ffff7ff4000-7ffff7ff8000 rw-p 00000000 00:00 0 
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:01 1441999                    /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:01 1441999                    /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
58	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007ffff748d3ea in __GI_abort () at abort.c:89
#2  0x00007ffff74cf0d0 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff75e4f80 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff74d8c9a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7ffff75e4ff8 "free(): invalid next size (fast)", action=3) at malloc.c:5048
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=<optimized out>) at malloc.c:3904
#5  0x00007ffff74dcd8c in __GI___libc_free (mem=<optimized out>) at malloc.c:2984
#6  0x00007ffff7bce03f in graphite2::SegCacheEntry::clear() () from /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3
#7  0x00007ffff7bcd0c8 in graphite2::SegCache::clear(graphite2::SegCacheStore*) () from /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3
#8  0x00007ffff7babf3c in graphite2::CachedFace::~CachedFace() () from /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3
#9  0x0000555555556df7 in Parameters::testFileFont() const ()
#10 0x0000555555555f98 in main ()

I didn't dig into the detail. I'm not sure if this issue is the same as the previous one (#24); the backtrace seems different.

For security consideration, the poc file attached is encrypted with a password, if you need it, please ask me for it.

0x04 Author

This issue is reported by Ziqiang Gu from Weiran Labs.

libgraphite2-SegCacheEntry-clear-memory-corruption.zip
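The two `free(): invalid next size (fast)` reports above abort inside `free()`, not at the bad write, and the reporter says the detail was not investigated. The following added example (a simulation in a plain array, not glibc code and not from graphite2) shows what that message means. Two chunks are modelled back to back; an unchecked copy of an oversize input runs past the first chunk's user bytes into the second chunk's size word, and a check modelled on the one glibc runs when a fastbin-sized chunk is freed then flags the header as corrupt. The checked variant alongside rejects the input. Chunk sizes and the payload are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy model of two adjacent glibc-style heap chunks laid out back to back:
 *   [size0][user0 ........][size1][user1 ........]
 * Each size word is 8 bytes, like the chunk header glibc keeps just before the pointer that
 * malloc() returns. This is a simulation, not glibc's allocator. */
#define HDR   8
#define USER  24
#define ARENA (2 * (HDR + USER))

typedef struct { uint8_t mem[ARENA]; } arena_t;

void arena_init(arena_t *a) {
    uint64_t sz = HDR + USER;
    memset(a->mem, 0, sizeof a->mem);
    memcpy(a->mem, &sz, HDR);                 /* size of chunk 0 */
    memcpy(a->mem + HDR + USER, &sz, HDR);    /* size of chunk 1, right after chunk 0's user data */
}

static uint8_t *user0(arena_t *a) { return a->mem + HDR; }

uint64_t next_chunk_size(arena_t *a) {
    uint64_t s;
    memcpy(&s, a->mem + HDR + USER, HDR);
    return s;
}

/* Approximation of the check glibc applies when a fastbin-sized chunk is freed: the size word of
 * the following chunk must be at least a minimum chunk and no larger than the arena. Failing it
 * is what prints "free(): invalid next size (fast)". Returns 1 when the header is corrupt. */
int next_size_invalid(arena_t *a) {
    uint64_t s = next_chunk_size(a);
    return s < 2 * HDR || s > ARENA;
}

/* Vulnerable pattern: a length taken from the input drives a copy into a fixed-size chunk.
 * Anything past USER bytes lands on chunk 1's size word. The only bound here is the simulated
 * arena itself, so the demo stays inside the array. */
void copy_unchecked(arena_t *a, const uint8_t *src, size_t n) {
    if (n > ARENA - HDR) n = ARENA - HDR;
    memcpy(user0(a), src, n);
}

/* Hardened: reject anything that does not fit the chunk's usable size. */
int copy_checked(arena_t *a, const uint8_t *src, size_t n) {
    if (n > USER) return -1;
    memcpy(user0(a), src, n);
    return 0;
}

int main(void) {
    arena_t a;
    uint8_t payload[USER + 8];
    memset(payload, 'A', sizeof payload);      /* constructed oversize input */
    arena_init(&a);
    copy_unchecked(&a, payload, sizeof payload);
    printf("after unchecked copy: next size = 0x%llx, invalid = %d\n",
           (unsigned long long)next_chunk_size(&a), next_size_invalid(&a));
    arena_init(&a);
    printf("checked copy of oversize input: %d, invalid = %d\n",
           copy_checked(&a, payload, sizeof payload), next_size_invalid(&a));
    return 0;
}
```

When triaging the real crash, build graphite2 and gr2fonttest with `-fsanitize=address` so the report names the out-of-bounds write itself, with a stack, rather than the later `free()` that trips over the damaged header; the backtraces above come from a non-instrumented build without debug symbols and only show the victim.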

segfault in graphite2::Slot::set()

0x01 Description

In libgraphite2 version 1.3.11 and the master branch, a segmentation fault vulnerability was found in graphite2::Slot::set(), which may allow attackers to cause a denial of service or possibly have other impact via a crafted font type file.

0x02 How to reproduce

This issue can be reproduced by the following command:
gr2fonttest $POC -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003

0x03 Debugging Information

gzq@ubuntu:~/fuzz/tmp/graphite/build/gr2fonttest$ gdb -q gr2fonttest
Reading symbols from gr2fonttest...done.
(gdb) r libgraphite2-segfault-graphite2::Slot::set-1.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Starting program: /home/gzq/fuzz/tmp/graphite/build/gr2fonttest/gr2fonttest libgraphite2-segfault-graphite2::Slot::set-1.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Text codes
1000	102f	103f	104f	105f	106f	107f	108f	109f	10af
10bf	10cf	10df	10ef	10ff	2000	2001	2002	2003	

Program received signal SIGSEGV, Segmentation fault.
graphite2::Slot::set (this=0x5555557cad80, orig=..., charOffset=5, sizeAttr=3, justLevels=0, numChars=4) at /home/gzq/fuzz/tmp/graphite/src/Slot.cpp:52
52	    m_glyphid = orig.m_glyphid;
(gdb) print orig
$1 = (const graphite2::Slot &) <error reading variable>
(gdb) 
$2 = (const graphite2::Slot &) <error reading variable>
(gdb) print *this
$3 = {m_next = 0x5555557cad00, m_prev = 0x5555557cae00, m_glyphid = 0, m_realglyphid = 0, m_original = 12, m_before = 12, m_after = 12, m_index = 0, m_parent = 0x0, m_child = 0x0, m_sibling = 0x0, m_position = {x = 0, y = 0}, m_shift = {x = 0, y = 0}, m_advance = {
    x = 576, y = 0}, m_attach = {x = 0, y = 0}, m_with = {x = 0, y = 0}, m_just = 0, m_flags = 0 '\000', m_attLevel = 0 '\000', m_bidiCls = 0 '\000', m_bidiLevel = 0 '\000', m_userAttr = 0x5555557cb658, m_justs = 0x0}

(gdb) bt
#0  graphite2::Slot::set (this=0x5555557cad80, orig=..., charOffset=5, sizeAttr=3, justLevels=0, numChars=4) at /home/gzq/fuzz/tmp/graphite/src/Slot.cpp:52
#1  0x00007ffff7bc6062 in graphite2::Segment::splice (this=this@entry=0x5555557800e0, offset=offset@entry=5, length=<optimized out>, length@entry=4, startSlot=startSlot@entry=0x5555557cae00, endSlot=<optimized out>, srcSlot=<optimized out>, numGlyphs=<optimized out>)
    at /home/gzq/fuzz/tmp/graphite/src/Segment.cpp:320
#2  0x00007ffff7babaaf in graphite2::CachedFace::runGraphite (this=0x55555576d4b0, seg=<optimized out>, pSilf=<optimized out>) at /home/gzq/fuzz/tmp/graphite/src/CachedFace.cpp:113
#3  0x00007ffff7bab213 in graphite2::Segment::runGraphite (this=0x5555557800e0) at /home/gzq/fuzz/tmp/graphite/src/inc/Segment.h:97
#4  (anonymous namespace)::makeAndInitialize (dir=1, nChars=19, pStart=0x555555771570, enc=gr_utf8, pFeats=0x555555780080, script=0, face=0x55555576d4b0, font=0x555555771520) at /home/gzq/fuzz/tmp/graphite/src/gr_segment.cpp:46
#5  gr_make_seg (font=0x555555771520, face=0x55555576d4b0, script=<optimized out>, pFeats=0x555555780080, enc=gr_utf8, pStart=0x555555771570, nChars=19, dir=1) at /home/gzq/fuzz/tmp/graphite/src/gr_segment.cpp:105
#6  0x0000555555557109 in Parameters::testFileFont (this=0x7fffffffe220) at /home/gzq/fuzz/tmp/graphite/gr2fonttest/gr2FontTest.cpp:700
#7  0x0000555555555f98 in main (argc=29, argv=0x7fffffffe398) at /home/gzq/fuzz/tmp/graphite/gr2fonttest/gr2FontTest.cpp:810
(gdb) 

For security consideration, the poc file attached is encrypted with a password which I have sent to you.

0x04 Author

This issue is reported by Ziqiang Gu from WeiRan Labs.

0x05 POC

libgraphite2-segfault-graphite2__Slot__set-1.zip

Build with Clang fails; link error: unable to find library -lgcc

Hi,
I am trying to compile graphite2-1.3.11 with Clang on Gentoo, and it fails with a linking error.
There is no GCC on the system, so it makes sense that it can't find the library, but I have not been able to find where it gets the -lgcc flag from. The system uses musl instead of glibc; I do not know if that is relevant.
Please help. Thank you :-)

* abi_x86_64.amd64: running multilib-minimal_abi_src_configure

Working in BUILD_DIR: "/dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64"
cmake -C /dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64/gentoo_common_config.cmake -G Unix Makefiles -DCMAKE_INSTALL_PREFIX=/usr -DVM_MACHINE_TYPE=direct -DCMAKE_BUILD_TYPE=Gentoo -DCMAKE_USER_MAKE_RULES_OVERRIDE=/dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64/gentoo_rules.cmake -DCMAKE_TOOLCHAIN_FILE=/dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64/gentoo_toolchain.cmake /dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11
loading initial cache file /dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64/gentoo_common_config.cmake
-- The C compiler identification is Clang 6.0.0
-- The CXX compiler identification is Clang 6.0.0
-- Check for working C compiler: /usr/lib/llvm/6/bin/clang
-- Check for working C compiler: /usr/lib/llvm/6/bin/clang -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler: /usr/lib/llvm/6/bin/clang++
-- Check for working CXX compiler: /usr/lib/llvm/6/bin/clang++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Build: Gentoo
-- Building library: shared
-- Segment Cache support: enabled
-- File Face support: enabled
-- Tracing support: enabled
-- Using vm machine type: call
-- Compiler ID is: Clang
-- <<< Gentoo configuration >>>
Build type Gentoo
Install path /usr
Compiler flags:
C -O3 -pipe
C++ -O3 -pipe
Linker flags:
Executable -Wl,-O2 -Wl,--as-needed -Wl,--strip-all
Module -Wl,-O2 -Wl,--as-needed -Wl,--strip-all
Shared -Wl,-O2 -Wl,--as-needed -Wl,--strip-all

-- Configuring done
-- Generating done
CMake Warning:
Manually-specified variables were not used by the project:

VM_MACHINE_TYPE

-- Build files have been written to: /dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64
* abi_x86_64.amd64: running multilib-minimal_abi_src_compile

Working in BUILD_DIR: "/dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64"
make -j6 VERBOSE=1
/usr/bin/cmake -H/dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11 -B/dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64 --check-build-system CMakeFiles/Makefile.cmake 0
/usr/bin/cmake -E cmake_progress_start /dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64/CMakeFiles /dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64/CMakeFiles/progress.marks
make -f CMakeFiles/Makefile2 all
make[1]: Entering directory '/dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64'
make -f src/CMakeFiles/graphite2.dir/build.make src/CMakeFiles/graphite2.dir/depend
make[2]: Entering directory '/dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64'
cd /dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64 && /usr/bin/cmake -E cmake_depends "Unix Makefiles" /dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11 /dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11/src /dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64 /dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64/src /dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64/src/CMakeFiles/graphite2.dir/DependInfo.cmake --color=
Dependee "/dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64/src/CMakeFiles/graphite2.dir/DependInfo.cmake" is newer than depender "/dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64/src/CMakeFiles/graphite2.dir/depend.internal".
Dependee "/dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64/src/CMakeFiles/CMakeDirectoryInformation.cmake" is newer than depender "/dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64/src/CMakeFiles/graphite2.dir/depend.internal".
Scanning dependencies of target graphite2
make[2]: Leaving directory '/dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64'
make -f src/CMakeFiles/graphite2.dir/build.make src/CMakeFiles/graphite2.dir/build
make[2]: Entering directory '/dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64'
[ 2%] Building CXX object src/CMakeFiles/graphite2.dir/call_machine.cpp.o
...
[ 89%] Building CXX object src/CMakeFiles/graphite2.dir/json.cpp.o
cd /dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64/src && /usr/lib/llvm/6/bin/clang++ -Dgraphite2_EXPORTS -I/dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11/include -I/dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11/src -DNDEBUG -O3 -pipe -fPIC -mfpmath=sse -msse2 -Wimplicit-fallthrough -Wall -Wextra -Wno-unknown-pragmas -Wendif-labels -Wshadow -Wctor-dtor-privacy -Wnon-virtual-dtor -fno-rtti -fno-exceptions -fvisibility=hidden -fvisibility-inlines-hidden -o CMakeFiles/graphite2.dir/json.cpp.o -c /dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11/src/json.cpp
[ 92%] Linking C shared library libgraphite2.so
cd /dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64/src && /usr/bin/cmake -E cmake_link_script CMakeFiles/graphite2.dir/link.txt --verbose=1
/usr/lib/llvm/6/bin/clang -fPIC -O3 -pipe -nodefaultlibs -Wl,-O2 -Wl,--as-needed -Wl,--strip-all -shared -Wl,-soname,libgraphite2.so.3 -o libgraphite2.so.3.0.1 CMakeFiles/graphite2.dir/call_machine.cpp.o CMakeFiles/graphite2.dir/gr_char_info.cpp.o CMakeFiles/graphite2.dir/gr_features.cpp.o CMakeFiles/graphite2.dir/gr_face.cpp.o CMakeFiles/graphite2.dir/gr_font.cpp.o CMakeFiles/graphite2.dir/gr_logging.cpp.o CMakeFiles/graphite2.dir/gr_segment.cpp.o CMakeFiles/graphite2.dir/gr_slot.cpp.o CMakeFiles/graphite2.dir/CachedFace.cpp.o CMakeFiles/graphite2.dir/CmapCache.cpp.o CMakeFiles/graphite2.dir/Code.cpp.o CMakeFiles/graphite2.dir/Collider.cpp.o CMakeFiles/graphite2.dir/Decompressor.cpp.o CMakeFiles/graphite2.dir/Face.cpp.o CMakeFiles/graphite2.dir/FeatureMap.cpp.o CMakeFiles/graphite2.dir/Font.cpp.o CMakeFiles/graphite2.dir/GlyphFace.cpp.o CMakeFiles/graphite2.dir/GlyphCache.cpp.o CMakeFiles/graphite2.dir/Intervals.cpp.o CMakeFiles/graphite2.dir/Justifier.cpp.o CMakeFiles/graphite2.dir/NameTable.cpp.o CMakeFiles/graphite2.dir/Pass.cpp.o CMakeFiles/graphite2.dir/Position.cpp.o CMakeFiles/graphite2.dir/Segment.cpp.o CMakeFiles/graphite2.dir/Silf.cpp.o CMakeFiles/graphite2.dir/Slot.cpp.o CMakeFiles/graphite2.dir/Sparse.cpp.o CMakeFiles/graphite2.dir/TtfUtil.cpp.o CMakeFiles/graphite2.dir/UtfCodec.cpp.o CMakeFiles/graphite2.dir/FileFace.cpp.o CMakeFiles/graphite2.dir/SegCache.cpp.o CMakeFiles/graphite2.dir/SegCacheEntry.cpp.o CMakeFiles/graphite2.dir/SegCacheStore.cpp.o CMakeFiles/graphite2.dir/json.cpp.o -lc -lgcc
/usr/bin/x86_64-gentoo-linux-musl-ld: error: unable to find library -lgcc
clang-6.0: error: linker command failed with exit code 1 (use -v to see invocation)
make[2]: *** [src/CMakeFiles/graphite2.dir/build.make:953: src/libgraphite2.so.3.0.1] Error 1
make[2]: Leaving directory '/dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64'
make[1]: *** [CMakeFiles/Makefile2:86: src/CMakeFiles/graphite2.dir/all] Error 2
make[1]: Leaving directory '/dev/shm/portage/media-gfx/graphite2-1.3.11/work/graphite2-1.3.11-abi_x86_64.amd64'
make: *** [Makefile:141: all] Error 2

Better integration with HarfBuzz font functions

HarfBuzz provides font function callbacks and allows clients to provide them (it also provides an internal implementation and a FreeType-based one). Currently libgraphite2 always accesses the font tables itself directly, breaking HarfBuzz-client code that depends on custom font functions (see harfbuzz/harfbuzz#1822).

Libgraphite2 should provide a way to override its internal font functions, allowing for a tighter integration with HarfBuzz. It would also be nice for reducing the size of static builds (e.g. WASM builds).

Compressed tables not working quite right

There is a bug in the decompressor that can cause a font to be rejected if the right conditions exist when the table is compressed using lz4hc. There is a workaround (compress up to the last 4 bytes, then tack the last 4 bytes onto the final copy), but the engine should be fixed to not have this problem.
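The end-of-block handling that the workaround above works around is easiest to see in a small decoder. The following is an added example, my own bounds-checked decoder for a single LZ4 block; it is not graphite2's Decompressor and not the reference lz4 library. It assumes the standard LZ4 block layout (token byte, literals, little-endian match offset, match-length extension bytes) and treats a final literal-only sequence as the legitimate end of the block. The sample block, the `lz4_decode` and `lz4_block_is_valid` helper names and the `kSampleBlock` constant are all constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Decode one LZ4 block. Returns the number of bytes written to dst, or -1 if
// the block is malformed or would not fit in dst_cap. Every length read from
// the stream is checked against the remaining input and output before use, so
// a crafted table can at worst be rejected, never written past the buffer.
long lz4_block_decompress(const uint8_t *src, size_t src_len,
                          uint8_t *dst, size_t dst_cap)
{
    size_t ip = 0, op = 0;
    while (ip < src_len) {
        const uint8_t token = src[ip++];

        // Literal length lives in the high nibble; 15 means "add the following
        // bytes until one of them is below 255".
        size_t lit = token >> 4;
        if (lit == 15) {
            uint8_t b;
            do {
                if (ip >= src_len) return -1;          // extension runs off the input
                b = src[ip++];
                lit += b;
            } while (b == 255);
        }
        if (lit > src_len - ip || lit > dst_cap - op) return -1;
        std::memcpy(dst + op, src + ip, lit);
        ip += lit;
        op += lit;

        // A block ends with a literal-only sequence: no offset and no match
        // follow the last run of literals. This is the edge case the issue is about.
        if (ip == src_len) break;

        if (src_len - ip < 2) return -1;               // truncated match offset
        const size_t offset = src[ip] | (static_cast<size_t>(src[ip + 1]) << 8);
        ip += 2;
        if (offset == 0 || offset > op) return -1;     // must point inside decoded output

        // Match length lives in the low nibble, same extension rule, plus the
        // implicit minimum of 4.
        size_t mlen = token & 0x0F;
        if (mlen == 15) {
            uint8_t b;
            do {
                if (ip >= src_len) return -1;
                b = src[ip++];
                mlen += b;
            } while (b == 255);
        }
        mlen += 4;
        if (mlen > dst_cap - op) return -1;

        // Byte-wise copy on purpose: offset < mlen is legal and means
        // "repeat the pattern", which memcpy/memmove would get wrong.
        for (size_t i = 0; i < mlen; ++i, ++op) dst[op] = dst[op - offset];
    }
    return static_cast<long>(op);
}

// Constructed sample block (not taken from any real font):
//   token 0x48 -> 4 literals "abcd", then a match of 4+8 = 12 bytes at offset 4,
//   token 0x50 -> 5 final literals "XYZWV" with nothing after them.
const std::vector<uint8_t> kSampleBlock = {
    0x48, 0x61, 0x62, 0x63, 0x64, 0x04, 0x00,
    0x50, 0x58, 0x59, 0x5A, 0x57, 0x56
};

// Decode into a string, or return "" if the block is rejected.
std::string lz4_decode(const std::vector<uint8_t> &block, size_t dst_cap)
{
    std::vector<uint8_t> out(dst_cap);
    const long n = lz4_block_decompress(block.data(), block.size(), out.data(), out.size());
    if (n < 0) return std::string();
    return std::string(out.begin(), out.begin() + n);
}

// True if the block decodes cleanly within dst_cap bytes.
bool lz4_block_is_valid(const std::vector<uint8_t> &block, size_t dst_cap)
{
    std::vector<uint8_t> out(dst_cap);
    return lz4_block_decompress(block.data(), block.size(), out.data(), out.size()) >= 0;
}
```

Decoding kSampleBlock with a 64-byte output buffer yields "abcdabcdabcdabcdXYZWV" (21 bytes). The same block truncated after its first match offset byte, a block whose offset reaches before the start of the output, or an output buffer too small for the final literals are all rejected with -1 rather than read or written out of bounds; that rejection path is what a font table decompressor should fall into for a malformed table, while a well-formed block whose last sequence is literal-only must still be accepted.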

Critical memory corruption vulnerability found in graphite2::Segment::~Segment()

0x01 Description

In libgraphite2 version 1.3.11 and the master branch, a critical memory corruption vulnerability was found in graphite2::Segment::~Segment(), which may allow attackers to cause a denial of service or possibly execute arbitrary code via a crafted font file.

0x02 How to reproduce

This issue can be reproduced by the following command:
gr2fonttest $POC -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003

0x03 Debugging Information

gzq@ubuntu:~/tmp/graphite/build/gr2fonttest$ gdb -q ./gr2fonttest
Reading symbols from ./gr2fonttest...done.
(gdb) r libgraphite2-corrupted-size-or-prev_size-0x0x3bded-2.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Starting program: /home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest libgraphite2-corrupted-size-or-prev_size-0x0x3bded-2.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Text codes
1000	102f	103f	104f	105f	106f	107f	108f	109f	10af
10bf	10cf	10df	10ef	10ff	2000	2001	2002	2003	
*** Error in `/home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest': corrupted size vs. prev_size: 0x00005555557d0d30 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x790cb)[0x7ffff74cf0cb]
/lib/x86_64-linux-gnu/libc.so.6(+0x83752)[0x7ffff74d9752]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7ffff74dcd8c]
/home/gzq/tmp/graphite/build/src/libgraphite2.so.3(+0x2046d)[0x7ffff7bc546d]
/home/gzq/tmp/graphite/build/src/libgraphite2.so.3(gr_seg_destroy+0xe)[0x7ffff7bab35e]
/home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest(_ZNK10Parameters12testFileFontEv+0x194)[0x555555556a64]
/home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest(main+0x268)[0x555555555f98]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7ffff74763f1]
/home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest(_start+0x2a)[0x555555555fea]
======= Memory map: ========
555555554000-555555559000 r-xp 00000000 08:01 1049652                    /home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest
555555758000-555555759000 r--p 00004000 08:01 1049652                    /home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest
555555759000-55555575a000 rw-p 00005000 08:01 1049652                    /home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest
55555575a000-5555557f3000 rw-p 00000000 00:00 0                          [heap]
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0 
7ffff0021000-7ffff4000000 ---p 00000000 00:00 0 
7ffff6f36000-7ffff703e000 r-xp 00000000 08:01 1442008                    /lib/x86_64-linux-gnu/libm-2.24.so
7ffff703e000-7ffff723d000 ---p 00108000 08:01 1442008                    /lib/x86_64-linux-gnu/libm-2.24.so
7ffff723d000-7ffff723e000 r--p 00107000 08:01 1442008                    /lib/x86_64-linux-gnu/libm-2.24.so
7ffff723e000-7ffff723f000 rw-p 00108000 08:01 1442008                    /lib/x86_64-linux-gnu/libm-2.24.so
7ffff723f000-7ffff7255000 r-xp 00000000 08:01 1447267                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7255000-7ffff7454000 ---p 00016000 08:01 1447267                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7454000-7ffff7455000 r--p 00015000 08:01 1447267                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7455000-7ffff7456000 rw-p 00016000 08:01 1447267                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7456000-7ffff7614000 r-xp 00000000 08:01 1442004                    /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7614000-7ffff7813000 ---p 001be000 08:01 1442004                    /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7813000-7ffff7817000 r--p 001bd000 08:01 1442004                    /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7817000-7ffff7819000 rw-p 001c1000 08:01 1442004                    /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7819000-7ffff781d000 rw-p 00000000 00:00 0 
7ffff781d000-7ffff7995000 r-xp 00000000 08:01 1715108                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
7ffff7995000-7ffff7b95000 ---p 00178000 08:01 1715108                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
7ffff7b95000-7ffff7b9f000 r--p 00178000 08:01 1715108                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
7ffff7b9f000-7ffff7ba1000 rw-p 00182000 08:01 1715108                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
7ffff7ba1000-7ffff7ba5000 rw-p 00000000 00:00 0 
7ffff7ba5000-7ffff7bd5000 r-xp 00000000 08:01 1049485                    /home/gzq/tmp/graphite/build/src/libgraphite2.so.3.0.1
7ffff7bd5000-7ffff7dd4000 ---p 00030000 08:01 1049485                    /home/gzq/tmp/graphite/build/src/libgraphite2.so.3.0.1
7ffff7dd4000-7ffff7dd6000 r--p 0002f000 08:01 1049485                    /home/gzq/tmp/graphite/build/src/libgraphite2.so.3.0.1
7ffff7dd6000-7ffff7dd7000 rw-p 00031000 08:01 1049485                    /home/gzq/tmp/graphite/build/src/libgraphite2.so.3.0.1
7ffff7dd7000-7ffff7dfc000 r-xp 00000000 08:01 1441999                    /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7fd2000-7ffff7fd7000 rw-p 00000000 00:00 0 
7ffff7ff4000-7ffff7ff8000 rw-p 00000000 00:00 0 
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:01 1441999                    /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:01 1441999                    /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
58	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007ffff748d3ea in __GI_abort () at abort.c:89
#2  0x00007ffff74cf0d0 in __libc_message (do_abort=2, fmt=fmt@entry=0x7ffff75e4f80 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff74d9752 in malloc_printerr (ar_ptr=0x7ffff7817b00 <main_arena>, ptr=0x5555557d0d30, str=0x7ffff75e1ade "corrupted size vs. prev_size", action=<optimized out>) at malloc.c:5048
#4  _int_free (av=0x7ffff7817b00 <main_arena>, p=0x5555557d0a80, have_lock=0) at malloc.c:4051
#5  0x00007ffff74dcd8c in __GI___libc_free (mem=<optimized out>) at malloc.c:2984
#6  0x00007ffff7bc546d in graphite2::Segment::~Segment (this=0x555555780770, __in_chrg=<optimized out>) at /home/gzq/tmp/graphite/src/Segment.cpp:71
#7  0x00007ffff7bab35e in gr_seg_destroy (p=0x555555780770) at /home/gzq/tmp/graphite/src/gr_segment.cpp:114
#8  0x0000555555556a64 in Parameters::testFileFont (this=0x7fffffffe210) at /home/gzq/tmp/graphite/gr2fonttest/gr2FontTest.cpp:763
#9  0x0000555555555f98 in main (argc=29, argv=0x7fffffffe388) at /home/gzq/tmp/graphite/gr2fonttest/gr2FontTest.cpp:810

For security reasons, the attached PoC file is encrypted with a password, which I have sent to you.

0x04 Author

This issue is reported by Ziqiang Gu from WeiRan Labs.

0x05 POC

libgraphite2-corrupted-size-or-prev_size-0x0x3bded-2.zip

Graphite Fails to Compile in recent Electronite version 20 - std::iterator deprecated

Electronite is a fork of Electron that adds Graphite support. Starting with Electron v20.3.3 (https://github.com/unfoldingWord/electronite/tree/electronite-v20.3.3-beta), graphite fails to compile in the Electron build environment. I am getting similar build errors on Windows, MacOS, and Linux that are related to the use of std::iterator.

In building for Windows, I get the error:

[5 processes, 3768/44375 @ 2.9/s : 1289.525s] CXX obj/third_party/graphite/graphite_source/GlyphCache.obj
FAILED: obj/third_party/graphite/graphite_source/GlyphCache.obj
..\..\third_party\llvm-build\Release+Asserts\bin\clang-cl.exe /c ../../third_party/graphite/graphite2/src/GlyphCache.cpp /Foobj/third_party/graphite/graphite_source/GlyphCache.obj /nologo /showIncludes:user "-imsvcC:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30133\ATLMFC\include" "-imsvcC:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30133\include" "-imsvcC:\Program Files (x86)\Windows Kits\NETFXSDK\4.8\include\um" "-imsvcC:\Program Files (x86)\Windows Kits\10\include\10.0.20348.0\ucrt" "-imsvcC:\Program Files (x86)\Windows Kits\10\include\10.0.20348.0\shared" "-imsvcC:\Program Files (x86)\Windows Kits\10\include\10.0.20348.0\um" "-imsvcC:\Program Files (x86)\Windows Kits\10\include\10.0.20348.0\winrt" "-imsvcC:\Program Files (x86)\Windows Kits\10\include\10.0.20348.0\cppwinrt" -DGRAPHITE2_NTRACING -DGRAPHITE2_NSEGCACHE -DGRAPHITE2_NFILEFACE -DUSE_AURA=1 -DOFFICIAL_BUILD "-DCR_CLANG_REVISION=\"llvmorg-15-init-11722-g3f3a235a-2\"" -D_LIBCPP_ABI_NAMESPACE=Cr -D_LIBCPP_DISABLE_VISIBILITY_ANNOTATIONS -D_LIBCPP_ENABLE_NODISCARD -D_LIBCPP_NO_AUTO_LINK -D__STD_C -D_CRT_RAND_S -D_CRT_SECURE_NO_DEPRECATE -D_SCL_SECURE_NO_DEPRECATE -D_ATL_NO_OPENGL -D_WINDOWS -DCERT_CHAIN_PARA_HAS_EXTRA_FIELDS -DPSAPI_VERSION=2 -DWIN32 -D_SECURE_ATL -DWINAPI_FAMILY=WINAPI_FAMILY_DESKTOP_APP -DWIN32_LEAN_AND_MEAN -DNOMINMAX -D_UNICODE -DUNICODE -DNTDDI_VERSION=NTDDI_WIN10_FE -D_WIN32_WINNT=0x0A00 -DWINVER=0x0A00 -DNDEBUG -DNVALGRIND -DDYNAMIC_ANNOTATIONS_ENABLED=0 -D_CRT_NONSTDC_NO_WARNINGS -D_WINSOCK_DEPRECATED_NO_WARNINGS -D_SCL_SECURE_NO_WARNINGS -D_CRT_SECURE_NO_WARNINGS -DGRAPHITE2_STATIC -I../.. 
-Igen -I../../buildtools/third_party/libc++ -I../../third_party/graphite/graphite2/src -I../../third_party/graphite/graphite2/include -fno-delete-null-pointer-checks -fno-ident -fcolor-diagnostics -fmerge-all-constants -fcrash-diagnostics-dir=../../tools/clang/crashreports -mllvm -instcombine-lower-dbg-declare=0 /clang:-ffp-contract=off -flto=thin -fsplit-lto-unit -fwhole-program-vtables -fcomplete-member-pointers /Gy /FS /bigobj /utf-8 /Zc:twoPhase -ffile-reproducible /Zc:sizedDealloc- /D__WRL_ENABLE_FUNCTION_STATICS__ -fmsc-version=1916 -m64 -msse3 -ffile-compilation-dir=. -no-canonical-prefixes -ftrivial-auto-var-init=pattern /O2 /Ob2 /Oy- /Zc:inline /Gw /Oi /Z7 -gcodeview-ghash -Xclang -fuse-ctor-homing -fprofile-use=../../chrome/build/pgo_profiles/chrome-win64-5112-1659522760-a359105fb1eb14e8c5d61b542f3a35d55c6ea4fc.profdata -Wno-profile-instr-unprofiled -Wno-profile-instr-out-of-date -Wno-backend-plugin /guard:cf /MT -Xclang -add-plugin -Xclang find-bad-constructs -Xclang -plugin-arg-find-bad-constructs -Xclang raw-ptr-template-as-trivial-member -Xclang -plugin-arg-find-bad-constructs -Xclang use-classify-type -Wheader-hygiene -Wstring-conversion -Wtautological-overlap-compare /W3 /wd4800 /wd4267 -Wno-unused-variable -Wno-c++11-narrowing -Wno-unused-but-set-variable -Wno-misleading-indentation /WX -Wno-missing-field-initializers -Wno-unused-parameter -Wloop-analysis -Wno-unneeded-internal-declaration -Wno-nonportable-include-path -Wno-null-pointer-subtraction -Wenum-compare-conditional -Wno-psabi -Wno-ignored-pragma-optimize -Wno-unqualified-std-cast-call -Xclang -no-opaque-pointers /std:c++17 -Wno-trigraphs /Zc:alignedNew- /TP /GR- -I../../buildtools/third_party/libc++/trunk/include /Fd"obj/third_party/graphite/graphite_source_cc.pdb"
../../third_party/graphite/graphite2/src/GlyphCache.cpp(47,40): error: 'iterator<std::input_iterator_tag, std::pair<unsigned short, unsigned short>>' is deprecated [-Werror,-Wdeprecated-declarations]
    class _glat_iterator : public std::iterator<std::input_iterator_tag, std::pair<sparse::key_type, sparse::mapped_type> >
                                       ^
../../buildtools/third_party/libc++/trunk/include\__iterator/iterator.h(24,29): note: 'iterator<std::input_iterator_tag, std::pair<unsigned short, unsigned short>>' has been explicitly marked deprecated here
struct _LIBCPP_TEMPLATE_VIS _LIBCPP_DEPRECATED_IN_CXX17 iterator
                            ^
../../buildtools/third_party/libc++/trunk/include\__config(912,39): note: expanded from macro '_LIBCPP_DEPRECATED_IN_CXX17'
#  define _LIBCPP_DEPRECATED_IN_CXX17 _LIBCPP_DEPRECATED
                                      ^
../../buildtools/third_party/libc++/trunk/include\__config(889,48): note: expanded from macro '_LIBCPP_DEPRECATED'
#    define _LIBCPP_DEPRECATED __attribute__ ((deprecated))               

And in building for Linux, I get the error:

[6 processes, 756/41382 @ 22.0/s : 34.433s] CXX obj/third_party/graphite/graphite_source/GlyphCache.o
FAILED: obj/third_party/graphite/graphite_source/GlyphCache.o 
../../third_party/llvm-build/Release+Asserts/bin/clang++ -MMD -MF obj/third_party/graphite/graphite_source/GlyphCache.o.d -DGRAPHITE2_NTRACING -DGRAPHITE2_NSEGCACHE -DGRAPHITE2_NFILEFACE -DUSE_UDEV -DUSE_AURA=1 -DUSE_GLIB=1 -DUSE_OZONE=1 -DOFFICIAL_BUILD -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -DNO_UNWIND_TABLES -D_GNU_SOURCE -DCR_CLANG_REVISION=\"llvmorg-15-init-11722-g3f3a235a-2\" -D_LIBCPP_ABI_NAMESPACE=Cr -D_LIBCPP_DISABLE_VISIBILITY_ANNOTATIONS -D_LIBCXXABI_DISABLE_VISIBILITY_ANNOTATIONS -D_LIBCPP_ENABLE_NODISCARD -DCR_LIBCXX_REVISION=b1269813eaf5b8ac78e35e45a0f7cc320bd3e7d6 -DCR_SYSROOT_HASH=202e5738f4fad834a43ad9978efc53ff710ee979 -DNDEBUG -DNVALGRIND -DDYNAMIC_ANNOTATIONS_ENABLED=0 -I../.. -Igen -I../../buildtools/third_party/libc++ -I../../third_party/graphite/graphite2/src -I../../third_party/graphite/graphite2/include -fno-delete-null-pointer-checks -fno-ident -fno-strict-aliasing --param=ssp-buffer-size=4 -fstack-protector -fno-unwind-tables -fno-asynchronous-unwind-tables -fPIC -pthread -fcolor-diagnostics -fmerge-all-constants -fcrash-diagnostics-dir=../../tools/clang/crashreports -mllvm -instcombine-lower-dbg-declare=0 -ffp-contract=off -flto=thin -fsplit-lto-unit -fwhole-program-vtables -fcomplete-member-pointers -m64 -msse3 -ffile-compilation-dir=. 
-no-canonical-prefixes -ftrivial-auto-var-init=pattern -O2 -fdata-sections -ffunction-sections -fno-unique-section-names -fno-omit-frame-pointer -gdwarf-4 -g2 -gdwarf-aranges -ggnu-pubnames -Xclang -fuse-ctor-homing -fprofile-use=../../chrome/build/pgo_profiles/chrome-linux-5112-1659546792-1870321c902fd7dca1271b1e96ff9ea74063d09a.profdata -Wno-profile-instr-unprofiled -Wno-profile-instr-out-of-date -Wno-backend-plugin -fvisibility=hidden -Xclang -add-plugin -Xclang find-bad-constructs -Xclang -plugin-arg-find-bad-constructs -Xclang raw-ptr-template-as-trivial-member -Xclang -plugin-arg-find-bad-constructs -Xclang use-classify-type -Xclang -plugin-arg-find-bad-constructs -Xclang check-ipc -Wheader-hygiene -Wstring-conversion -Wtautological-overlap-compare -Werror -Wall -Wno-unused-variable -Wno-c++11-narrowing -Wno-unused-but-set-variable -Wno-misleading-indentation -Wno-missing-field-initializers -Wno-unused-parameter -Wloop-analysis -Wno-unneeded-internal-declaration -Wenum-compare-conditional -Wno-psabi -Wno-ignored-pragma-optimize -Wno-unqualified-std-cast-call -Xclang -no-opaque-pointers -Wall -Wextra -Wno-unknown-pragmas -Wendif-labels -Wshadow -Wctor-dtor-privacy -Wnon-virtual-dtor -std=c++17 -Wno-trigraphs -fno-aligned-new -fno-exceptions -fno-rtti -nostdinc++ -isystem../../buildtools/third_party/libc++/trunk/include -isystem../../buildtools/third_party/libc++abi/trunk/include --sysroot=../../build/linux/debian_bullseye_amd64-sysroot -fvisibility-inlines-hidden -c ../../third_party/graphite/graphite2/src/GlyphCache.cpp -o obj/third_party/graphite/graphite_source/GlyphCache.o
../../third_party/graphite/graphite2/src/GlyphCache.cpp:47:40: error: 'iterator<std::input_iterator_tag, std::pair<unsigned short, unsigned short>>' is deprecated [-Werror,-Wdeprecated-declarations]
    class _glat_iterator : public std::iterator<std::input_iterator_tag, std::pair<sparse::key_type, sparse::mapped_type> >
                                       ^
../../buildtools/third_party/libc++/trunk/include/__iterator/iterator.h:24:29: note: 'iterator<std::input_iterator_tag, std::pair<unsigned short, unsigned short>>' has been explicitly marked deprecated here
struct _LIBCPP_TEMPLATE_VIS _LIBCPP_DEPRECATED_IN_CXX17 iterator
                            ^
../../buildtools/third_party/libc++/trunk/include/__config:912:39: note: expanded from macro '_LIBCPP_DEPRECATED_IN_CXX17'
#  define _LIBCPP_DEPRECATED_IN_CXX17 _LIBCPP_DEPRECATED
                                      ^
../../buildtools/third_party/libc++/trunk/include/__config:889:48: note: expanded from macro '_LIBCPP_DEPRECATED'
#    define _LIBCPP_DEPRECATED __attribute__ ((deprecated))

And in building for MacOS, the error message is similar to Linux.

It appears that starting in Electron v20, the build environment has changed so that this has been escalated from a build warning to an error.

I found this posting that explains the change in implementation of std::iterator: https://stackoverflow.com/questions/43268146/why-is-stditerator-deprecated
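The fix that the linked posting describes is to spell out the member types that std::iterator used to supply. The following is an added example of that pattern, a stand-in pair-yielding input iterator that I wrote for this page; it is not graphite2's _glat_iterator and not code from the Electronite build. The class name pair_input_iterator, the flat [key, value, key, value, ...] layout it walks, and the collect_pairs and count_pairs helpers are assumptions made for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <iterator>
#include <type_traits>
#include <utility>
#include <vector>

// Input iterator over a flat array of 16-bit (key, value) pairs. Instead of
// deriving from the deprecated std::iterator<std::input_iterator_tag, value_type>,
// it declares the five member types that std::iterator_traits looks for.
class pair_input_iterator {
public:
    using iterator_category = std::input_iterator_tag;
    using value_type        = std::pair<uint16_t, uint16_t>;
    using difference_type   = std::ptrdiff_t;
    using pointer           = void;        // this input iterator does not offer operator->
    using reference         = value_type;  // an input iterator may hand back the element by value

    explicit pair_input_iterator(const uint16_t *p = nullptr) : m_p(p) {}

    reference operator*() const { return value_type(m_p[0], m_p[1]); }
    pair_input_iterator &operator++()    { m_p += 2; return *this; }
    pair_input_iterator  operator++(int) { pair_input_iterator t(*this); m_p += 2; return t; }
    bool operator==(const pair_input_iterator &o) const { return m_p == o.m_p; }
    bool operator!=(const pair_input_iterator &o) const { return m_p != o.m_p; }

private:
    const uint16_t *m_p;
};

// Compile-time proof that the standard library sees exactly what it saw
// through the old base class.
static_assert(std::is_same<std::iterator_traits<pair_input_iterator>::value_type,
                           std::pair<uint16_t, uint16_t>>::value,
              "iterator_traits must report the pair as value_type");
static_assert(std::is_same<std::iterator_traits<pair_input_iterator>::iterator_category,
                           std::input_iterator_tag>::value,
              "iterator_traits must report the input iterator category");

// End of the pair range; a dangling trailing key with no value is ignored.
static const uint16_t *pairs_end(const std::vector<uint16_t> &flat)
{
    return flat.data() + (flat.size() & ~static_cast<size_t>(1));
}

// Gather all pairs with a standard algorithm (std::copy relies on iterator_traits).
std::vector<std::pair<uint16_t, uint16_t>> collect_pairs(const std::vector<uint16_t> &flat)
{
    std::vector<std::pair<uint16_t, uint16_t>> out;
    std::copy(pair_input_iterator(flat.data()),
              pair_input_iterator(pairs_end(flat)),
              std::back_inserter(out));
    return out;
}

// Number of pairs as counted by std::distance, which steps input iterators one at a time.
std::ptrdiff_t count_pairs(const std::vector<uint16_t> &flat)
{
    return std::distance(pair_input_iterator(flat.data()),
                         pair_input_iterator(pairs_end(flat)));
}
```

Because the typedefs are plain members, this compiles unchanged under -Werror with -Wdeprecated-declarations in a C++17 libc++ build like the one in the logs above, and std::copy and std::distance keep working because std::iterator_traits reads the five member types directly.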

Static builds (still) broken

A while ago I sent a PR to enable shared and static builds. This was rejected in favor of an alternative solution.

I now tried with the latest release but building with -DBUILD_SHARED_LIBS=OFF still doesn't work:

==> cmake . -DBUILD_SHARED_LIBS=OFF -DCMAKE_C_FLAGS_RELEASE=-DNDEBUG -DCMAKE_CXX_FLAGS_RELEASE=-DNDEBUG -DCMAKE_BUILD_TYPE=Release
Last 15 lines from /Users/jeroen/Library/Logs/Homebrew/graphite2/01.cmake:
-- Check size of size_t
-- Check size of size_t - done
-- Configuring done
CMake Error at Graphite.cmake:6 (add_test):
  Error evaluating generator expression:

    $<TARGET_SONAME_FILE:graphite2>

  TARGET_SONAME_FILE is allowed only for SHARED libraries.
Call Stack (most recent call first):
  src/CMakeLists.txt:152 (nolib_test)

set_property could not find CACHE variable CMAKE_BUILD_TYPE.

This happens when adding it as an external project in a multi-config generator.

The following fixes this:

if(NOT CMAKE_BUILD_TYPE)
    set(CMAKE_BUILD_TYPE Release CACHE STRING "" FORCE)
    message(STATUS "CMAKE_BUILD_TYPE is not specified, default to Release. Note that this is only relevant for single-configuration generators (such as Makefile Generators and Ninja).")
endif()

segfault in libgraphite2 graphite2::Slot::prev()

0x01 Description

In libgraphite2 version 1.3.11 and the master branch, a segmentation fault vulnerability was found in graphite2::Slot::prev(), which may allow attackers to cause a denial of service or possibly other impact via a crafted font file.

0x02 How to reproduce

This issue can be reproduced by the following command:
gr2fonttest $POC -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003

0x03 Debugging Information

gzq@ubuntu:~/fuzz/tmp/graphite/build/gr2fonttest$ gdb -q ./gr2fonttest
Reading symbols from ./gr2fonttest...done.
(gdb) r libgraphite2-segfault-graphite2::Slot::prev-1.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Starting program: /home/gzq/fuzz/tmp/graphite/build/gr2fonttest/gr2fonttest libgraphite2-segfault-graphite2::Slot::prev-1.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Text codes
1000	102f	103f	104f	105f	106f	107f	108f	109f	10af
10bf	10cf	10df	10ef	10ff	2000	2001	2002	2003	

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bc635e in graphite2::Slot::prev (this=<optimized out>, s=<optimized out>) at /home/gzq/fuzz/tmp/graphite/src/inc/Slot.h:88
88	    void prev(Slot *s) { m_prev = s; }
(gdb) bt
#0  0x00007ffff7bc635e in graphite2::Slot::prev (this=<optimized out>, s=<optimized out>) at /home/gzq/fuzz/tmp/graphite/src/inc/Slot.h:88
#1  graphite2::Segment::reverseSlots (this=this@entry=0x5555557800e0) at /home/gzq/fuzz/tmp/graphite/src/Segment.cpp:357
#2  0x00007ffff7bab2d2 in graphite2::Segment::finalise (reverse=true, font=0x555555771520, this=0x5555557800e0) at /home/gzq/fuzz/tmp/graphite/src/inc/Segment.h:213
#3  (anonymous namespace)::makeAndInitialize (dir=1, nChars=19, pStart=0x555555771570, enc=gr_utf8, pFeats=0x555555780080, script=0, face=<optimized out>, font=0x555555771520) at /home/gzq/fuzz/tmp/graphite/src/gr_segment.cpp:51
#4  gr_make_seg (font=0x555555771520, face=<optimized out>, script=<optimized out>, pFeats=0x555555780080, enc=gr_utf8, pStart=0x555555771570, nChars=19, dir=1) at /home/gzq/fuzz/tmp/graphite/src/gr_segment.cpp:105
#5  0x0000555555557109 in Parameters::testFileFont (this=0x7fffffffe220) at /home/gzq/fuzz/tmp/graphite/gr2fonttest/gr2FontTest.cpp:700
#6  0x0000555555555f98 in main (argc=29, argv=0x7fffffffe398) at /home/gzq/fuzz/tmp/graphite/gr2fonttest/gr2FontTest.cpp:810

For security reasons, the attached PoC file is encrypted with a password, which I have sent to you.

0x04 Author

This issue is reported by Ziqiang Gu from WeiRan Labs.

0x05 POC

libgraphite2-segfault-graphite2__Slot__prev-1.zip

What MPL license version?

src/inc/UtfCodec.h file states:

Alternatively, the contents of this file may be used under the terms of the
Mozilla Public License (http://mozilla.org/MPL)

But there are multiple MPL license versions. Which one do you have in mind? If the version does not matter to you (see #1), could you please add some clarification to the sources?

awamicmp{1,2,3} fail

Hi,

graphite 1.3.13 fails its tests for me. 1.3.12 works fine. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918685 and https://buildd.debian.org/status/package.php?p=graphite2&suite=experimental:

75/92 Test #75: awamicmp1 ........................***Failed    1.01 sec
43.1 Failed
57.1 Failed
160.1 Failed
162.1 Failed

      Start 76: awamicmp2
76/92 Test #76: awamicmp2 ........................***Failed    1.00 sec
43.1 Failed
57.1 Failed
160.1 Failed
162.1 Failed

      Start 77: awamicmp3
77/92 Test #77: awamicmp3 ........................***Failed    0.97 sec
160.1 Failed
161.1 Failed
162.1 Failed

(on a clean amd64 chroot, too)

I saw that 49fce46 updated the values. Reverting that commit makes the test pass for me...

The weird thing is that it builds fine in my "working" sid chroot with all kinds of other packages installed. Is that check expecting something present not checked for? Or some specific version?
But that also then would make the other font tests fail?

Any hint welcome..

Regards,

Rene

Making more features work with Graphite2

The Graphite technical overview has said:

Graphite2 represents a significant (10x) optimization in terms of speed and greatly improved robustness, but does not include a few features such as ligature component handling and cross-line-boundary contextualization.

Although the Graphite2 engine has made some breakthroughs in its history, the features not supported by Graphite2 would affect the advantages of Graphite2 and also cause some inconvenience for developers who want to convert from SilGraphite to Graphite2. To make better-quality text layout, Graphite2 should provide a solution for them.

null pointer dereference vulnerability in Segment()

0x01 Description

A null pointer dereference vulnerability was found in Segment.cpp, which may allow attackers to cause a denial of service or possibly have unspecified other impact via a crafted font type file.

0x02 How to reproduce

The issue can be reproduced by the following command:

**gr2fonttest $POCFILE -rtl -j 30 -cache -codes 1000**
Text codes
1000
Segmentation fault

0x03 Cause Analysis

The program failed to verify pointer m_silf in Segment():

gzq@ubuntu:~/fuzz/install/graphite/bin$ gdb -q ./gr2fonttest 
Reading symbols from ./gr2fonttest...done.
(gdb) r poc-libgraphite2-null-pointer-dereference.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Starting program: /home/gzq/fuzz/install/graphite/bin/gr2fonttest poc-libgraphite2-null-pointer-dereference.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Text codes
1000	102f	103f	104f	105f	106f	107f	108f	109f	10af
10bf	10cf	10df	10ef	10ff	2000	2001	2002	2003	

Program received signal SIGSEGV, Segmentation fault.
graphite2::Segment::Segment (this=0x555555846250, numchars=19, face=0x555555842480, script=0, textDir=1) at /home/gzq/fuzz/code/graphite/src/Segment.cpp:57
57	  m_passBits(m_silf->aPassBits() ? -1 : 0),
(gdb) print m_silf
**$1 = (const graphite2::Silf *) 0x0**

(gdb) bt
#0  graphite2::Segment::Segment (this=0x555555846250, numchars=19, face=0x555555842480, script=0, textDir=1) at /home/gzq/fuzz/code/graphite/src/Segment.cpp:57
#1  0x0000555555567ab5 in (anonymous namespace)::makeAndInitialize (dir=1, nChars=19, pStart=0x555555845c70, enc=gr_utf8, pFeats=0x555555845c00, script=<optimized out>, face=0x555555842480, font=0x5555558459d0) at /home/gzq/fuzz/code/graphite/src/gr_segment.cpp:43
#2  gr_make_seg (font=0x5555558459d0, face=0x555555842480, script=<optimized out>, pFeats=0x555555845c00, enc=gr_utf8, pStart=0x555555845c70, nChars=19, dir=1) at /home/gzq/fuzz/code/graphite/src/gr_segment.cpp:105
#3  0x0000555555559bf5 in Parameters::testFileFont (this=0x7fffffffe240) at /home/gzq/fuzz/code/graphite/gr2fonttest/gr2FontTest.cpp:691
#4  0x00005555555565bc in main (argc=29, argv=0x7fffffffe3b8) at /home/gzq/fuzz/code/graphite/gr2fonttest/gr2FontTest.cpp:801
(gdb) 

poc-libgraphite2-segment-null-pointer-dereference.zip

0x04 Author
Ziqiang Gu from WeiRan Labs
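As an added example (not the project's code and not the fix the maintainers shipped), a reduced model of the pattern behind this crash: the constructor dereferences the Silf table chosen for the requested script in its member-initializer list, before anything has checked whether the font has one, and the hardened version moves that check into the factory so a bad font yields a null segment instead of a SIGSEGV. `Silf`, `Face`, `Segment`, `UncheckedSegment` and `makeSegment` are simplified stand-ins, not graphite2's real types.

```cpp
#include <cstdint>
#include <memory>
#include <vector>

// Simplified stand-ins for graphite2's Silf, Face and Segment, constructed
// for this example; they are not the library's real types.
struct Silf {
    uint8_t passBits;                          // models Silf::aPassBits()
    uint8_t aPassBits() const { return passBits; }
};

struct Face {
    std::vector<Silf> silfs;                   // one Silf sub-table per script index
    // Returns nullptr when the font carries no Silf table for the script,
    // which is what a crafted or truncated font can make happen.
    const Silf* chooseSilf(uint32_t script) const {
        return script < silfs.size() ? &silfs[script] : nullptr;
    }
};

// VULNERABLE shape (mirrors the initializer at Segment.cpp:57 in the report):
// m_silf is dereferenced in the member-initializer list, so a null Silf
// crashes before any check in the constructor body could run.
struct UncheckedSegment {
    const Silf* m_silf;
    int         m_passBits;
    UncheckedSegment(const Face& face, uint32_t script)
        : m_silf(face.chooseSilf(script)),
          m_passBits(m_silf->aPassBits() ? -1 : 0) {}  // SIGSEGV when m_silf == nullptr
};

// HARDENED shape: the constructor can only be handed a real Silf, and the
// factory (the role makeAndInitialize() plays in gr_segment.cpp) refuses to
// build a segment when the font has none. Callers get nullptr, not a crash.
struct Segment {
    const Silf* m_silf;
    int         m_passBits;
    explicit Segment(const Silf& silf)
        : m_silf(&silf), m_passBits(silf.aPassBits() ? -1 : 0) {}
};

std::unique_ptr<Segment> makeSegment(const Face& face, uint32_t script) {
    const Silf* silf = face.chooseSilf(script);
    if (!silf)
        return nullptr;                        // the check the report says was missing
    return std::unique_ptr<Segment>(new Segment(*silf));
}

int main() {
    Face font;                                 // constructed font with no Silf table
    return makeSegment(font, 0) == nullptr ? 0 : 1;  // exit 0: the bad font was rejected
}
```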

Possible ABI break when updating graphite from 1.3.11 to 1.3.13

Hi!
In freedesktop-sdk we're trying to keep ABI compatibility when updating elements like graphite to new releases. In order to achieve this we use the libabigail tool to automate ABI compat checks. During the graphite update from 1.3.11 to 1.3.13 (we missed the 1.3.12 release) our tool produced the following complaint:

┌───────────────────────────────────────────┐
│ ABI Break: libgraphite2.so.3:libgraphite2 │
└───────────────────────────────────────────┘

Functions changes summary: 0 Removed, 1 Changed (10 filtered out), 0 Added functions
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable

1 function with some indirect sub-type change:

  [C]'function gr_segment* gr_make_seg(const gr_font*, const gr_face*, gr_uint32, const gr_feature_val*, gr_encform, void*, size_t, int)' at gr_segment.cpp:103:1 has some indirect sub-type changes:
    return type changed:
      in pointed to type 'typedef gr_segment' at Segment.h:181:1:
        underlying type 'struct gr_segment' at Segment.h:247:1 changed:
          type size changed from 1536 to 1600 (in bits)
          1 base class change:
            'class graphite2::Segment' at Segment.h:81:1 changed:
              type size changed from 1536 to 1600 (in bits)
              7 data member changes:
               type of 'unsigned int graphite2::Segment::m_bufSize' changed:
                 entity changed from 'unsigned int' to compatible type 'typedef size_t' at stddef.h:216:1
                   type name changed from 'unsigned int' to 'unsigned long int'
                   type size changed from 32 to 64 (in bits)

               type of 'unsigned int graphite2::Segment::m_numGlyphs' changed:
                 entity changed from 'unsigned int' to compatible type 'typedef size_t' at stddef.h:216:1
                   type name changed from 'unsigned int' to 'unsigned long int'
                   type size changed from 32 to 64 (in bits)
               and offset changed from 1376 to 1408 (in bits) (by +32 bits)
               type of 'unsigned int graphite2::Segment::m_numCharinfo' changed:
                 entity changed from 'unsigned int' to compatible type 'typedef size_t' at stddef.h:216:1
                   type name changed from 'unsigned int' to 'unsigned long int'
                   type size changed from 32 to 64 (in bits)
               and offset changed from 1408 to 1472 (in bits) (by +64 bits)
               type of 'unsigned int graphite2::Segment::m_passBits' changed:
                 entity changed from 'unsigned int' to compatible type 'typedef graphite2::uint8' at Main.h:38:1
                   type name changed from 'unsigned int' to 'unsigned char'
                   type size changed from 32 to 8 (in bits)
               and offset changed from 1440 to 1584 (in bits) (by +144 bits)
               'int graphite2::Segment::m_defaultOriginal' offset changed from 1472 to 1536 (in bits) (by +64 bits)
               'graphite2::int8 graphite2::Segment::m_dir' offset changed from 1504 to 1568 (in bits) (by +64 bits)
               'graphite2::uint8 graphite2::Segment::m_flags' offset changed from 1512 to 1576 (in bits) (by +64 bits)

As part of our discussion about what to do with that, we would like to ask your opinion on the matter. In particular, I wanted to ask whether the reported change was intentional and whether it is safe for backward compatibility, i.e. whether the above report is a false positive. I would be grateful if you can find time to respond. Thank you.
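An added example, not from the report or the project: two reduced models of the tail of graphite2::Segment, built only from the libabigail output above, that reproduce every reported offset and the 1536 to 1600 bit growth on an LP64 target such as x86-64 Linux. Assumptions: the 168-byte `head` stands in for the unchanged members before m_bufSize, and the reported offset 1584 is what places the shrunken m_passBits after m_flags.

```cpp
#include <cstddef>
#include <cstdint>

// Model of the tail of graphite2::Segment before and after the 1.3.11 -> 1.3.13
// change, rebuilt only from the libabigail report (constructed for this
// example; not the library's real class). `head` stands in for the members
// that precede m_bufSize and were not reported as changed; the offsets hold
// on LP64 targets such as x86-64 Linux.
namespace abi_1_3_11 {
struct Segment {
    unsigned char head[168];          // 1344 bits of unchanged members
    unsigned int  m_bufSize;
    unsigned int  m_numGlyphs;        // report: offset 1376 bits
    unsigned int  m_numCharinfo;      // report: offset 1408 bits
    unsigned int  m_passBits;         // report: offset 1440 bits
    int           m_defaultOriginal;  // report: offset 1472 bits
    int8_t        m_dir;              // report: offset 1504 bits
    uint8_t       m_flags;            // report: offset 1512 bits
};
}  // namespace abi_1_3_11

namespace abi_1_3_13 {
struct Segment {
    unsigned char head[168];
    size_t        m_bufSize;          // widened unsigned int -> size_t
    size_t        m_numGlyphs;        // report: offset 1408 bits
    size_t        m_numCharinfo;      // report: offset 1472 bits
    int           m_defaultOriginal;  // report: offset 1536 bits
    int8_t        m_dir;              // report: offset 1568 bits
    uint8_t       m_flags;            // report: offset 1576 bits
    uint8_t       m_passBits;         // shrunk to uint8; offset 1584 puts it last
};
}  // namespace abi_1_3_13

constexpr long bits(size_t bytes) { return static_cast<long>(bytes) * 8; }

// Every number libabigail printed is reproduced by the two models.
static_assert(bits(sizeof(abi_1_3_11::Segment)) == 1536, "old type size");
static_assert(bits(offsetof(abi_1_3_11::Segment, m_numGlyphs))       == 1376, "");
static_assert(bits(offsetof(abi_1_3_11::Segment, m_numCharinfo))     == 1408, "");
static_assert(bits(offsetof(abi_1_3_11::Segment, m_passBits))        == 1440, "");
static_assert(bits(offsetof(abi_1_3_11::Segment, m_defaultOriginal)) == 1472, "");
static_assert(bits(offsetof(abi_1_3_11::Segment, m_dir))             == 1504, "");
static_assert(bits(offsetof(abi_1_3_11::Segment, m_flags))           == 1512, "");
static_assert(bits(sizeof(abi_1_3_13::Segment)) == 1600, "new type size");
static_assert(bits(offsetof(abi_1_3_13::Segment, m_numGlyphs))       == 1408, "");
static_assert(bits(offsetof(abi_1_3_13::Segment, m_numCharinfo))     == 1472, "");
static_assert(bits(offsetof(abi_1_3_13::Segment, m_defaultOriginal)) == 1536, "");
static_assert(bits(offsetof(abi_1_3_13::Segment, m_dir))             == 1568, "");
static_assert(bits(offsetof(abi_1_3_13::Segment, m_flags))           == 1576, "");
static_assert(bits(offsetof(abi_1_3_13::Segment, m_passBits))        == 1584, "");

// Deltas in bits, in the form libabigail reports them ("by +N bits").
struct LayoutDelta {
    long size, numGlyphs, numCharinfo, passBits, defaultOriginal, dir, flags;
};

LayoutDelta segmentLayoutDelta() {
    using Old = abi_1_3_11::Segment;
    using New = abi_1_3_13::Segment;
    return {
        bits(sizeof(New)) - bits(sizeof(Old)),
        bits(offsetof(New, m_numGlyphs))       - bits(offsetof(Old, m_numGlyphs)),
        bits(offsetof(New, m_numCharinfo))     - bits(offsetof(Old, m_numCharinfo)),
        bits(offsetof(New, m_passBits))        - bits(offsetof(Old, m_passBits)),
        bits(offsetof(New, m_defaultOriginal)) - bits(offsetof(Old, m_defaultOriginal)),
        bits(offsetof(New, m_dir))             - bits(offsetof(Old, m_dir)),
        bits(offsetof(New, m_flags))           - bits(offsetof(Old, m_flags)),
    };
}
```

Whether the growth is an ABI break for a given consumer depends on whether it ever sees the layout: a caller that only holds the gr_segment* returned by gr_make_seg does not, while code that allocated or embedded the struct by value against the old headers would read the wrong bytes.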

Partial graphite support

I'm not sure where to get support with this so I'm opening this issue.
I have a version of electron that has been compiled with graphite. See https://github.com/unfoldingWord-dev/electronite

Two out of three test on this page work. I'm trying to figure out why the Padauk font is not working.

Is there something so different about the Padauk font that would cause it to not render correctly when the Awami nastaliq font works?

Simple test works


Awami Nastaliq demo works


Padauk demo does not work


fnttxtrender doesn't work with python3

Hi,

in Debian we (temporarily) lost the python2 module for fonttools (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876439).

As said there, this resulted in graphite2s testsuite failing miserably, since it of course can't find its

from fontTools.ttLib import TTFont

import anymore. See
https://buildd.debian.org/status/logs.php?pkg=graphite2&ver=1.3.10-3&suite=sid.

(Now the python2 module is back, but let's ignore this for this issues sake.)

So we needed to migrate it to python3. I started with it and Mattia thankfully completed it.

See
https://anonscm.debian.org/cgit/pkg-openoffice/graphite2.git/tree/debian/patches/testsuite-python3.diff. With that patch it builds with python3 (but probably will not work with python2...)

Do you want/need to keep python2 compat? Or could this just be applied as-is, requiring python3?

Regards,

Rene

Graphite Fails to Compile in recent Electronite version 22 - arithmetic between different enumeration types ('status_t' and 'graphite2::errors') is deprecated

Electronite is a fork of Electron that adds Graphite support. And starting with Electron v22.0.0 (https://github.com/unfoldingWord/electronite/tree/electronite-v22.0.0-beta), graphite fails to compile in the Electron Build environment. There are three lines in:

../../third_party/graphite/graphite2/src/Pass.cpp:197:92: error: arithmetic between different enumeration types ('status_t' and 'graphite2::errors') is deprecated [-Werror,-Wdeprecated-enum-enum-conversion]

It appears that starting in Electron v22, the build environment has changed so that this has been escalated from a build warning to an error.

Found this article addressing the issue: https://learn.microsoft.com/en-us/cpp/error-messages/compiler-warnings/c5054?view=msvc-170

Created a patch to handle this (as well as the std::iterator deprecated error mentioned in #76):

diff --git a/src/GlyphCache.cpp b/src/GlyphCache.cpp
index 282bdc18..336de3f1 100644
--- a/src/GlyphCache.cpp
+++ b/src/GlyphCache.cpp
@@ -44,12 +44,18 @@ namespace
     // variable length structures.
 
     template<typename W>
-    class _glat_iterator : public std::iterator<std::input_iterator_tag, std::pair<sparse::key_type, sparse::mapped_type> >
+    class _glat_iterator
     {
         unsigned short  key() const             { return uint16(be::peek<W>(_e) + _n); }
         unsigned int    run() const             { return be::peek<W>(_e+sizeof(W)); }
         void            advance_entry()         { _n = 0; _e = _v; be::skip<W>(_v,2); }
     public:
+        using iterator_category = std::input_iterator_tag;
+        using value_type = std::pair<sparse::key_type, sparse::mapped_type>;
+        using difference_type = std::pair<sparse::key_type, sparse::mapped_type>;
+        using pointer = std::pair<sparse::key_type, sparse::mapped_type>*;
+        using reference = std::pair<sparse::key_type, sparse::mapped_type>&;
+        
         _glat_iterator(const void * glat=0) : _e(reinterpret_cast<const byte *>(glat)), _v(_e+2*sizeof(W)), _n(0) {}
 
         _glat_iterator<W> & operator ++ () {
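Review bot: the new `difference_type` alias is wrong: it is set to `std::pair<sparse::key_type, sparse::mapped_type>`, the same type as `value_type`, whereas the `std::iterator` base being removed defaulted it to `ptrdiff_t` (the MSVC instantiation quoted elsewhere in this thread shows `std::iterator<std::input_iterator_tag, std::pair<...>, ptrdiff_t, ...>`). `std::iterator_traits` and any distance-style arithmetic will now see a non-integral difference type. Suggest `using difference_type = std::ptrdiff_t;` (with `#include <cstddef>` if it is not already available), and drop the whitespace-only line added after the aliases.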
diff --git a/src/Pass.cpp b/src/Pass.cpp
index db31c22d..c744bcbc 100644
--- a/src/Pass.cpp
+++ b/src/Pass.cpp
@@ -194,7 +194,7 @@ bool Pass::readPass(const byte * const pass_start, size_t pass_length, size_t su
         m_cPConstraint = vm::Machine::Code(true, pcCode, pcCode + pass_constraint_len,
                                   precontext[0], be::peek<uint16>(sort_keys), *m_silf, face, PASS_TYPE_UNKNOWN);
         if (e.test(!m_cPConstraint, E_OUTOFMEM)
-                || e.test(m_cPConstraint.status() != Code::loaded, m_cPConstraint.status() + E_CODEFAILURE))
+                || e.test(m_cPConstraint.status() != Code::loaded, m_cPConstraint.status() + static_cast<int> (E_CODEFAILURE)))
             return face.error(e);
         face.error_context(face.error_context() - 1);
     }
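Review bot: the cast silences the enum-plus-enum warning, but the expression still adds a `status_t` to an `int` inline, and the same spelling (`static_cast<int> (E_CODEFAILURE)`, with a space before the parenthesis) is repeated at every call site in this patch. A small helper such as `static inline int code_error(status_t s) { return static_cast<int>(s) + static_cast<int>(E_CODEFAILURE); }` would document once why a status is offset into the error range and make the type passed to `e.test` explicit. Also worth confirming that `e.test` accepts an `int` as its second argument; otherwise the cast only moves the implicit conversion.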
@@ -266,8 +266,8 @@ bool Pass::readRules(const byte * rule_map, const size_t num_entries,
         r->constraint = new (m_codes+n*2-1) vm::Machine::Code(true,  rc_begin, rc_end, r->preContext, r->sort, *m_silf, face, pt, &prog_pool_free);
 
         if (e.test(!r->action || !r->constraint, E_OUTOFMEM)
-                || e.test(r->action->status() != Code::loaded, r->action->status() + E_CODEFAILURE)
-                || e.test(r->constraint->status() != Code::loaded, r->constraint->status() + E_CODEFAILURE)
+                || e.test(r->action->status() != Code::loaded, r->action->status() + static_cast<int> (E_CODEFAILURE))
+                || e.test(r->constraint->status() != Code::loaded, r->constraint->status() + static_cast<int> (E_CODEFAILURE))
                 || e.test(!r->constraint->immutable(), E_MUTABLECCODE))
             return face.error(e);
     }
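Review bot: both changed lines carry the same `static_cast<int> (E_CODEFAILURE)` cast with the nonstandard spacing, and `r->action->status()` and `r->constraint->status()` are each evaluated twice in the same condition. Consider computing each status into a local and factoring `status + static_cast<int>(E_CODEFAILURE)` into one helper shared with readPass, so the intent is stated in one place and the formatting matches the surrounding code.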

Cmake versions and deprecation warnings

building with cmake 3.22.1 (to target jammy in our next toolchain), I just noticed a few deprecation warnings:

CMake Deprecation Warning at CMakeLists.txt:1 (CMAKE_MINIMUM_REQUIRED):
Compatibility with CMake < 2.8.12 will be removed from a future version of CMake.

Update the VERSION argument value or use a ... suffix to tell
CMake that the project does not need compatibility with older versions.

Focal (current version of our toolchain) is at 3.16.3.

Remove the workaround for llvm.39241?

I notice that direct_machine.cpp has a workaround for llvm.39241:

// In this file, &&foo is used in a static variable initializer, and it's not
// entirely clear whether this should prevent inlining of the function or not.
// In practice, though, clang 7 can end up inlining the function with ThinLTO,
// which breaks at least is_return. https://bugs.llvm.org/show_bug.cgi?id=39241
// So all in all, we need at least the noinline attribute. noclone
// is not supported by clang.
__attribute__((noinline))
const void * direct_run(const bool get_table_mode,
                        const instr * program,
                        const byte * data,
                        Machine::stack_t * stack,
                        slotref * & __map,
                        uint8 _dir,
                        Machine::status_t & status,
                        SlotMap * __smap=0)

This compiler bug is already marked as fixed: https://bugs.llvm.org/show_bug.cgi?id=39241

Shall the above workaround be removed?

Support italic feature

Does Graphite have this support? If so, any font would be allowed to add an italic variant even if the font has a single face.

Deprecation warnings when building with VS 2019 with `/std:c++17`

This was observed downstream in godotengine/godot#66497.

The following warnings are raised by VS 2019 / MSVC 14.29.30133 when building graphite with /std:c++17.
I know that graphite's CMake config specify C++11 standard, but in Godot downstream we build everything against C++17.

We're just going to silence that warning downstream (godotengine/godot#66534), but I figured you might be interested in knowing about it to improve forward compatibility with future standards (if this can be fixed easily while still targeting C++11).

cl /Fothirdparty\graphite\src\Segment.windows.tools.x86_64.obj /c thirdparty\graphite\src\Segment.cpp /TP /w /std:c++17 /nologo /Zi /FS /Od /EHsc /MT /Gd /GR /utf-8 /bigobj /wd4267 /wd4244 /wd4305 /wd4018 /wd4800 /EHsc /w -DGRAPHITE2_STATIC -DGRAPHITE2_NTRACING -DGRAPHITE2_NFILEFACE /DDEBUG_ENABLED /DDEV_ENABLED /DNO_EDITOR_SPLASH /DWINDOWS_ENABLED /DWASAPI_ENABLED /DWINMIDI_ENABLED /DTYPED_METHOD_BIND /DWIN32 /DMSVC /DWINVER=0x0601 /D_WIN32_WINNT=0x0601 /DNOMINMAX /D_WIN64 /DVULKAN_ENABLED /DGLES3_ENABLED /DTOOLS_ENABLED /DMINIZIP_ENABLED /DZSTD_STATIC_LINKING_ONLY /DUSE_VOLK /DVK_USE_PLATFORM_WIN32_KHR /DGLAD_ENABLED /DGLES_OVER_GL /Ithirdparty\graphite\src /Ithirdparty\graphite\include /Ithirdparty\libpng /Ithirdparty\glad /Ithirdparty\volk /Ithirdparty\vulkan /Ithirdparty\vulkan\include /Ithirdparty\zstd /Ithirdparty\zlib /Iplatform\windows /I.
Position.cpp
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30133\include\xutility(1169): warning C4996: 'std::iterator<std::input_iterator_tag,std::pair<graphite2::sparse::key_type,graphite2::sparse::mapped_type>,ptrdiff_t,std::pair<graphite2::sparse::key_type,graphite2::sparse::mapped_type> *,std::pair<graphite2::sparse::key_type,graphite2::sparse::mapped_type> &>::iterator_category': warning STL4015: The std::iterator class template (used as a base class to provide typedefs) is deprecated in C++17. (The <iterator> header is NOT deprecated.) The C++ Standard has never required user-defined iterators to derive from std::iterator. To fix this warning, stop deriving from std::iterator and start providing publicly accessible typedefs named iterator_category, value_type, difference_type, pointer, and reference. Note that value_type is required to be non-const, even for constant iterators. You can define _SILENCE_CXX17_ITERATOR_BASE_CLASS_DEPRECATION_WARNING or _SILENCE_ALL_CXX17_DEPRECATION_WARNINGS to acknowledge that you have received this warning.
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30133\include\xutility(1189): note: see reference to class template instantiation 'std::_Iterator_traits_base<_Iter,void>' being compiled
        with
        [
            _Iter=`anonymous-namespace'::glat_iterator
        ]
C:\Users\Remi\Documents\Godot\godot.git\thirdparty\graphite\src\inc/Sparse.h(106): note: see reference to class template instantiation 'std::iterator_traits<I>' being compiled
        with
        [
            I=`anonymous-namespace'::glat_iterator
        ]
C:\Users\Remi\Documents\Godot\godot.git\thirdparty\graphite\src\inc/GlyphFace.h(75): note: see reference to function template instantiation 'graphite2::sparse::sparse<I>(I,const I)' being compiled
        with
        [
            I=`anonymous-namespace'::glat_iterator
        ]
thirdparty\graphite\src\GlyphCache.cpp(420): note: see reference to function template instantiation 'graphite2::GlyphFace::GlyphFace<`anonymous-namespace'::glat_iterator>(const graphite2::Rect &,const graphite2::Position &,I,const I)' being compiled
        with
        [
            I=`anonymous-namespace'::glat_iterator
        ]
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30133\include\xutility(1170): warning C4996: 'std::iterator<std::input_iterator_tag,std::pair<graphite2::sparse::key_type,graphite2::sparse::mapped_type>,ptrdiff_t,std::pair<graphite2::sparse::key_type,graphite2::sparse::mapped_type> *,std::pair<graphite2::sparse::key_type,graphite2::sparse::mapped_type> &>::value_type': warning STL4015: The std::iterator class template (used as a base class to provide typedefs) is deprecated in C++17. (The <iterator> header is NOT deprecated.) The C++ Standard has never required user-defined iterators to derive from std::iterator. To fix this warning, stop deriving from std::iterator and start providing publicly accessible typedefs named iterator_category, value_type, difference_type, pointer, and reference. Note that value_type is required to be non-const, even for constant iterators. You can define _SILENCE_CXX17_ITERATOR_BASE_CLASS_DEPRECATION_WARNING or _SILENCE_ALL_CXX17_DEPRECATION_WARNINGS to acknowledge that you have received this warning.
Segment.cpp
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30133\include\xutility(1171): warning C4996: 'std::iterator<std::input_iterator_tag,std::pair<graphite2::sparse::key_type,graphite2::sparse::mapped_type>,ptrdiff_t,std::pair<graphite2::sparse::key_type,graphite2::sparse::mapped_type> *,std::pair<graphite2::sparse::key_type,graphite2::sparse::mapped_type> &>::difference_type': warning STL4015: The std::iterator class template (used as a base class to provide typedefs) is deprecated in C++17. (The <iterator> header is NOT deprecated.) The C++ Standard has never required user-defined iterators to derive from std::iterator. To fix this warning, stop deriving from std::iterator and start providing publicly accessible typedefs named iterator_category, value_type, difference_type, pointer, and reference. Note that value_type is required to be non-const, even for constant iterators. You can define _SILENCE_CXX17_ITERATOR_BASE_CLASS_DEPRECATION_WARNING or _SILENCE_ALL_CXX17_DEPRECATION_WARNINGS to acknowledge that you have received this warning.
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30133\include\xutility(1172): warning C4996: 'std::iterator<std::input_iterator_tag,std::pair<graphite2::sparse::key_type,graphite2::sparse::mapped_type>,ptrdiff_t,std::pair<graphite2::sparse::key_type,graphite2::sparse::mapped_type> *,std::pair<graphite2::sparse::key_type,graphite2::sparse::mapped_type> &>::pointer': warning STL4015: The std::iterator class template (used as a base class to provide typedefs) is deprecated in C++17. (The <iterator> header is NOT deprecated.) The C++ Standard has never required user-defined iterators to derive from std::iterator. To fix this warning, stop deriving from std::iterator and start providing publicly accessible typedefs named iterator_category, value_type, difference_type, pointer, and reference. Note that value_type is required to be non-const, even for constant iterators. You can define _SILENCE_CXX17_ITERATOR_BASE_CLASS_DEPRECATION_WARNING or _SILENCE_ALL_CXX17_DEPRECATION_WARNINGS to acknowledge that you have received this warning.
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30133\include\xutility(1173): warning C4996: 'std::iterator<std::input_iterator_tag,std::pair<graphite2::sparse::key_type,graphite2::sparse::mapped_type>,ptrdiff_t,std::pair<graphite2::sparse::key_type,graphite2::sparse::mapped_type> *,std::pair<graphite2::sparse::key_type,graphite2::sparse::mapped_type> &>::reference': warning STL4015: The std::iterator class template (used as a base class to provide typedefs) is deprecated in C++17. (The <iterator> header is NOT deprecated.) The C++ Standard has never required user-defined iterators to derive from std::iterator. To fix this warning, stop deriving from std::iterator and start providing publicly accessible typedefs named iterator_category, value_type, difference_type, pointer, and reference. Note that value_type is required to be non-const, even for constant iterators. You can define _SILENCE_CXX17_ITERATOR_BASE_CLASS_DEPRECATION_WARNING or _SILENCE_ALL_CXX17_DEPRECATION_WARNINGS to acknowledge that you have received this warning.

Critical memory corruption vulnerability found in graphite2::Slot::operator()

0x01 Description

In libgraphite2 version 1.3.11 and the master branch, a critical memory corruption vulnerability was found in graphite2::Slot::operator(), which may allow attackers to cause a denial of service or possibly execute arbitrary code via a crafted font type file.

0x02 How to reproduce

This issue can be reproduced by the following command:
gr2fonttest $POC -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003

0x03 Debugging Information

gzq@ubuntu:~/tmp/graphite/build/gr2fonttest$ gdb -q ./gr2fonttest
Reading symbols from ./gr2fonttest...done.
(gdb) r libgraphite2-corrupted-size-or-prev_size-0x70e94-1.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Starting program: /home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest libgraphite2-corrupted-size-or-prev_size-0x70e94-1.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Text codes
1000	102f	103f	104f	105f	106f	107f	108f	109f	10af
10bf	10cf	10df	10ef	10ff	2000	2001	2002	2003	
*** Error in `/home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest': corrupted size vs. prev_size: 0x00005555557ce690 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x790cb)[0x7ffff74cf0cb]
/lib/x86_64-linux-gnu/libc.so.6(+0x81507)[0x7ffff74d7507]
/lib/x86_64-linux-gnu/libc.so.6(+0x8468f)[0x7ffff74da68f]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7ffff74dc9e4]
/home/gzq/tmp/graphite/build/src/libgraphite2.so.3(+0x28ea5)[0x7ffff7bcdea5]
/home/gzq/tmp/graphite/build/src/libgraphite2.so.3(+0x28842)[0x7ffff7bcd842]
/home/gzq/tmp/graphite/build/src/libgraphite2.so.3(+0x6b85)[0x7ffff7babb85]
/home/gzq/tmp/graphite/build/src/libgraphite2.so.3(gr_make_seg+0xc3)[0x7ffff7bab213]
/home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest(_ZNK10Parameters12testFileFontEv+0x839)[0x555555557109]
/home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest(main+0x268)[0x555555555f98]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7ffff74763f1]
/home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest(_start+0x2a)[0x555555555fea]

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
58	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007ffff748d3ea in __GI_abort () at abort.c:89
#2  0x00007ffff74cf0d0 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff75e4f80 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff74d7507 in malloc_printerr (ar_ptr=0x7ffff7817b00 <main_arena>, ptr=0x5555557ce690, str=0x7ffff75e1ade "corrupted size vs. prev_size", action=3) at malloc.c:5048
#4  malloc_consolidate (av=av@entry=0x7ffff7817b00 <main_arena>) at malloc.c:4220
#5  0x00007ffff74da68f in _int_malloc (av=av@entry=0x7ffff7817b00 <main_arena>, bytes=bytes@entry=3200) at malloc.c:3487
#6  0x00007ffff74dc9e4 in __GI___libc_malloc (bytes=3200) at malloc.c:2927
#7  0x00007ffff7bcdea5 in graphite2::gralloc<unsigned char> (n=3200) at /home/gzq/tmp/graphite/src/inc/Main.h:134
#8  graphite2::Slot::operator new[] (size=3200) at /home/gzq/tmp/graphite/src/inc/Slot.h:139
#9  graphite2::SegCacheEntry::SegCacheEntry (this=0x5555557cffe8, cmapGlyphs=<optimized out>, length=5, seg=0x555555780380, charOffset=7, cacheTime=0) at /home/gzq/tmp/graphite/src/SegCacheEntry.cpp:63
#10 0x00007ffff7bcd842 in graphite2::SegCachePrefixEntry::cache (totalAccessCount=0, charOffset=7, seg=0x555555780380, length=5, cmapGlyphs=0x7fffffffe010, this=0x5555557cd720) at /home/gzq/tmp/graphite/src/inc/SegCache.h:138
#11 graphite2::SegCache::cache (this=this@entry=0x5555557cb9d0, store=<optimized out>, cmapGlyphs=cmapGlyphs@entry=0x7fffffffe010, length=length@entry=5, seg=seg@entry=0x555555780380, charOffset=charOffset@entry=7) at /home/gzq/tmp/graphite/src/SegCache.cpp:139
#12 0x00007ffff7babb85 in graphite2::CachedFace::runGraphite (this=0x55555576d4b0, seg=<optimized out>, pSilf=<optimized out>) at /home/gzq/tmp/graphite/src/CachedFace.cpp:107
#13 0x00007ffff7bab213 in graphite2::Segment::runGraphite (this=0x555555780380) at /home/gzq/tmp/graphite/src/inc/Segment.h:97
#14 (anonymous namespace)::makeAndInitialize (dir=1, nChars=19, pStart=0x5555557719c0, enc=gr_utf8, pFeats=0x555555771a20, script=0, face=0x55555576d4b0, font=0x555555771580) at /home/gzq/tmp/graphite/src/gr_segment.cpp:46
#15 gr_make_seg (font=0x555555771580, face=0x55555576d4b0, script=<optimized out>, pFeats=0x555555771a20, enc=gr_utf8, pStart=0x5555557719c0, nChars=19, dir=1) at /home/gzq/tmp/graphite/src/gr_segment.cpp:105
#16 0x0000555555557109 in Parameters::testFileFont (this=0x7fffffffe210) at /home/gzq/tmp/graphite/gr2fonttest/gr2FontTest.cpp:700
#17 0x0000555555555f98 in main (argc=29, argv=0x7fffffffe388) at /home/gzq/tmp/graphite/gr2fonttest/gr2FontTest.cpp:810

For security consideration, the poc file attached is encrypted with a password which I have sent to you.

0x04 Author

This issue is reported by Ziqiang Gu from WeiRan Labs.

0x05 POC

libgraphite2-corrupted-size-or-prev_size-0x70e94-1.zip

segfault in libgraphite2 graphite2::Segment::removeScope()

0x01 Description

In libgraphite2 version 1.3.11 and the master branch, a segmentation fault vulnerability was found in graphite2::Segment::removeScope(), which may allow attackers to cause a denial of service or possibly other impact via a crafted font type file.

0x02 How to reproduce

This issue can be reproduced by the following command:
gr2fonttest $POC -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003

0x03 Debugging Information

gzq@ubuntu:~/tmp/graphite/build/gr2fonttest$ gdb -q ./gr2fonttest
Reading symbols from ./gr2fonttest...done.
(gdb) r libgraphite2-segfault-graphite2::Segment::removeScope-1.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Starting program: /home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest libgraphite2-segfault-graphite2::Segment::removeScope-1.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Text codes
1000	102f	103f	104f	105f	106f	107f	108f	109f	10af
10bf	10cf	10df	10ef	10ff	2000	2001	2002	2003	

Program received signal SIGSEGV, Segmentation fault.
graphite2::Segment::removeScope (this=this@entry=0x555555780100, state=...) at /home/gzq/tmp/graphite/src/Segment.cpp:105
105	        m_first->prev(state.slotBeforeScope);
(gdb) print m_first
$1 = (graphite2::Slot *) 0x0
(gdb) bt
#0  graphite2::Segment::removeScope (this=this@entry=0x555555780100, state=...) at /home/gzq/tmp/graphite/src/Segment.cpp:105
#1  0x00007ffff7babb95 in graphite2::CachedFace::runGraphite (this=0x55555576d4b0, seg=<optimized out>, pSilf=<optimized out>) at /home/gzq/tmp/graphite/src/CachedFace.cpp:109
#2  0x00007ffff7bab213 in graphite2::Segment::runGraphite (this=0x555555780100) at /home/gzq/tmp/graphite/src/inc/Segment.h:97
#3  (anonymous namespace)::makeAndInitialize (dir=1, nChars=19, pStart=0x555555771570, enc=gr_utf8, pFeats=0x5555557800a0, script=0, face=0x55555576d4b0, font=0x555555771520) at /home/gzq/tmp/graphite/src/gr_segment.cpp:46
#4  gr_make_seg (font=0x555555771520, face=0x55555576d4b0, script=<optimized out>, pFeats=0x5555557800a0, enc=gr_utf8, pStart=0x555555771570, nChars=19, dir=1) at /home/gzq/tmp/graphite/src/gr_segment.cpp:105
#5  0x0000555555557109 in Parameters::testFileFont (this=0x7fffffffe210) at /home/gzq/tmp/graphite/gr2fonttest/gr2FontTest.cpp:700
#6  0x0000555555555f98 in main (argc=29, argv=0x7fffffffe388) at /home/gzq/tmp/graphite/gr2fonttest/gr2FontTest.cpp:810
(gdb) 

For security reasons, the attached PoC file is encrypted with a password, which I have sent to you.

0x04 Author

This issue is reported by Ziqiang Gu from WeiRan Labs.

0x05 POC

libgraphite2-segfault-graphite2__Segment__removeScope-1.zip
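The reproduction steps in the reports above are all of the same shape: run gr2fonttest on a PoC font with a fixed set of flags and see which way it dies (a SIGSEGV on a null m_first here, a glibc "corrupted size vs. prev_size" abort in the previous report). The script below is an added example, not part of graphite or of the reports, for triaging a directory of such fonts in one pass. It assumes gr2fonttest is on PATH, that GNU timeout is available for the hang case (it degrades to running the command unbounded otherwise), and a 10 second budget per font; the code points are the ones from the report above.

```sh
#!/bin/sh
# Added example, not graphite's own tooling: run a PoC reproducer such as
#   gr2fonttest "$POC" -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f ...
# under a time budget and classify how it died, so a batch of reported
# font files can be triaged without stepping through each one in gdb.

# Seconds a single reproducer may run before it counts as a hang (assumed value).
BUDGET=${BUDGET:-10}

# run_with_budget CMD...: run CMD, using GNU timeout when available.
# With timeout, a hang yields status 124; a signal death still yields
# 128+signo, exactly as the shell reports it without timeout.
run_with_budget() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "$BUDGET" "$@"
    else
        "$@"
    fi
}

# classify_crash CMD...: print a one-word verdict for how CMD ended.
#   ok | timeout | segv | abort | bus | fpe | exit:N
classify_crash() {
    if run_with_budget "$@" >/dev/null 2>&1; then
        crash_rc=0
    else
        crash_rc=$?
    fi
    case $crash_rc in
        0)   echo ok ;;
        124) echo timeout ;;
        139) echo segv ;;    # 128 + SIGSEGV (11): e.g. the null m_first deref above
        134) echo abort ;;   # 128 + SIGABRT (6): e.g. glibc "corrupted size vs. prev_size"
        135) echo bus ;;     # 128 + SIGBUS (7)
        136) echo fpe ;;     # 128 + SIGFPE (8)
        *)   echo "exit:$crash_rc" ;;
    esac
}

# triage_fonts DIR: run every .ttf in DIR through gr2fonttest with the
# flags and code points from the report above; print "verdict<TAB>file".
# Assumes gr2fonttest is on PATH.
triage_fonts() {
    for poc in "$1"/*.ttf; do
        [ -e "$poc" ] || continue
        verdict=$(classify_crash gr2fonttest "$poc" -rtl -j 30 -cache -bytes 1 -noprint \
            -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af \
                   10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003)
        printf '%s\t%s\n' "$verdict" "$poc"
    done
}

# Demonstration on constructed commands that need no font at all:
classify_crash true                          # ok
classify_crash sh -c 'kill -s SEGV $$'       # segv
classify_crash sh -c 'kill -s ABRT $$'       # abort
```

Run it as `triage_fonts /path/to/pocs` after sourcing the file; the verdicts sort naturally with `sort`, so the segv/abort lines can be pulled out for a closer look in gdb while the ok/exit:N ones are set aside.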

jsontestOutput newline issue

If one is running the tests on win32, the newline style will default to CRLF, which is likely to make them fail depending on how the git repository was checked out.
Since CMake 3.14, the --ignore-eol option can be used.
For earlier versions, some scripting is needed.
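What that scripting looks like, as an added example that is not part of graphite's test suite: a POSIX sh function with the same contract as `cmake -E compare_files --ignore-eol EXPECTED ACTUAL` (exit 0 on match, non-zero otherwise), usable from a test driver on CMake older than 3.14. The sample files it is demonstrated on are constructed here and are not real jsontest output.

```sh
#!/bin/sh
# Added example, not part of graphite's own test scripts: compare a test's
# generated output with its expected file while treating CRLF and LF line
# endings as equal. From CMake 3.14 this is
#   cmake -E compare_files --ignore-eol EXPECTED ACTUAL
# and the function below is the equivalent for older CMake.

# compare_ignore_eol EXPECTED ACTUAL
# Returns 0 when the files are byte-identical after a trailing "\r" is
# removed from every line, 1 otherwise (2 if a temp file cannot be made).
# Only a CR immediately before the newline is dropped, so a stray CR in
# the middle of a line still counts as a difference.
compare_ignore_eol() {
    cr=$(printf '\r')
    norm_a=$(mktemp) || return 2
    norm_b=$(mktemp) || { rm -f "$norm_a"; return 2; }
    sed "s/$cr\$//" "$1" > "$norm_a"
    sed "s/$cr\$//" "$2" > "$norm_b"
    if cmp -s "$norm_a" "$norm_b"; then
        cie_rc=0
    else
        cie_rc=1
    fi
    rm -f "$norm_a" "$norm_b"
    return $cie_rc
}

# Demonstration on constructed files (an invented two-line JSON-ish output):
# the LF and CRLF versions must compare equal, the one with different
# content must not. Prints "same differ".
demo_compare() {
    lf=$(mktemp); crlf=$(mktemp); other=$(mktemp)
    printf '{"glyphs": [\n  {"id": 3}\n]}\n' > "$lf"
    printf '{"glyphs": [\r\n  {"id": 3}\r\n]}\r\n' > "$crlf"
    printf '{"glyphs": [\n  {"id": 4}\n]}\n' > "$other"
    if compare_ignore_eol "$lf" "$crlf"; then r1=same; else r1=differ; fi
    if compare_ignore_eol "$lf" "$other"; then r2=same; else r2=differ; fi
    rm -f "$lf" "$crlf" "$other"
    echo "$r1 $r2"
}
demo_compare
```

In a CMake test definition the function can stand in for compare_files on the old toolchain, e.g. by pointing the test's COMMAND at a tiny driver script that sources this file and calls `compare_ignore_eol "${EXPECTED}" "${ACTUAL}"`.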

Tamil font features not working on LibO 6 (working on LibO 5)

Hello. I released Krishna Tamil, a purely Graphite font based on Lohit Tamil 2.5.1, some years ago.

I now find that the features aren't working in LibreOffice 6.1 and LibreOffice 6.3 beta, but they are working in LibreOffice 5.2. This is on Kubuntu Bionic 64-bit.

You can verify this by checking the rendering of the ODT against the PDF included in the above release ZIP file.

Curiously, the features in the Linux Libertine G font demo ODT are working fine…
