1/*
2 * Copyright (c) 2008, 2009, Google Inc. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions are
6 * met:
7 *
8 *     * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 *     * Redistributions in binary form must reproduce the above
11 * copyright notice, this list of conditions and the following disclaimer
12 * in the documentation and/or other materials provided with the
13 * distribution.
14 *     * Neither the name of Google Inc. nor the names of its
15 * contributors may be used to endorse or promote products derived from
16 * this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
22 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
23 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
24 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31#include "config.h"
32#include "VDMXParser.h"
33
34#include <stdlib.h>
35#include <string.h>
36
37#include "wtf/ByteOrder.h"
38
39// Buffer helper class
40//
41// This class perform some trival buffer operations while checking for
42// out-of-bounds errors. As a family they return false if anything is amiss,
43// updating the current offset otherwise.
44class Buffer {
45public:
46    Buffer(const uint8_t* buffer, size_t length)
47        : m_buffer(buffer)
48        , m_length(length)
49        , m_offset(0) { }
50
51    bool skip(size_t numBytes)
52    {
53        if (m_offset + numBytes > m_length)
54            return false;
55        m_offset += numBytes;
56        return true;
57    }
58
59    bool readU8(uint8_t* value)
60    {
61        if (m_offset + sizeof(uint8_t) > m_length)
62            return false;
63        *value = m_buffer[m_offset];
64        m_offset += sizeof(uint8_t);
65        return true;
66    }
67
68    bool readU16(uint16_t* value)
69    {
70        if (m_offset + sizeof(uint16_t) > m_length)
71            return false;
72        memcpy(value, m_buffer + m_offset, sizeof(uint16_t));
73        *value = ntohs(*value);
74        m_offset += sizeof(uint16_t);
75        return true;
76    }
77
78    bool readS16(int16_t* value)
79    {
80        return readU16(reinterpret_cast<uint16_t*>(value));
81    }
82
83    size_t offset() const
84    {
85        return m_offset;
86    }
87
88    void setOffset(size_t newoffset)
89    {
90        m_offset = newoffset;
91    }
92
93private:
94    const uint8_t *const m_buffer;
95    const size_t m_length;
96    size_t m_offset;
97};
98
99// VDMX parsing code.
100//
101// VDMX tables are found in some TrueType/OpenType fonts and contain
102// ascender/descender overrides for certain (usually small) sizes. This is
103// needed in order to match font metrics on Windows.
104//
105// Freetype does not parse these tables so we do so here.
106
107namespace blink {
108
109// Parse a TrueType VDMX table.
110//   yMax: (output) the ascender value from the table
111//   yMin: (output) the descender value from the table (negative!)
112//   vdmx: the table bytes
113//   vdmxLength: length of @vdmx, in bytes
114//   targetPixelSize: the pixel size of the font (e.g. 16)
115//
116// Returns true iff a suitable match are found. Otherwise, *yMax and *yMin are
117// untouched. size_t must be 32-bits to avoid overflow.
118//
119// See http://www.microsoft.com/opentype/otspec/vdmx.htm
120bool parseVDMX(int* yMax, int* yMin,
121               const uint8_t* vdmx, size_t vdmxLength,
122               unsigned targetPixelSize)
123{
124    Buffer buf(vdmx, vdmxLength);
125
126    // We ignore the version. Future tables should be backwards compatible with
127    // this layout.
128    uint16_t numRatios;
129    if (!buf.skip(4) || !buf.readU16(&numRatios))
130        return false;
131
132    // Now we have two tables. Firstly we have @numRatios Ratio records, then a
133    // matching array of @numRatios offsets. We save the offset of the beginning
134    // of this second table.
135    //
136    // Range 6 <= x <= 262146
137    unsigned long offsetTableOffset =
138        buf.offset() + 4 /* sizeof struct ratio */ * numRatios;
139
140    unsigned desiredRatio = 0xffffffff;
141    // We read 4 bytes per record, so the offset range is
142    //   6 <= x <= 524286
143    for (unsigned i = 0; i < numRatios; ++i) {
144        uint8_t xRatio, yRatio1, yRatio2;
145
146        if (!buf.skip(1)
147            || !buf.readU8(&xRatio)
148            || !buf.readU8(&yRatio1)
149            || !buf.readU8(&yRatio2))
150            return false;
151
152        // This either covers 1:1, or this is the default entry (0, 0, 0)
153        if ((xRatio == 1 && yRatio1 <= 1 && yRatio2 >= 1)
154            || (xRatio == 0 && yRatio1 == 0 && yRatio2 == 0)) {
155            desiredRatio = i;
156            break;
157        }
158    }
159
160    if (desiredRatio == 0xffffffff) // no ratio found
161        return false;
162
163    // Range 10 <= x <= 393216
164    buf.setOffset(offsetTableOffset + sizeof(uint16_t) * desiredRatio);
165
166    // Now we read from the offset table to get the offset of another array
167    uint16_t groupOffset;
168    if (!buf.readU16(&groupOffset))
169        return false;
170    // Range 0 <= x <= 65535
171    buf.setOffset(groupOffset);
172
173    uint16_t numRecords;
174    if (!buf.readU16(&numRecords) || !buf.skip(sizeof(uint16_t)))
175        return false;
176
177    // We read 6 bytes per record, so the offset range is
178    //   4 <= x <= 458749
179    for (unsigned i = 0; i < numRecords; ++i) {
180        uint16_t pixelSize;
181        if (!buf.readU16(&pixelSize))
182            return false;
183        // the entries are sorted, so we can abort early if need be
184        if (pixelSize > targetPixelSize)
185            return false;
186
187        if (pixelSize == targetPixelSize) {
188            int16_t tempYMax, tempYMin;
189            if (!buf.readS16(&tempYMax)
190                || !buf.readS16(&tempYMin))
191                return false;
192            *yMin = tempYMin;
193            *yMax = tempYMax;
194            return true;
195        }
196        if (!buf.skip(2 * sizeof(int16_t)))
197            return false;
198    }
199
200    return false;
201}
202
203} // namespace blink
204