Issue 13918002: [OTS] Integrate WOFF 2.0 algorithm into OTS

Issue 13918002: [OTS] Integrate WOFF 2.0 algorithm into OTS (Closed)

Created:
7 years, 8 months ago by Kunihiko Sakamoto

Modified:
7 years, 7 months ago

Reviewers:
Yusuke Sato

CC:
chromium-reviews, raph, agl

Base URL:
http://ots.googlecode.com/svn/trunk/

Visibility:
Public.

More Reviews

Description

[OTS] Integrate WOFF 2.0 algorithm into OTS Add woff2.h and woff2.cc from the WOFF 2.0 reference implementation (https://code.google.com/p/font-compression-reference/). WOFF2 support is disabled by default and is enabled by ots::EnableWOFF2(). Patch originally by bashi@chromium.org. BUG=122603 R=yusukes@chromium.org Committed: 100

Patch Set 1 #

Total comments: 90

Patch Set 2 : #

Total comments: 2

Patch Set 3 : #

Patch Set 4 : #

Created: 7 years, 7 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+1135 lines, -33 lines)			Patch
M	include/opentype-sanitiser.h	View		1 chunk	+3 lines, -0 lines	0 comments	Download
M	ots.gyp	View		2 chunks	+2 lines, -0 lines	0 comments	Download
M	ots-common.gypi	View		1 chunk	+2 lines, -0 lines	0 comments	Download
M	src/gpos.cc	View	1	1 chunk	+1 line, -2 lines	0 comments	Download
M	src/gsub.cc	View	1	1 chunk	+1 line, -2 lines	0 comments	Download
M	src/ots.h	View	1	2 chunks	+17 lines, -0 lines	0 comments	Download
M	src/ots.cc	View	1 2	13 chunks	+50 lines, -29 lines	0 comments	Download
A	src/woff2.h	View	1 2	1 chunk	+20 lines, -0 lines	0 comments	Download
A	src/woff2.cc	View	1 2 3	1 chunk	+1037 lines, -0 lines	0 comments	Download
M	test/ot-sanitise.cc	View		1 chunk	+2 lines, -0 lines	0 comments	Download

Messages

Total messages: 14 (0 generated)

Expand Messages | Collapse Messages

Yusuke Sato

qq: Do we really want to maintain two sets of woff2.cc/h files (one in OTS, ...

7 years, 8 months ago (2013-04-09 05:22:08 UTC) #2

Kunihiko Sakamoto

[+Raph] Looking at https://code.google.com/p/font-compression-reference/source/browse/cpp, it looks like the cpp part of font-compression-reference is a kind ...

7 years, 8 months ago (2013-04-09 09:58:55 UTC) #3

raph

Absolutely, I'm happy for the decompression code to live in OTS as the authoritative source. ...

7 years, 8 months ago (2013-04-12 06:30:58 UTC) #5

Yusuke Sato

ksakamoto: I guess src/woff2.* have already been reviewed by someone else since they're already in ...

7 years, 8 months ago (2013-04-12 06:41:56 UTC) #6

Kunihiko Sakamoto

[+agl] In my understanding, woff2.{h,cc} were initially submitted to font-compression-reference without review, but afterwards reviewed ...

7 years, 8 months ago (2013-04-12 07:49:29 UTC) #7

[+agl]

In my understanding, woff2.{h,cc} were initially submitted to
font-compression-reference without review, but afterwards reviewed by Adam
(cc'd). Review URLs:
https://codereview.appspot.com/6139064
https://codereview.appspot.com/6160043
https://codereview.appspot.com/8346043

Also, we are going to have security review before enabling woff2 in Chrome.


I applied following changes to woff2.{h,cc} when copied.

diff -u font-compression-reference/cpp/woff2.cc ots-svn/src/woff2.cc
--- font-compression-reference/cpp/woff2.cc	2013-04-08 14:59:21.053948917 +0900
+++ ots-svn/src/woff2.cc	2013-04-09 12:48:24.848338446 +0900
@@ -1,25 +1,16 @@
-// Copyright (c) 2012 Google Inc. All rights reserved.
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This is the implementation of decompression of the proposed WOFF Ultra
 // Condensed file format.
 
-// For now, use of LZMA is conditional, because the build is trickier. When
-// that gets all sorted out, we can get rid of these ifdefs.
-#define USE_LZMA
-
 #include <vector>
-
-#ifdef USE_LZMA
-#include "third_party/lzma_sdk/LzmaLib.h"
-#endif
-
 #include <zlib.h>
+#include "third_party/lzma_sdk/LzmaLib.h"
 
 #include "opentype-sanitiser.h"
 #include "ots-memory-stream.h"
-
 #include "ots.h"
 #include "woff2.h"
 
@@ -727,7 +718,6 @@
       return OTS_FAILURE();
     }
     return true;
-#ifdef USE_LZMA
   } else if (compression_type == kCompressionTypeLzma) {
     if (src_size < kLzmaHeaderSize) {
       // Make sure we have at least a full Lzma header
@@ -743,27 +733,11 @@
       return OTS_FAILURE();
     }
     return true;
-#endif
   }
   // Unknown compression type
   return OTS_FAILURE();
 }
 
-bool ReadLongDirectory(ots::Buffer* file, std::vector<Table>* tables,
-    size_t num_tables) {
-  for (size_t i = 0; i < num_tables; ++i) {
-    Table* table = &(*tables)[i];
-    if (!file->ReadU32(&table->tag) ||
-        !file->ReadU32(&table->flags) ||
-        !file->ReadU32(&table->src_length) ||
-        !file->ReadU32(&table->transform_length) ||
-        !file->ReadU32(&table->dst_length)) {
-      return OTS_FAILURE();
-    }
-  }
-  return true;
-}
-
 const uint32_t known_tags[29] = {
   TAG('c', 'm', 'a', 'p'),  // 0
   TAG('h', 'e', 'a', 'd'),  // 1
Only in font-compression-reference/cpp/: woff2-decompress.cc
Only in font-compression-reference/cpp/: woff2.gyp
diff -u font-compression-reference/cpp/woff2.h ots-svn/src/woff2.h
--- font-compression-reference/cpp/woff2.h	2013-04-08 14:31:21.860168235 +0900
+++ ots-svn/src/woff2.h	2013-04-09 12:48:24.848338446 +0900
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 Google Inc. All rights reserved.
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -14,7 +14,7 @@
 // be the same as determined by ComputeFinalSize(). Returns true on successful
 // decompression.
 bool ConvertWOFF2ToTTF(uint8_t *result, size_t result_length,
-                  const uint8_t *data, size_t length);
+                       const uint8_t *data, size_t length);
 
 }

Yusuke Sato

initial review. sorry for the delay! https://codereview.chromium.org/13918002/diff/1/src/ots.cc File src/ots.cc (right): https://codereview.chromium.org/13918002/diff/1/src/ots.cc#newcode415 src/ots.cc:415: std::vector<uint8_t> decompressed_buffer(decompressed_size); * ...

7 years, 8 months ago (2013-04-17 18:38:46 UTC) #8

Kunihiko Sakamoto

Thank you for the thorough review! And sorry for the slow response. https://codereview.chromium.org/13918002/diff/1/src/ots.cc File src/ots.cc ...

7 years, 8 months ago (2013-04-23 06:36:26 UTC) #9

Kunihiko Sakamoto

Yusuke-san, could you take another look? Thanks!

7 years, 7 months ago (2013-05-07 01:49:43 UTC) #10

Yusuke Sato

LGTM Please ask the security team to review the code before enabling this on Chrome. ...

7 years, 7 months ago (2013-05-07 06:11:27 UTC) #11

LGTM

Please ask the security team to review the code before enabling this on Chrome.

https://codereview.chromium.org/13918002/diff/1/src/ots.cc
File src/ots.cc (right):

https://codereview.chromium.org/13918002/diff/1/src/ots.cc#newcode415
src/ots.cc:415: std::vector<uint8_t> decompressed_buffer(decompressed_size);
On 2013/04/23 06:36:26, ksakamoto wrote:
> On 2013/04/17 18:38:46, Yusuke Sato wrote:
> > * Do we have to zero-fill the buffer?
> 
> Done.

std::vector<uint8_t> decompressed_buffer(decompressed_size, 0); and
std::vector<uint8_t> decompressed_buffer(decompressed_size); are the same,
aren't they?

Sorry, I should've been more clear. Please do *NOT* zero-clear the buffer unless
it's really necessary. For example, scoped array and new unit8_t[] may suffice.
 
> > * Please define the max decompressed size and return with OTS_FAILURE() when
> > |decompressed_size| exceeds that. With the current code, I guess drive-by
web
> > can easily crash the renderer by oom.
> 
> Good catch, thanks.
> I set the limit to 30MB, that is somewhat stricter than other formats where
sum
> of decompressed tables must be <=30MB.

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc
File src/woff2.cc (right):

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode157
src/woff2.cc:157: dst[offset] = x >> 24;
On 2013/04/23 06:36:26, ksakamoto wrote:
> On 2013/04/17 18:38:46, Yusuke Sato wrote:
> > is there any reason not to check the buffer length on each write?
> 
> I don't think so.
> Probably I should create 'writer' version of the Buffer class and use it
across
> the code? (It requires a considerable amount of change though.)

Please add a TODO. I guess you have to do this anyway to pass the security
review..

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode181
src/woff2.cc:181: if (n_points > in_size) {
On 2013/04/23 06:36:26, ksakamoto wrote:
> On 2013/04/17 18:38:46, Yusuke Sato wrote:
> > Is this correct? I guess this might be >=.
> 
> Correct, I think.
> Note that each point consumes 1-4 bytes of |in| buffer, so this is an early
> return with lower-bound check.

Please add a code comment then.

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode506
src/woff2.cc:506: std::vector<uint32_t> loca_values(num_glyphs + 1);
On 2013/04/23 06:36:26, ksakamoto wrote:
> On 2013/04/17 18:38:46, Yusuke Sato wrote:
> > Is zero-fill required?
> 
> No - all element should be written.

Please fix. it's still zero-filled.

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode530
src/woff2.cc:530: if (instruction_size + 2 > glyf_dst_size - glyph_size) {
On 2013/04/23 06:36:26, ksakamoto wrote:
> On 2013/04/17 18:38:46, Yusuke Sato wrote:
> > integer overflow not checked?
> |instruction_size| is set by Read255UShort, so
> 0 <= instruction_size < 65536.

add comment please.

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode596
src/woff2.cc:596: instruction_size + 2) {
On 2013/04/23 06:36:26, ksakamoto wrote:
> On 2013/04/17 18:38:46, Yusuke Sato wrote:
> > integer overflow not checked.
> 
> Same as above.

add comment please.

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode653
src/woff2.cc:653: if (static_cast<uint64_t>(glyf_table->dst_offset +
glyf_table->dst_length) >
On 2013/04/23 06:36:26, ksakamoto wrote:
> On 2013/04/17 18:38:46, Yusuke Sato wrote:
> > what is the case for? Looks no-op to me.
> 
> You mean the static_cast is no-op?

yes. s/case/cast/. cast<64b>(32b+32b) does not make sense to me because the
inner 32b+32b yields 32b result. cast<64b>(32b)+32b might make sense, though.
The result of 64b+32b is 64b. For more details, please check the spec.

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode741
src/woff2.cc:741: const uint32_t known_tags[29] = {
On 2013/04/23 06:36:26, ksakamoto wrote:
> On 2013/04/17 18:38:46, Yusuke Sato wrote:
> > kKnownTags. Move this to around line 69. I guess you can get rid of '29'.
> 
> Done.

"Move this to around line 69." is not yet done.

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode839
src/woff2.cc:839: uint32_t total_length;
On 2013/04/23 06:36:26, ksakamoto wrote:
> On 2013/04/17 18:38:46, Yusuke Sato wrote:
> > IIRC, always adding '= 0;' would be better to avoid gcc warnings. please fix
> > this and elsewhere.
> 
> Hmm gcc -Wall does not generate any warnings on this?

On Chrome OS build environment (gcc 4.7, soon 4.8), it might. FYI.

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode860
src/woff2.cc:860: // TODO(bashi): Should call IsValidVersionTag() here.
On 2013/04/23 06:36:26, ksakamoto wrote:
> On 2013/04/17 18:38:46, Yusuke Sato wrote:
> > File a bug?
> 
> Now it's easy, as this is a change to ots repository.
> Done.

nice.

https://codereview.chromium.org/13918002/diff/14001/src/woff2.cc
File src/woff2.cc (right):

https://codereview.chromium.org/13918002/diff/14001/src/woff2.cc#newcode93
src/woff2.cc:93: , flags(0)
this does not look like a Chromium style. Please check the style guide.

http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml?showone=Constr...

Kunihiko Sakamoto

Thanks for your review! https://codereview.chromium.org/13918002/diff/1/src/ots.cc File src/ots.cc (right): https://codereview.chromium.org/13918002/diff/1/src/ots.cc#newcode415 src/ots.cc:415: std::vector<uint8_t> decompressed_buffer(decompressed_size); On 2013/05/07 06:11:27, ...

7 years, 7 months ago (2013-05-07 10:17:22 UTC) #12

Thanks for your review!

https://codereview.chromium.org/13918002/diff/1/src/ots.cc
File src/ots.cc (right):

https://codereview.chromium.org/13918002/diff/1/src/ots.cc#newcode415
src/ots.cc:415: std::vector<uint8_t> decompressed_buffer(decompressed_size);
On 2013/05/07 06:11:27, Yusuke Sato wrote:
> On 2013/04/23 06:36:26, ksakamoto wrote:
> > On 2013/04/17 18:38:46, Yusuke Sato wrote:
> > > * Do we have to zero-fill the buffer?
> > 
> > Done.
> 
> std::vector<uint8_t> decompressed_buffer(decompressed_size, 0); and
> std::vector<uint8_t> decompressed_buffer(decompressed_size); are the same,
> aren't they?
> 
> Sorry, I should've been more clear. Please do *NOT* zero-clear the buffer
unless
> it's really necessary. For example, scoped array and new unit8_t[] may
suffice.
>  
Oh, got it.
We should zero clear this buffer, because ConvertWOFF2ToTTF() does not overwrite
padding-bytes.

> > > * Please define the max decompressed size and return with OTS_FAILURE()
when
> > > |decompressed_size| exceeds that. With the current code, I guess drive-by
> web
> > > can easily crash the renderer by oom.
> > 
> > Good catch, thanks.
> > I set the limit to 30MB, that is somewhat stricter than other formats where
> sum
> > of decompressed tables must be <=30MB.
>

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc
File src/woff2.cc (right):

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode157
src/woff2.cc:157: dst[offset] = x >> 24;
On 2013/05/07 06:11:27, Yusuke Sato wrote:
> On 2013/04/23 06:36:26, ksakamoto wrote:
> > On 2013/04/17 18:38:46, Yusuke Sato wrote:
> > > is there any reason not to check the buffer length on each write?
> > 
> > I don't think so.
> > Probably I should create 'writer' version of the Buffer class and use it
> across
> > the code? (It requires a considerable amount of change though.)
> 
> Please add a TODO. I guess you have to do this anyway to pass the security
> review..

Done.

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode181
src/woff2.cc:181: if (n_points > in_size) {
On 2013/05/07 06:11:27, Yusuke Sato wrote:
> On 2013/04/23 06:36:26, ksakamoto wrote:
> > On 2013/04/17 18:38:46, Yusuke Sato wrote:
> > > Is this correct? I guess this might be >=.
> > 
> > Correct, I think.
> > Note that each point consumes 1-4 bytes of |in| buffer, so this is an early
> > return with lower-bound check.
> 
> Please add a code comment then.

Done.

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode506
src/woff2.cc:506: std::vector<uint32_t> loca_values(num_glyphs + 1);
On 2013/05/07 06:11:27, Yusuke Sato wrote:
> On 2013/04/23 06:36:26, ksakamoto wrote:
> > On 2013/04/17 18:38:46, Yusuke Sato wrote:
> > > Is zero-fill required?
> > 
> > No - all element should be written.
> 
> Please fix. it's still zero-filled.

Changed to use vector::reserve for allocation and vector::push_back for filling.

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode530
src/woff2.cc:530: if (instruction_size + 2 > glyf_dst_size - glyph_size) {
On 2013/05/07 06:11:27, Yusuke Sato wrote:
> On 2013/04/23 06:36:26, ksakamoto wrote:
> > On 2013/04/17 18:38:46, Yusuke Sato wrote:
> > > integer overflow not checked?
> > |instruction_size| is set by Read255UShort, so
> > 0 <= instruction_size < 65536.
> 
> add comment please.

Done.

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode596
src/woff2.cc:596: instruction_size + 2) {
On 2013/05/07 06:11:27, Yusuke Sato wrote:
> On 2013/04/23 06:36:26, ksakamoto wrote:
> > On 2013/04/17 18:38:46, Yusuke Sato wrote:
> > > integer overflow not checked.
> > 
> > Same as above.
> 
> add comment please.

Done.

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode653
src/woff2.cc:653: if (static_cast<uint64_t>(glyf_table->dst_offset +
glyf_table->dst_length) >
On 2013/05/07 06:11:27, Yusuke Sato wrote:
> On 2013/04/23 06:36:26, ksakamoto wrote:
> > On 2013/04/17 18:38:46, Yusuke Sato wrote:
> > > what is the case for? Looks no-op to me.
> > 
> > You mean the static_cast is no-op?
> 
> yes. s/case/cast/. cast<64b>(32b+32b) does not make sense to me because the
> inner 32b+32b yields 32b result. cast<64b>(32b)+32b might make sense, though.
> The result of 64b+32b is 64b. For more details, please check the spec.

Thanks for the explanation.
Changed to cast<64b>(32b)+32b.

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode657
src/woff2.cc:657: if (static_cast<uint64_t>(loca_table->dst_offset +
loca_table->dst_length) >
On 2013/04/17 18:38:46, Yusuke Sato wrote:
> the same.

Done.

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode741
src/woff2.cc:741: const uint32_t known_tags[29] = {
On 2013/05/07 06:11:27, Yusuke Sato wrote:
> On 2013/04/23 06:36:26, ksakamoto wrote:
> > On 2013/04/17 18:38:46, Yusuke Sato wrote:
> > > kKnownTags. Move this to around line 69. I guess you can get rid of '29'.
> > 
> > Done.
> 
> "Move this to around line 69." is not yet done.
> 
Oops, sorry. Done.

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode839
src/woff2.cc:839: uint32_t total_length;
On 2013/05/07 06:11:27, Yusuke Sato wrote:
> On 2013/04/23 06:36:26, ksakamoto wrote:
> > On 2013/04/17 18:38:46, Yusuke Sato wrote:
> > > IIRC, always adding '= 0;' would be better to avoid gcc warnings. please
fix
> > > this and elsewhere.
> > 
> > Hmm gcc -Wall does not generate any warnings on this?
> 
> On Chrome OS build environment (gcc 4.7, soon 4.8), it might. FYI.

Gcc 4.7 didn't warn for me...
I would like to leave them uninitialized for now. Let me know if you are sure
that this generates warning and we should avoid it.

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode880
src/woff2.cc:880: // Note: change below to ReadLongDirectory to enable long
format.
On 2013/04/23 06:36:26, ksakamoto wrote:
> On 2013/04/17 18:38:46, Yusuke Sato wrote:
> > what's "long format"? Don't we have to support it? Please add a comment for
a
> > newbie like me. Please file a bug if needed.
> 
> I guess we don't. Checking with David.

Confirmed that the long format is no longer used.
Removed the comment.

https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode986
src/woff2.cc:986: if (static_cast<uint64_t>(table->dst_offset +
transform_length) >
On 2013/04/17 18:38:46, Yusuke Sato wrote:
> no-op?
Fixed.

https://codereview.chromium.org/13918002/diff/14001/src/woff2.cc
File src/woff2.cc (right):

https://codereview.chromium.org/13918002/diff/14001/src/woff2.cc#newcode93
src/woff2.cc:93: , flags(0)
On 2013/05/07 06:11:27, Yusuke Sato wrote:
> this does not look like a Chromium style. Please check the style guide.
> 
>
http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml?showone=Constr...

Fixed, thanks.

Yusuke Sato

LGTM still stands. https://codereview.chromium.org/13918002/diff/1/src/woff2.cc File src/woff2.cc (right): https://codereview.chromium.org/13918002/diff/1/src/woff2.cc#newcode839 src/woff2.cc:839: uint32_t total_length; On 2013/05/07 10:17:23, ksakamoto ...

7 years, 7 months ago (2013-05-07 16:56:44 UTC) #13

Kunihiko Sakamoto

7 years, 7 months ago (2013-05-08 01:20:43 UTC) #14

Message was sent while issue was closed.

Committed patchset #4 manually as r100 (presubmit successful).

Expand Messages | Collapse Messages