| OLD | NEW |
|---|
| (Empty) |
| 1 What's OTS? | |
| 2 =========== | |
| 3 | |
| 4 Sanitiser for OpenType (OTS) is a small library which parses OpenType files | |
| 5 (usually from `@font-face`) and attempts to validate and sanitise them. This | |
| 6 library is primarily intended to be used with Chromium. We hope this reduces | |
| 7 the attack surface of the system font libraries. | |
| 8 | |
| 9 What the sanitiser does is as follows: | |
| 10 | |
| 11 1. Parses an original font. If the parsing fails, OTS rejects the original | |
| 12 font. | |
| 13 2. Validates the parsed data structure. If the validation fails, it rejects the | |
| 14 original font as well. | |
| 15 3. Creates a new font on memory by serializing the data structure, and we call | |
| 16 this "transcoding". | |
| 17 | |
| 18 By transcoding fonts in this way, it is ensured that: | |
| 19 | |
| 20 1. All information in an original font that OTS doesn't know or can't parse is | |
| 21 dropped from the transcoded font. | |
| 22 2. All information in the transcoded font is valid (standard compliant). | |
| 23 Particularly 'length' and 'offset' values, that are often used as attack | |
| 24 vectors, are ensured to be correct. | |
| 25 | |
| 26 Supported OpenType tables | |
| 27 ========================= | |
| 28 | |
| 29 | Name | Mandatory table? | Supported by OTS? | Note | | |
| 30 |--------|-----------------------------|-------------------|--------| | |
| 31 | `sfnt` | Yes | Yes | Overlapped tables a
re not allowed; it is treated as a fatal parser error.| | |
| 32 | `maxp` | Yes | Yes | | | |
| 33 | `head` | Yes | Yes | | | |
| 34 | `hhea` | Yes | Yes | | | |
| 35 | `hmtx` | Yes | Yes | | | |
| 36 | `name` | Yes | Yes | | | |
| 37 | `OS/2` | Yes | Yes | | | |
| 38 | `post` | Yes | Yes | | | |
| 39 | `cmap` | Yes | Partialy | see below | | |
| 40 | `glyf` | Yes, for TrueType fonts | Yes | TrueType bytecode i
s supported, but OTS does **not** validate it.| | |
| 41 | `loca` | Yes, when glyf table exists | Yes | | | |
| 42 | `CFF ` | Yes, for OpenType fonts | Yes | OpenType bytecode i
s also supported, and OTS **does** validate it.| | |
| 43 | `cvt ` | No | Yes | Though this table i
s not mandatory, OTS can't drop the table from a transcoded font since it might
be referred from other hinting-related tables. Errors on this table should be tr
eated as fatal.| | |
| 44 | `fpgm` | No | Yes | Ditto. | | |
| 45 | `prep` | No | Yes | Ditto. | | |
| 46 | `VDMX` | No | Yes | This table is impor
tant for calculating the correct line spacing, at least on Chromium Windows and
Chromium Linux.| | |
| 47 | `hdmx` | No | Yes | | | |
| 48 | `gasp` | No | Yes | | | |
| 49 | `VORG` | No | Yes | | | |
| 50 | `LTSH` | No | Yes | | | |
| 51 | `kern` | No | Yes | | | |
| 52 | `GDEF` | No | Yes | | | |
| 53 | `GSUB` | No | Yes | | | |
| 54 | `GPOS` | No | Yes | | | |
| 55 | `morx` | No | No | | | |
| 56 | `jstf` | No | No | | | |
| 57 | `vmtx` | No | Yes | | | |
| 58 | `vhea` | No | Yes | | | |
| 59 | `EBDT` | No | No | We don't support em
bedded bitmap strikes.| | |
| 60 | `EBLC` | No | No | Ditto. | | |
| 61 | `EBSC` | No | No | Ditto. | | |
| 62 | `bdat` | No | No | Ditto. | | |
| 63 | `bhed` | No | No | Ditto. | | |
| 64 | `bloc` | No | No | Ditto. | | |
| 65 | `DSIG` | No | No | | | |
| 66 | All other tables | - | No | | | |
| 67 | |
| 68 Please note that OTS library does not parse "unsupported" tables. These | |
| 69 unsupported tables never appear in a transcoded font. | |
| 70 | |
| 71 Supported cmap formats | |
| 72 ---------------------- | |
| 73 | |
| 74 The following 9 formats are supported: | |
| 75 | |
| 76 * "MS Unicode" (platform 3 encoding 1 format 4) | |
| 77 * BMP | |
| 78 * "MS UCS-4" (platform 3 encoding 10 format 12) | |
| 79 * "MS UCS-4 fallback" (platform 3 encoding 10 format 13) | |
| 80 * "MS Symbol" (platform 3 encoding 0 format 4) | |
| 81 * "Mac Roman" (platform 1 encoding 0 format 0) | |
| 82 * 1-0-0 format is supported while 1-0-6 is not. | |
| 83 * "Unicode default" format (platform 0 encoding 0 format 4) | |
| 84 * treated as 3-1-4 format | |
| 85 * "Unicode 1.1" format (platform 0 encoding 1 format 4) | |
| 86 * ditto | |
| 87 * "Unicode 2.0+" format (platform 0 encoding 3 format 4) | |
| 88 * "Unicode UCS-4" format (platform 0 encoding 4 format 12) | |
| 89 * treated as 3-10-12 format | |
| 90 * Unicode Variation Sequences (platform 0 encoding 5 format 14) | |
| 91 | |
| 92 All other types of subtables are not supported and do not appear in transcoded f
onts. | |
| 93 | |
| 94 Validation strategies | |
| 95 ===================== | |
| 96 | |
| 97 With regards to 8 mandatory tables, glyph-related tables (`glyf`, `loca` and `CF
F`), | |
| 98 and hinting-related tables (`cvt`, `prep`, and `fpgm`): | |
| 99 | |
| 100 * If OTS finds table-length, table-offset, or table-alignment errors, in other | |
| 101 words it cannot continue parsing, OTS treats the error as fatal. | |
| 102 * If OTS finds simple value error which could be automatically fixed (e.g., | |
| 103 font weight is greater than 900 - that's undefined), and if the error is | |
| 104 considered common among non-malicious fonts, OTS rewrites the value and | |
| 105 continues transcoding. | |
| 106 * If OTS finds a value error which is hard to fix (e.g., values which should be | |
| 107 sorted are left unsorted), OTS treats the error as fatal. | |
| 108 | |
| 109 With regards to optional tables (`VORG`, `gasp`, `hdmx`, `LTSH`, and `VDMX`): | |
| 110 | |
| 111 * If OTS finds table-length, table-offset, or table-alignment errors, OTS | |
| 112 treats the error as fatal. | |
| 113 * If OTS finds other errors, it simply drops the table from a transcoded font. | |
| 114 | |
| 115 Files | |
| 116 ===== | |
| 117 | |
| 118 * include/opentype-sanitiser.h | |
| 119 * Declaration for the public API, `ots::Process()`. | |
| 120 * Definition of the `OTSStream` interface, a write-only memory stream. | |
| 121 * include/ots-memory-stream.h | |
| 122 * Definition of the `MemoryStream` class which implements the `OTSStream` | |
| 123 interface above. | |
| 124 * src/ots.h | |
| 125 * Debug macros. | |
| 126 * Definition of a `Buffer` class which is a read-only memory stream. | |
| 127 * src/ots.cc | |
| 128 * Definition of the `ots::Process()` function. | |
| 129 * `sfnt` table parser. | |
| 130 * test/\*.cc | |
| 131 * test tools. see test/README for details. | |
| 132 | |
| 133 Known issues | |
| 134 ============ | |
| 135 | |
| 136 Please check the [issues](https://github.com/khaledhosny/ots/issues) page. | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 797183002:
Revert of Updating OTS repo from https://github.com/khaledhosny/ots.git (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master