From 7ec694ddf25a313483044256f7ed88b644432e15 Mon Sep 17 00:00:00 2001
From: HinTak <htl10@users.sourceforge.net>
Date: Wed, 7 Nov 2018 13:19:36 +0000
Subject: [PATCH 1/5] Use non-GRID-fitted values for metrics (#1363)

* Use non-GRID-fitted values for metrics

See freetype/src/base/ftobjs.c:ft_recompute_scaled_metrics() and
the usage of GRID_FIT_METRICS inside.

Fixes https://github.com/behdad/harfbuzz/issues/1262

* Update hb-ft.cc
---
 src/hb-ft.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/hb-ft.cc b/src/hb-ft.cc
index 8b80b960b..9b9d787de 100644
--- a/src/hb-ft.cc
+++ b/src/hb-ft.cc
@@ -466,9 +466,9 @@ hb_ft_get_font_h_extents (hb_font_t *font HB_UNUSED,
   const hb_ft_font_t *ft_font = (const hb_ft_font_t *) font_data;
   hb_lock_t lock (ft_font->lock);
   FT_Face ft_face = ft_font->ft_face;
-  metrics->ascender = ft_face->size->metrics.ascender;
-  metrics->descender = ft_face->size->metrics.descender;
-  metrics->line_gap = ft_face->size->metrics.height - (ft_face->size->metrics.ascender - ft_face->size->metrics.descender);
+  metrics->ascender = FT_MulFix(ft_face->ascender, ft_face->size->metrics.y_scale);
+  metrics->descender = FT_MulFix(ft_face->descender, ft_face->size->metrics.y_scale);
+  metrics->line_gap = FT_MulFix( ft_face->height, ft_face->size->metrics.y_scale ) - (metrics->ascender - metrics->descender);
   if (font->y_scale < 0)
   {
     metrics->ascender = -metrics->ascender;

From 64f0becd89cc2b0136c7dc1609abc9f957525cf8 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Wed, 7 Nov 2018 09:10:55 -0500
Subject: [PATCH 2/5] [post] Fix bound checking

---
 src/hb-ot-post-table.hh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/hb-ot-post-table.hh b/src/hb-ot-post-table.hh
index b15a459b1..1772a10c1 100644
--- a/src/hb-ot-post-table.hh
+++ b/src/hb-ot-post-table.hh
@@ -124,7 +124,7 @@ struct post
       pool = &StructAfter<uint8_t> (v2.glyphNameIndex);
 
       const uint8_t *end = (uint8_t *) table + table_length;
-      for (const uint8_t *data = pool; data < end && data + *data <= end; data += 1 + *data)
+      for (const uint8_t *data = pool; data < end && data + *data < end; data += 1 + *data)
 	index_to_offset.push (data - pool);
     }
     inline void fini (void)

From 5ed816ab5900ac4ff7feca3d98cbd92e62fd1754 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Wed, 7 Nov 2018 09:13:51 -0500
Subject: [PATCH 3/5] [post] Minor

---
 src/hb-ot-post-table.hh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/hb-ot-post-table.hh b/src/hb-ot-post-table.hh
index 1772a10c1..00bd1bcb9 100644
--- a/src/hb-ot-post-table.hh
+++ b/src/hb-ot-post-table.hh
@@ -49,12 +49,15 @@ namespace OT {
 
 struct postV2Tail
 {
+  friend struct post;
+
   inline bool sanitize (hb_sanitize_context_t *c) const
   {
     TRACE_SANITIZE (this);
     return_trace (glyphNameIndex.sanitize (c));
   }
 
+  protected:
   ArrayOf<HBUINT16>	glyphNameIndex;	/* This is not an offset, but is the
 					 * ordinal number of the glyph in 'post'
 					 * string tables. */
@@ -62,6 +65,7 @@ struct postV2Tail
 			namesX;		/* Glyph names with length bytes [variable]
 					 * (a Pascal string). */
 
+  public:
   DEFINE_SIZE_ARRAY2 (2, glyphNameIndex, namesX);
 };
 

From 7d91f07edf29c4923716af6cee8eb94f948ac91f Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Wed, 7 Nov 2018 09:14:42 -0500
Subject: [PATCH 4/5] [post] Protect against huge empty tables

---
 src/hb-ot-post-table.hh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/hb-ot-post-table.hh b/src/hb-ot-post-table.hh
index 00bd1bcb9..b29096f16 100644
--- a/src/hb-ot-post-table.hh
+++ b/src/hb-ot-post-table.hh
@@ -128,7 +128,9 @@ struct post
       pool = &StructAfter<uint8_t> (v2.glyphNameIndex);
 
       const uint8_t *end = (uint8_t *) table + table_length;
-      for (const uint8_t *data = pool; data < end && data + *data < end; data += 1 + *data)
+      for (const uint8_t *data = pool;
+	   index_to_offset.len < 65535 && data < end && data + *data < end;
+	   data += 1 + *data)
 	index_to_offset.push (data - pool);
     }
     inline void fini (void)

From 9d5027696e418b7c2a5ccbc18faafe6b9290d08b Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Wed, 7 Nov 2018 09:16:53 -0500
Subject: [PATCH 5/5] [post] Return true on truncation

Client can check that buffer was completely filled out and reallocate.
---
 src/hb-ot-post-table.hh | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/hb-ot-post-table.hh b/src/hb-ot-post-table.hh
index b29096f16..18f9976bc 100644
--- a/src/hb-ot-post-table.hh
+++ b/src/hb-ot-post-table.hh
@@ -148,10 +148,9 @@ struct post
         return false;
       if (!buf_len)
 	return true;
-      if (buf_len <= s.len) /* What to do with truncation? Returning false for now. */
-        return false;
-      strncpy (buf, s.arrayZ, s.len);
-      buf[s.len] = '\0';
+      unsigned int len = MIN (buf_len - 1, s.len);
+      strncpy (buf, s.arrayZ, len);
+      buf[len] = '\0';
       return true;
     }