ArrayOf.serialize_append allocates space for the new item, but ArrayOf.pop() does not recover the allocated space. So in the case where the revert path was entered the extra space added by serialize_append gets left in the serialization buffer. This moves the snapshot to before ArrayOf.serialize_append is called so that revert cleans up the buffer extend.
previously remove_redundant_sys () is missing in harfbuzz, after
redundant langsys removal, some features are removed as well in
prune_features() in fonttools. This change is trying to get the same
result between harfbuzz and fonttools.
optimize recurse_lookups in Context/ChainContext
glyph closure, only the glyphs that the parent lookup
can apply the recursion to can participate in recursing
the lookup.
Previous GSUB glyph closure is done by recursively visiting
all reachable lookup tables that apply to any glyphs in the
current/input glyph set, but actually only the glyphs that
the parent lookup can apply the recursion to can participate
in recursing the lookup. This is step 1 for glyph closure
optimization:
1. Add stack of currently active glyph set pointers into hb_closure_context_t
2. Update closure() method in simple GSUB tables to use
this stack in order not to change current glyph set at different stages
of recursion
3. Add function may_have_non_1to1() to GSUB tables
- Lookup::closure_lookups also checks if the lookups visited and sets the lookup to visited. If we set visited in 'recurse' then Lookup::closure_lookups will fail to recurse into the children of the lookup.
- Also when copying ChainRule's skip LookupRecord's that point to lookups which aren't retained. This matches FontTool's behaviour.
If the table is kept, when the table is present but only the accelerator
allocation failed, then we run into nullptr dereferences downstream in
hb_ot_map_t::apply when trying to access proxy.accels[i].
To fix this, instead of only setting lookup_count of accelerator_t
itself, drop the whole table to avoid hb-ot-map construction assuming
that the lookups will work correctly despite accelerator allocation
having failed.
Fixes:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24490https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24490
This matches fontTools behaviour. glyphset_gsub does not contain gids added from closing over composite glyphs in glyf, since these cannot particpate in GSUB/GPOS processing.
The backtrack, input, and lookahead sequence must be matched in their entirety so these sequences should not be subset. If any of the coverage tables in a sequence subsets to empty then the whole subtable should be dropped since it's not possible for this lookup to be activated.
Behdad Esfahbod
Qunxin Liu
Garret Rieger
Dominik Röttsches