2 * Copyright (C) 2007,2008,2009 Red Hat, Inc.
4 * This is part of HarfBuzz, an OpenType Layout engine library.
6 * Permission is hereby granted, without written agreement and without
7 * license or royalty fees, to use, copy, modify, and distribute this
8 * software and its documentation for any purpose, provided that the
9 * above copyright notice and the following two paragraphs appear in
10 * all copies of this software.
12 * IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE TO ANY PARTY FOR
13 * DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
14 * ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN
15 * IF THE COPYRIGHT HOLDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
18 * THE COPYRIGHT HOLDER SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING,
19 * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 * FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS
21 * ON AN "AS IS" BASIS, AND THE COPYRIGHT HOLDER HAS NO OBLIGATION TO
22 * PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
24 * Red Hat Author(s): Behdad Esfahbod
27 #ifndef HB_OPEN_TYPES_PRIVATE_HH
28 #define HB_OPEN_TYPES_PRIVATE_HH
30 #include "hb-private.h"
35 #define NO_INDEX ((unsigned int) 0xFFFF)
42 #define CONST_CHARP(X) (reinterpret_cast<const char *>(X))
43 #define DECONST_CHARP(X) ((char *)reinterpret_cast<const char *>(X))
44 #define CHARP(X) (reinterpret_cast<char *>(X))
46 #define CONST_CAST(T,X,Ofs) (*(reinterpret_cast<const T *>(CONST_CHARP(&(X)) + Ofs)))
47 #define DECONST_CAST(T,X,Ofs) (*(reinterpret_cast<T *>((char *)CONST_CHARP(&(X)) + Ofs)))
48 #define CAST(T,X,Ofs) (*(reinterpret_cast<T *>(CHARP(&(X)) + Ofs)))
50 #define CONST_NEXT(T,X) (*(reinterpret_cast<const T *>(CONST_CHARP(&(X)) + (X).get_size ())))
51 #define NEXT(T,X) (*(reinterpret_cast<T *>(CHARP(&(X)) + (X).get_size ())))
60 /* Global nul-content Null pool. Enlarge as necessary. */
61 static const char NullPool[16] = "";
63 /* Generic template for nul-content sizeof-sized Null objects. */
64 template <typename Type>
67 ASSERT_STATIC (sizeof (Type) <= sizeof (NullPool));
68 static inline const Type &get () { return CONST_CAST (Type, *NullPool, 0); }
71 /* Specializaiton for arbitrary-content arbitrary-sized Null objects. */
72 #define DEFINE_NULL_DATA(Type, size, data) \
73 static const char _Null##Type[size] = data; \
77 static inline const Type &get () { return CONST_CAST (Type, *_Null##Type, 0); } \
81 #define Null(Type) (Null<Type>::get())
84 #define ASSERT_SIZE_DATA(Type, size, data) \
85 ASSERT_SIZE (Type, size); \
86 DEFINE_NULL_DATA (Type, size, data)
88 /* get_for_data() is a static class method returning a reference to an
89 * instance of Type located at the input data location. It's just a
90 * fancy, NULL-safe, cast! */
91 #define STATIC_DEFINE_GET_FOR_DATA(Type) \
92 static inline const Type& get_for_data (const char *data) \
94 if (HB_UNLIKELY (data == NULL)) return Null(Type); \
95 return CONST_CAST (Type, *data, 0); \
97 /* Like get_for_data(), but checks major version first. */
98 #define STATIC_DEFINE_GET_FOR_DATA_CHECK_MAJOR_VERSION(Type, MajorMin, MajorMax) \
99 static inline const Type& get_for_data (const char *data) \
101 if (HB_UNLIKELY (data == NULL)) return Null(Type); \
102 const Type& t = CONST_CAST (Type, *data, 0); \
103 if (HB_UNLIKELY (t.version.major < MajorMin || t.version.major > MajorMax)) return Null(Type); \
112 #ifndef HB_DEBUG_SANITIZE
113 #define HB_DEBUG_SANITIZE HB_DEBUG
116 #if HB_DEBUG_SANITIZE
117 #define TRACE_SANITIZE_ARG_DEF , unsigned int sanitize_depth
118 #define TRACE_SANITIZE_ARG , sanitize_depth + 1
119 #define TRACE_SANITIZE_ARG_INIT , 1
120 #define TRACE_SANITIZE() \
122 if (sanitize_depth < HB_DEBUG_SANITIZE) \
123 fprintf (stderr, "SANITIZE(%p) %-*d-> %s\n", \
124 (CONST_CHARP (this) == NullPool) ? 0 : this, \
125 sanitize_depth, sanitize_depth, \
126 __PRETTY_FUNCTION__); \
129 #define TRACE_SANITIZE_ARG_DEF
130 #define TRACE_SANITIZE_ARG
131 #define TRACE_SANITIZE_ARG_INIT
132 #define TRACE_SANITIZE() HB_STMT_START {} HB_STMT_END
135 #define SANITIZE_ARG_DEF \
136 hb_sanitize_context_t *context TRACE_SANITIZE_ARG_DEF
137 #define SANITIZE_ARG \
138 context TRACE_SANITIZE_ARG
139 #define SANITIZE_ARG_INIT \
140 &context TRACE_SANITIZE_ARG_INIT
142 typedef struct _hb_sanitize_context_t hb_sanitize_context_t;
143 struct _hb_sanitize_context_t
145 const char *start, *end;
150 static HB_GNUC_UNUSED void
151 _hb_sanitize_init (hb_sanitize_context_t *context,
154 context->blob = blob;
155 context->start = hb_blob_lock (blob);
156 context->end = context->start + hb_blob_get_length (blob);
157 context->edit_count = 0;
159 #if HB_DEBUG_SANITIZE
160 fprintf (stderr, "sanitize %p init [%p..%p] (%u bytes)\n",
161 context->blob, context->start, context->end, context->end - context->start);
165 static HB_GNUC_UNUSED void
166 _hb_sanitize_fini (hb_sanitize_context_t *context,
169 #if HB_DEBUG_SANITIZE
170 fprintf (stderr, "sanitize %p fini [%p..%p] %u edit requests\n",
171 context->blob, context->start, context->end, context->edit_count);
175 hb_blob_unlock (context->blob);
178 static HB_GNUC_UNUSED inline bool
179 _hb_sanitize_check (SANITIZE_ARG_DEF,
183 bool ret = context->start <= base &&
184 base <= context->end &&
185 (unsigned int) (context->end - base) >= len;
187 #if HB_DEBUG_SANITIZE
188 if (sanitize_depth < HB_DEBUG_SANITIZE) \
189 fprintf (stderr, "SANITIZE(%p) %-*d-> check [%p..%p] (%d bytes) in [%p..%p] -> %s\n", \
191 sanitize_depth, sanitize_depth,
193 context->start, context->end,
194 ret ? "pass" : "FAIL");
199 static HB_GNUC_UNUSED inline bool
200 _hb_sanitize_array (SANITIZE_ARG_DEF,
202 unsigned int record_size,
205 bool overflows = len >= ((unsigned int) -1) / record_size;
207 #if HB_DEBUG_SANITIZE
208 if (sanitize_depth < HB_DEBUG_SANITIZE) \
209 fprintf (stderr, "SANITIZE(%p) %-*d-> array [%p..%p] (%d*%d=%ld bytes) in [%p..%p] -> %s\n", \
211 sanitize_depth, sanitize_depth,
212 base, base + (record_size * len), record_size, len, (unsigned long) record_size * len,
213 context->start, context->end,
214 !overflows ? "does not overflow" : "OVERFLOWS FAIL");
216 return HB_LIKELY (!overflows) && _hb_sanitize_check (SANITIZE_ARG, base, record_size * len);
219 static HB_GNUC_UNUSED inline bool
220 _hb_sanitize_edit (SANITIZE_ARG_DEF,
221 const char *base HB_GNUC_UNUSED,
222 unsigned int len HB_GNUC_UNUSED)
224 bool perm = hb_blob_try_writable_inplace (context->blob);
225 context->edit_count++;
227 #if HB_DEBUG_SANITIZE
228 fprintf (stderr, "SANITIZE(%p) %-*d-> edit(%u) [%p..%p] (%d bytes) in [%p..%p] -> %s\n", \
230 sanitize_depth, sanitize_depth,
233 context->start, context->end,
234 perm ? "granted" : "REJECTED");
239 #define SANITIZE(X) HB_LIKELY ((X).sanitize (SANITIZE_ARG))
240 #define SANITIZE2(X,Y) (SANITIZE (X) && SANITIZE (Y))
242 #define SANITIZE_THIS(X) HB_LIKELY ((X).sanitize (SANITIZE_ARG, CONST_CHARP(this)))
243 #define SANITIZE_THIS2(X,Y) (SANITIZE_THIS (X) && SANITIZE_THIS (Y))
244 #define SANITIZE_THIS3(X,Y,Z) (SANITIZE_THIS (X) && SANITIZE_THIS (Y) && SANITIZE_THIS(Z))
246 #define SANITIZE_BASE(X,B) HB_LIKELY ((X).sanitize (SANITIZE_ARG, B))
247 #define SANITIZE_BASE2(X,Y,B) (SANITIZE_BASE (X,B) && SANITIZE_BASE (Y,B))
249 #define SANITIZE_SELF() SANITIZE_OBJ (*this)
250 #define SANITIZE_OBJ(X) SANITIZE_MEM(&(X), sizeof (X))
251 #define SANITIZE_GET_SIZE() SANITIZE_SELF() && SANITIZE_MEM (this, this->get_size ())
253 /* TODO Optimize this if L is fixed (gcc magic) */
254 #define SANITIZE_MEM(B,L) HB_LIKELY (_hb_sanitize_check (SANITIZE_ARG, CONST_CHARP(B), (L)))
256 #define SANITIZE_ARRAY(A,S,L) HB_LIKELY (_hb_sanitize_array (SANITIZE_ARG, CONST_CHARP(A), S, L))
258 #define NEUTER(Var, Val) \
259 (SANITIZE_OBJ (Var) && \
260 _hb_sanitize_edit (SANITIZE_ARG, CONST_CHARP(&(Var)), sizeof (Var)) && \
261 ((Var) = (Val), true))
264 /* Template to sanitize an object. */
265 template <typename Type>
268 static hb_blob_t *sanitize (hb_blob_t *blob) {
269 hb_sanitize_context_t context;
272 /* TODO is_sane() stuff */
275 #if HB_DEBUG_SANITIZE
276 fprintf (stderr, "Sanitizer %p start %s\n", blob, __PRETTY_FUNCTION__);
279 _hb_sanitize_init (&context, blob);
281 Type *t = &CAST (Type, *DECONST_CHARP(context.start), 0);
283 sane = t->sanitize (SANITIZE_ARG_INIT);
285 if (context.edit_count) {
286 #if HB_DEBUG_SANITIZE
287 fprintf (stderr, "Sanitizer %p passed first round with %d edits; going a second round %s\n",
288 blob, context.edit_count, __PRETTY_FUNCTION__);
290 /* sanitize again to ensure no toe-stepping */
291 context.edit_count = 0;
292 sane = t->sanitize (SANITIZE_ARG_INIT);
293 if (context.edit_count) {
294 #if HB_DEBUG_SANITIZE
295 fprintf (stderr, "Sanitizer %p requested %d edits in second round; FAILLING %s\n",
296 blob, context.edit_count, __PRETTY_FUNCTION__);
301 _hb_sanitize_fini (&context, true);
303 unsigned int edit_count = context.edit_count;
304 _hb_sanitize_fini (&context, true);
305 if (edit_count && !hb_blob_is_writable (blob) && hb_blob_try_writable (blob)) {
306 /* ok, we made it writable by relocating. try again */
307 #if HB_DEBUG_SANITIZE
308 fprintf (stderr, "Sanitizer %p retry %s\n", blob, __PRETTY_FUNCTION__);
314 #if HB_DEBUG_SANITIZE
315 fprintf (stderr, "Sanitizer %p %s %s\n", blob, sane ? "passed" : "FAILED", __PRETTY_FUNCTION__);
320 hb_blob_destroy (blob);
321 return hb_blob_create_empty ();
325 static const Type& lock_instance (hb_blob_t *blob) {
326 return Type::get_for_data (hb_blob_lock (blob));
333 * The OpenType Font File: Data Types
337 /* "The following data types are used in the OpenType font file.
338 * All OpenType fonts use Motorola-style byte ordering (Big Endian):" */
344 /* TODO On machines that allow unaligned access, use this version. */
345 #define _DEFINE_INT_TYPE1_UNALIGNED(NAME, TYPE, BIG_ENDIAN, BYTES) \
348 inline NAME& operator = (TYPE i) { (TYPE&) v = BIG_ENDIAN (i); return *this; } \
349 inline operator TYPE(void) const { return BIG_ENDIAN ((TYPE&) v); } \
350 inline bool operator== (NAME o) const { return (TYPE&) v == (TYPE&) o.v; } \
351 inline bool sanitize (SANITIZE_ARG_DEF) { \
353 return SANITIZE_SELF (); \
355 private: unsigned char v[BYTES]; \
357 ASSERT_SIZE (NAME, BYTES)
359 #define DEFINE_INT_TYPE1(NAME, TYPE, BIG_ENDIAN, BYTES) \
362 inline NAME& operator = (TYPE i) { BIG_ENDIAN##_put_unaligned(v, i); return *this; } \
363 inline operator TYPE(void) const { return BIG_ENDIAN##_get_unaligned (v); } \
364 inline bool operator== (NAME o) const { return BIG_ENDIAN##_cmp_unaligned (v, o.v); } \
365 inline bool sanitize (SANITIZE_ARG_DEF) { \
367 return SANITIZE_SELF (); \
369 private: unsigned char v[BYTES]; \
371 ASSERT_SIZE (NAME, BYTES)
372 #define DEFINE_INT_TYPE0(NAME, type, b) DEFINE_INT_TYPE1 (NAME, type##_t, hb_be_##type, b)
373 #define DEFINE_INT_TYPE(NAME, u, w) DEFINE_INT_TYPE0 (NAME, u##int##w, (w / 8))
376 DEFINE_INT_TYPE (USHORT, u, 16); /* 16-bit unsigned integer. */
377 DEFINE_INT_TYPE (SHORT, , 16); /* 16-bit signed integer. */
378 DEFINE_INT_TYPE (ULONG, u, 32); /* 32-bit unsigned integer. */
379 DEFINE_INT_TYPE (LONG, , 32); /* 32-bit signed integer. */
382 /* Array of four uint8s (length = 32 bits) used to identify a script, language
383 * system, feature, or baseline */
386 inline Tag (const Tag &o) { *(ULONG*)this = (ULONG&) o; }
387 inline Tag (uint32_t i) { *(ULONG*)this = i; }
388 inline Tag (const char *c) { *(ULONG*)this = *(ULONG*)c; }
389 inline bool operator== (const char *c) const { return *(ULONG*)this == *(ULONG*)c; }
390 /* What the char* converters return is NOT nul-terminated. Print using "%.4s" */
391 inline operator const char* (void) const { return CONST_CHARP(this); }
392 inline operator char* (void) { return CHARP(this); }
394 inline bool sanitize (SANITIZE_ARG_DEF) {
396 /* Note: Only accept ASCII-visible tags (mind DEL)
397 * This is one of the few times (only time?) we check
398 * for data integrity, as opposed o just boundary checks
400 return SANITIZE_SELF () && (((uint32_t) *this) & 0x80808080) == 0;
403 ASSERT_SIZE (Tag, 4);
404 #define _NULL_TAG_INIT {' ', ' ', ' ', ' '}
405 DEFINE_NULL_DATA (Tag, 4, _NULL_TAG_INIT);
406 #undef _NULL_TAG_INIT
408 /* Glyph index number, same as uint16 (length = 16 bits) */
409 typedef USHORT GlyphID;
411 /* Offset to a table, same as uint16 (length = 16 bits), Null offset = 0x0000 */
412 typedef USHORT Offset;
414 /* LongOffset to a table, same as uint32 (length = 32 bits), Null offset = 0x00000000 */
415 typedef ULONG LongOffset;
419 struct CheckSum : ULONG
421 static uint32_t CalcTableChecksum (ULONG *Table, uint32_t Length)
424 ULONG *EndPtr = Table+((Length+3) & ~3) / sizeof(ULONG);
426 while (Table < EndPtr)
431 ASSERT_SIZE (CheckSum, 4);
440 inline operator uint32_t (void) const { return (major << 16) + minor; }
442 inline bool sanitize (SANITIZE_ARG_DEF) {
444 return SANITIZE_SELF ();
450 ASSERT_SIZE (FixedVersion, 4);
455 * Template subclasses of Offset and LongOffset that do the dereferencing.
456 * Use: (this+memberName)
459 template <typename OffsetType, typename Type>
460 struct GenericOffsetTo : OffsetType
462 inline const Type& operator() (const void *base) const
464 unsigned int offset = *this;
465 if (HB_UNLIKELY (!offset)) return Null(Type);
466 return CONST_CAST(Type, *CONST_CHARP(base), offset);
469 inline bool sanitize (SANITIZE_ARG_DEF, const void *base) {
471 if (!SANITIZE_SELF ()) return false;
472 unsigned int offset = *this;
473 if (HB_UNLIKELY (!offset)) return true;
474 return SANITIZE (CAST(Type, *DECONST_CHARP(base), offset)) || NEUTER (DECONST_CAST(OffsetType,*this,0), 0);
476 inline bool sanitize (SANITIZE_ARG_DEF, const void *base, const void *base2) {
478 if (!SANITIZE_SELF ()) return false;
479 unsigned int offset = *this;
480 if (HB_UNLIKELY (!offset)) return true;
481 return SANITIZE_BASE (CAST(Type, *DECONST_CHARP(base), offset), base2) || NEUTER (DECONST_CAST(OffsetType,*this,0), 0);
483 inline bool sanitize (SANITIZE_ARG_DEF, const void *base, unsigned int user_data) {
485 if (!SANITIZE_SELF ()) return false;
486 unsigned int offset = *this;
487 if (HB_UNLIKELY (!offset)) return true;
488 return SANITIZE_BASE (CAST(Type, *DECONST_CHARP(base), offset), user_data) || NEUTER (DECONST_CAST(OffsetType,*this,0), 0);
491 template <typename Base, typename OffsetType, typename Type>
492 inline const Type& operator + (const Base &base, GenericOffsetTo<OffsetType, Type> offset) { return offset (base); }
494 template <typename Type>
495 struct OffsetTo : GenericOffsetTo<Offset, Type> {};
497 template <typename Type>
498 struct LongOffsetTo : GenericOffsetTo<LongOffset, Type> {};
505 template <typename LenType, typename Type>
506 struct GenericArrayOf
508 inline const Type& operator [] (unsigned int i) const
510 if (HB_UNLIKELY (i >= len)) return Null(Type);
513 inline unsigned int get_size () const
514 { return sizeof (len) + len * sizeof (array[0]); }
516 inline bool sanitize (SANITIZE_ARG_DEF) {
518 if (!SANITIZE_GET_SIZE()) return false;
520 * for non-recursive types, this is not much needed.
521 * But we keep the code to make sure the objects pointed to
522 * do have a simple sanitize(). */
524 unsigned int count = len;
525 for (unsigned int i = 0; i < count; i++)
526 if (!SANITIZE (array[i]))
530 inline bool sanitize (SANITIZE_ARG_DEF, const void *base) {
532 if (!SANITIZE_GET_SIZE()) return false;
533 unsigned int count = len;
534 for (unsigned int i = 0; i < count; i++)
535 if (!array[i].sanitize (SANITIZE_ARG, base))
539 inline bool sanitize (SANITIZE_ARG_DEF, const void *base, const void *base2) {
541 if (!SANITIZE_GET_SIZE()) return false;
542 unsigned int count = len;
543 for (unsigned int i = 0; i < count; i++)
544 if (!array[i].sanitize (SANITIZE_ARG, base, base2))
548 inline bool sanitize (SANITIZE_ARG_DEF, const void *base, unsigned int user_data) {
550 if (!SANITIZE_GET_SIZE()) return false;
551 unsigned int count = len;
552 for (unsigned int i = 0; i < count; i++)
553 if (!array[i].sanitize (SANITIZE_ARG, base, user_data))
562 /* An array with a USHORT number of elements. */
563 template <typename Type>
564 struct ArrayOf : GenericArrayOf<USHORT, Type> {};
566 /* An array with a ULONG number of elements. */
567 template <typename Type>
568 struct LongArrayOf : GenericArrayOf<ULONG, Type> {};
570 /* Array of Offset's */
571 template <typename Type>
572 struct OffsetArrayOf : ArrayOf<OffsetTo<Type> > {};
574 /* Array of LongOffset's */
575 template <typename Type>
576 struct LongOffsetArrayOf : ArrayOf<LongOffsetTo<Type> > {};
578 /* LongArray of LongOffset's */
579 template <typename Type>
580 struct LongOffsetLongArrayOf : LongArrayOf<LongOffsetTo<Type> > {};
582 /* Array of offsets relative to the beginning of the array itself. */
583 template <typename Type>
584 struct OffsetListOf : OffsetArrayOf<Type>
586 inline const Type& operator [] (unsigned int i) const
588 if (HB_UNLIKELY (i >= this->len)) return Null(Type);
589 return this+this->array[i];
592 inline bool sanitize (SANITIZE_ARG_DEF) {
594 return OffsetArrayOf<Type>::sanitize (SANITIZE_ARG, CONST_CHARP(this));
596 inline bool sanitize (SANITIZE_ARG_DEF, unsigned int user_data) {
598 return OffsetArrayOf<Type>::sanitize (SANITIZE_ARG, CONST_CHARP(this), user_data);
603 /* An array with a USHORT number of elements,
604 * starting at second element. */
605 template <typename Type>
606 struct HeadlessArrayOf
608 inline const Type& operator [] (unsigned int i) const
610 if (HB_UNLIKELY (i >= len || !i)) return Null(Type);
613 inline unsigned int get_size () const
614 { return sizeof (len) + (len ? len - 1 : 0) * sizeof (array[0]); }
616 inline bool sanitize (SANITIZE_ARG_DEF) {
618 if (!SANITIZE_GET_SIZE()) return false;
620 * for non-recursive types, this is not much needed.
621 * But we keep the code to make sure the objects pointed to
622 * do have a simple sanitize(). */
624 unsigned int count = len ? len - 1 : 0;
625 for (unsigned int i = 0; i < count; i++)
626 if (!SANITIZE (array[i]))
636 #endif /* HB_OPEN_TYPES_PRIVATE_HH */