2 * Copyright (C) 2007,2008,2009,2010 Red Hat, Inc.
4 * This is part of HarfBuzz, an OpenType Layout engine library.
6 * Permission is hereby granted, without written agreement and without
7 * license or royalty fees, to use, copy, modify, and distribute this
8 * software and its documentation for any purpose, provided that the
9 * above copyright notice and the following two paragraphs appear in
10 * all copies of this software.
12 * IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE TO ANY PARTY FOR
13 * DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
14 * ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN
15 * IF THE COPYRIGHT HOLDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
18 * THE COPYRIGHT HOLDER SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING,
19 * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 * FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS
21 * ON AN "AS IS" BASIS, AND THE COPYRIGHT HOLDER HAS NO OBLIGATION TO
22 * PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
24 * Red Hat Author(s): Behdad Esfahbod
27 #ifndef HB_OPEN_TYPES_PRIVATE_HH
28 #define HB_OPEN_TYPES_PRIVATE_HH
30 #include "hb-private.h"
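/* Sentinel index meaning "no entry"; 0xFFFF is the largest USHORT value. */
#define NO_INDEX ((unsigned int) 0xFFFF)

/*
 * Byte-pointer casts.
 *
 * Every table type in this file is a view over raw font data, so most
 * accessors are "byte offset, then reinterpret_cast".  These macros keep
 * that pattern in one place.  None of them performs a bounds check: the
 * caller is expected to have run sanitize() over the data first.
 */

/* Any pointer -> (const) char pointer. */
#define CONST_CHARP(X) (reinterpret_cast<const char *>(X))
/* Same, but also drops constness (used where sanitize() edits data in place). */
#define DECONST_CHARP(X) (const_cast<char *>(reinterpret_cast<const char *>(X)))
#define CHARP(X) (reinterpret_cast<char *>(X))

/* Reference to a T located Ofs bytes after object X. */
#define CONST_CAST(T,X,Ofs) (*(reinterpret_cast<const T *>(CONST_CHARP(&(X)) + (Ofs))))
#define DECONST_CAST(T,X,Ofs) (*(reinterpret_cast<T *>(DECONST_CHARP(&(X)) + (Ofs))))
#define CAST(T,X,Ofs) (*(reinterpret_cast<T *>(CHARP(&(X)) + (Ofs))))

/* Reference to the T that immediately follows X, as sized by X.get_size (). */
#define CONST_NEXT(T,X) (*(reinterpret_cast<const T *>(CONST_CHARP(&(X)) + (X).get_size ())))
#define NEXT(T,X) (*(reinterpret_cast<T *>(CHARP(&(X)) + (X).get_size ())))

/* Pointer to an array of T starting right after X. */
#define CONST_ARRAY_AFTER(T,X) ((reinterpret_cast<const T *>(CONST_CHARP(&(X)) + (X).get_size ())))
#define ARRAY_AFTER(T,X) ((reinterpret_cast<T *>(CHARP(&(X)) + (X).get_size ())))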
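/* Global nul-content Null pool.  Enlarge as necessary.
 * Every generic Null<Type>() reference aliases this zero-filled buffer,
 * so sizeof (_NullPool) bounds the largest Type that may use it. */
static const void *_NullPool[32 / sizeof (void *)];

/* Generic template for nul-content sizeof-sized Null objects.
 *
 * Returns a const reference to an all-zero Type living in _NullPool.
 * Lookups that fail (NULL data, zero offset, index out of range) return
 * this object instead of NULL, so callers never dereference NULL or
 * memory outside the blob.  The static assertion rejects, at compile
 * time, any Type that does not fit in the pool. */
template <typename Type>
static inline const Type& Null () {
  ASSERT_STATIC (sizeof (Type) <= sizeof (_NullPool));
  return CONST_CAST (Type, *_NullPool, 0);
}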
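/* Specialization for arbitrary-content arbitrary-sized Null objects.
 *
 * Declares a file-static byte buffer initialized from `data` (size + 1
 * leaves room for the string literal's terminating nul) and specializes
 * Null<Type>() to return a reference into it.  For types whose Null value
 * is not all-zero bytes (see Tag below). */
#define DEFINE_NULL_DATA(Type, size, data) \
static const char _Null##Type[size + 1] = data; \
template <> \
inline const Type& Null<Type> () { \
  return CONST_CAST (Type, *_Null##Type, 0); \
}

/* Accessor macro: Null(Type) reads better than Null<Type>() in table code. */
#define Null(Type) Null<Type>()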
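/* get_for_data() is a static class method returning a reference to an
 * instance of Type located at the input data location.  It's just a
 * fancy, NULL-safe, cast!  It performs no bounds check of its own; the
 * data is expected to come from a blob that Sanitizer<Type> has already
 * accepted (see Sanitizer::lock_instance). */
#define STATIC_DEFINE_GET_FOR_DATA(Type) \
  static inline const Type& get_for_data (const char *data) \
  { \
    if (HB_UNLIKELY (data == NULL)) return Null(Type); \
    return CONST_CAST (Type, *data, 0); \
  }

/* Like get_for_data(), but checks major version first.  Data whose
 * version.major lies outside [MajorMin, MajorMax] yields Null(Type), so
 * code written for a known layout never reads a table of an unknown one. */
#define STATIC_DEFINE_GET_FOR_DATA_CHECK_MAJOR_VERSION(Type, MajorMin, MajorMax) \
  static inline const Type& get_for_data (const char *data) \
  { \
    if (HB_UNLIKELY (data == NULL)) return Null(Type); \
    const Type& t = CONST_CAST (Type, *data, 0); \
    if (HB_UNLIKELY (t.version.major < MajorMin || t.version.major > MajorMax)) return Null(Type); \
    return t; \
  }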
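/* Debug tracing for the sanitizer.  HB_DEBUG_SANITIZE doubles as a depth
 * limit: nested sanitize() calls deeper than it are not traced. */
#ifndef HB_DEBUG_SANITIZE
#define HB_DEBUG_SANITIZE HB_DEBUG
#endif

#if HB_DEBUG_SANITIZE
/* In a debug build every sanitize() carries an extra depth argument,
 * threaded through SANITIZE_ARG / SANITIZE_ARG_INIT below. */
#define TRACE_SANITIZE_ARG_DEF	, unsigned int sanitize_depth HB_GNUC_UNUSED
#define TRACE_SANITIZE_ARG	, sanitize_depth + 1
#define TRACE_SANITIZE_ARG_INIT	, 1
/* First statement of every sanitize() member: prints the object address
 * (0 when the object is the shared Null in _NullPool) and the depth.
 * The pool is _NullPool; no declaration of a bare `NullPool` is visible
 * in this file, so the comparison now names the declared array. */
#define TRACE_SANITIZE() \
	HB_STMT_START { \
	    if (sanitize_depth < HB_DEBUG_SANITIZE) \
		fprintf (stderr, "SANITIZE(%p) %-*d-> %s\n", \
			 (CONST_CHARP (this) == CONST_CHARP (_NullPool)) ? 0 : this, \
			 sanitize_depth, sanitize_depth, \
			 __PRETTY_FUNCTION__); \
	} HB_STMT_END
#else
#define TRACE_SANITIZE_ARG_DEF
#define TRACE_SANITIZE_ARG
#define TRACE_SANITIZE_ARG_INIT
#define TRACE_SANITIZE() HB_STMT_START {} HB_STMT_END
#endif

/* Parameter list, argument list and initial argument list shared by every
 * sanitize() function: the context pointer, plus the depth in debug builds. */
#define SANITIZE_ARG_DEF \
	hb_sanitize_context_t *context TRACE_SANITIZE_ARG_DEF
#define SANITIZE_ARG \
	context TRACE_SANITIZE_ARG
#define SANITIZE_ARG_INIT \
	&context TRACE_SANITIZE_ARG_INIT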
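typedef struct _hb_sanitize_context_t hb_sanitize_context_t;
/* State shared by one sanitize pass over one blob. */
struct _hb_sanitize_context_t
{
  const char *start, *end;	/* [start, end) of the locked blob's bytes */
  hb_blob_t *blob;		/* the blob being sanitized; stays locked for the pass */
  unsigned int edit_count;	/* number of in-place edits requested so far */
};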
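/* Begins a sanitize pass: locks the blob and records its [start, end)
 * byte range and a zero edit count in the context.
 * Pair with _hb_sanitize_fini(). */
static HB_GNUC_UNUSED void
_hb_sanitize_init (hb_sanitize_context_t *context,
		   hb_blob_t *blob)
{
  context->blob = blob;
  context->start = hb_blob_lock (blob);
  context->end = context->start + hb_blob_get_length (blob);
  context->edit_count = 0;

#if HB_DEBUG_SANITIZE
  /* end - start is a ptrdiff_t; cast it to match the %u conversion. */
  fprintf (stderr, "sanitize %p init [%p..%p] (%u bytes)\n",
	   context->blob, context->start, context->end,
	   (unsigned int) (context->end - context->start));
#endif
}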
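/* Ends a sanitize pass.  Unlocks the blob when `unlock` is true; the
 * context is not usable again until the next _hb_sanitize_init(). */
static HB_GNUC_UNUSED void
_hb_sanitize_fini (hb_sanitize_context_t *context,
		   bool unlock)
{
#if HB_DEBUG_SANITIZE
  fprintf (stderr, "sanitize %p fini [%p..%p] %u edit requests\n",
	   context->blob, context->start, context->end, context->edit_count);
#endif

  if (unlock)
    hb_blob_unlock (context->blob);
}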
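/* Bounds check: true iff the `len` bytes starting at `base` lie inside
 * the context's [start, end) range.
 *
 * Written as (end - base) >= len rather than base + len <= end so that a
 * bogus `len` cannot wrap the pointer arithmetic past `end`; `base <= end`
 * is tested first, which keeps the subtraction non-negative. */
static HB_GNUC_UNUSED inline bool
_hb_sanitize_check (SANITIZE_ARG_DEF,
		    const char *base,
		    unsigned int len)
{
  bool ret = context->start <= base &&
	     base <= context->end &&
	     (unsigned int) (context->end - base) >= len;

#if HB_DEBUG_SANITIZE
  if (sanitize_depth < HB_DEBUG_SANITIZE)
    fprintf (stderr, "SANITIZE(%p) %-*d-> check [%p..%p] (%u bytes) in [%p..%p] -> %s\n",
	     base,
	     sanitize_depth, sanitize_depth,
	     base, base + len, len,
	     context->start, context->end,
	     ret ? "pass" : "FAIL");
#endif
  return ret;
}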
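/* Bounds check for `len` records of `record_size` bytes each, starting
 * at `base`.
 *
 * The multiplication is guarded first: if record_size * len does not fit
 * in an unsigned int the array is rejected outright, because a wrapped
 * byte count would otherwise pass _hb_sanitize_check() with a tiny length
 * and let later indexing run off the end of the blob.  The guard is
 * slightly conservative (it also rejects len == UINT_MAX / record_size). */
static HB_GNUC_UNUSED inline bool
_hb_sanitize_array (SANITIZE_ARG_DEF,
		    const char *base,
		    unsigned int record_size,
		    unsigned int len)
{
  bool overflows = record_size > 0 && len >= ((unsigned int) -1) / record_size;

#if HB_DEBUG_SANITIZE
  if (sanitize_depth < HB_DEBUG_SANITIZE)
    fprintf (stderr, "SANITIZE(%p) %-*d-> array [%p..%p] (%u*%u=%lu bytes) in [%p..%p] -> %s\n",
	     base,
	     sanitize_depth, sanitize_depth,
	     base, base + (record_size * len), record_size, len, (unsigned long) record_size * len,
	     context->start, context->end,
	     !overflows ? "does not overflow" : "OVERFLOWS FAIL");
#endif

  /* The product is only formed once we know it cannot wrap. */
  return HB_LIKELY (!overflows) && _hb_sanitize_check (SANITIZE_ARG, base, record_size * len);
}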
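/* Asks permission to edit `len` bytes at `base` in place: the sanitizer
 * prefers to "neuter" a bad offset to 0 over rejecting the whole table.
 *
 * Returns what hb_blob_try_writable_inplace() reports for the blob; the
 * edit itself is performed by the caller (see NEUTER), which has already
 * bounds-checked base/len, so they are only used for tracing here.
 * Every request is counted in edit_count whether granted or not; that
 * count is what Sanitizer uses to decide on a second pass or a retry on
 * a writable copy. */
static HB_GNUC_UNUSED inline bool
_hb_sanitize_edit (SANITIZE_ARG_DEF,
		   const char *base HB_GNUC_UNUSED,
		   unsigned int len HB_GNUC_UNUSED)
{
  bool perm = hb_blob_try_writable_inplace (context->blob);
  context->edit_count++;

#if HB_DEBUG_SANITIZE
  fprintf (stderr, "SANITIZE(%p) %-*d-> edit(%u) [%p..%p] (%u bytes) in [%p..%p] -> %s\n",
	   base,
	   sanitize_depth, sanitize_depth,
	   context->edit_count,
	   base, base + len, len,
	   context->start, context->end,
	   perm ? "granted" : "REJECTED");
#endif

  return perm;
}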
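/* Convenience wrappers used inside sanitize() methods.  Each evaluates to
 * a bool, so they compose with &&; HB_LIKELY marks success as the
 * expected path. */

/* Sanitize sub-object X: plain, relative to `this`, or relative to an
 * explicit base B (the base forms are for offsets). */
#define SANITIZE(X) HB_LIKELY ((X).sanitize (SANITIZE_ARG))
#define SANITIZE2(X,Y) (SANITIZE (X) && SANITIZE (Y))

#define SANITIZE_THIS(X) HB_LIKELY ((X).sanitize (SANITIZE_ARG, CONST_CHARP(this)))
#define SANITIZE_THIS2(X,Y) (SANITIZE_THIS (X) && SANITIZE_THIS (Y))
#define SANITIZE_THIS3(X,Y,Z) (SANITIZE_THIS (X) && SANITIZE_THIS (Y) && SANITIZE_THIS(Z))

#define SANITIZE_BASE(X,B) HB_LIKELY ((X).sanitize (SANITIZE_ARG, B))
#define SANITIZE_BASE2(X,Y,B) (SANITIZE_BASE (X,B) && SANITIZE_BASE (Y,B))

/* Bounds-check this object's fixed part, an arbitrary object, or this
 * object's full variable-length footprint as reported by get_size (). */
#define SANITIZE_SELF() SANITIZE_OBJ (*this)
#define SANITIZE_OBJ(X) SANITIZE_MEM(&(X), sizeof (X))
/* Outer parentheses matter: callers write `if (!SANITIZE_GET_SIZE ())`.
 * Without them the `!` bound only to SANITIZE_SELF (), so the get_size ()
 * check was short-circuited away whenever the fixed part was in bounds
 * and a failed fixed-part check did not return when get_size () failed too. */
#define SANITIZE_GET_SIZE() (SANITIZE_SELF() && SANITIZE_MEM (this, this->get_size ()))

/* Raw bounds checks: L bytes at B; or L records of S bytes at A, with the
 * S*L multiplication checked for overflow before it is trusted. */
#define SANITIZE_MEM(B,L) HB_LIKELY (_hb_sanitize_check (SANITIZE_ARG, CONST_CHARP(B), (L)))
#define SANITIZE_ARRAY(A,S,L) HB_LIKELY (_hb_sanitize_array (SANITIZE_ARG, CONST_CHARP(A), S, L))

/* Neuter: if Var is in bounds and the blob may be edited in place, set Var
 * to Val and succeed; otherwise fail.  Used to zero a bad offset so the
 * referenced sub-table reads as Null instead of failing the whole table. */
#define NEUTER(Var, Val) \
	(SANITIZE_OBJ (Var) && \
	 _hb_sanitize_edit (SANITIZE_ARG, CONST_CHARP(&(Var)), sizeof (Var)) && \
	 ((Var).set (Val), true))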
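/* Template to sanitize an object.
 *
 * Sanitizer<Type>::sanitize() takes ownership of `blob`, runs
 * Type::sanitize() over its contents and returns either the same blob
 * (possibly with bad offsets neutered in place) or, when the data cannot
 * be trusted, a fresh empty blob; the input blob is destroyed in that case.
 *
 * Passes:
 *  1. If the first pass succeeds but requested edits, a second pass runs
 *     with edit_count reset; it must request nothing further.  An edit in
 *     round two means one neutering stepped on another, and the data is
 *     rejected.
 *  2. If the first pass failed after requesting edits on a read-only blob,
 *     the blob is made writable (which may relocate it) and the whole
 *     procedure restarts from init.
 *
 * Type::sanitize() must bounds-check through the context before reading
 * anything: `t` is a bare cast of the blob start, and an empty blob has
 * start == end. */
template <typename Type>
struct Sanitizer
{
  static hb_blob_t *sanitize (hb_blob_t *blob) {
    hb_sanitize_context_t context;
    bool sane;

    /* TODO is_sane() stuff */

  retry:
#if HB_DEBUG_SANITIZE
    fprintf (stderr, "Sanitizer %p start %s\n", blob, __PRETTY_FUNCTION__);
#endif

    _hb_sanitize_init (&context, blob);

    Type *t = &CAST (Type, *DECONST_CHARP(context.start), 0);

    sane = t->sanitize (SANITIZE_ARG_INIT);
    if (sane) {
      if (context.edit_count) {
#if HB_DEBUG_SANITIZE
	fprintf (stderr, "Sanitizer %p passed first round with %u edits; going a second round %s\n",
		 blob, context.edit_count, __PRETTY_FUNCTION__);
#endif
	/* sanitize again to ensure no toe-stepping */
	context.edit_count = 0;
	sane = t->sanitize (SANITIZE_ARG_INIT);
	if (context.edit_count) {
#if HB_DEBUG_SANITIZE
	  fprintf (stderr, "Sanitizer %p requested %u edits in second round; FAILLING %s\n",
		   blob, context.edit_count, __PRETTY_FUNCTION__);
#endif
	  sane = false;
	}
      }
      _hb_sanitize_fini (&context, true);
    } else {
      unsigned int edit_count = context.edit_count;
      _hb_sanitize_fini (&context, true);
      /* Edits were requested but the blob was read-only.  Unlock first,
       * since making it writable may relocate the data; then rerun from
       * init so start/end are re-read. */
      if (edit_count && !hb_blob_is_writable (blob) && hb_blob_try_writable (blob)) {
	/* ok, we made it writable by relocating.  try again */
#if HB_DEBUG_SANITIZE
	fprintf (stderr, "Sanitizer %p retry %s\n", blob, __PRETTY_FUNCTION__);
#endif
	goto retry;
      }
    }

#if HB_DEBUG_SANITIZE
    fprintf (stderr, "Sanitizer %p %s %s\n", blob, sane ? "passed" : "FAILED", __PRETTY_FUNCTION__);
#endif
    if (sane)
      return blob;
    else {
      hb_blob_destroy (blob);
      return hb_blob_create_empty ();
    }
  }

  /* Locks the blob and returns the Type view of its data (Null(Type) when
   * the lock yields NULL).  Does no sanitizing itself: call sanitize() first. */
  static const Type& lock_instance (hb_blob_t *blob) {
    return Type::get_for_data (hb_blob_lock (blob));
  }
};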
329 * The OpenType Font File: Data Types
333 /* "The following data types are used in the OpenType font file.
334 * All OpenType fonts use Motorola-style byte ordering (Big Endian):" */
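/* TODO On machines that allow unaligned access, use this version.
 * Not instantiated anywhere in this file (note the leading underscore):
 * it reinterprets the byte array as a TYPE directly, which is only valid
 * where unaligned loads are permitted.  get_size () is provided so the
 * layout matches DEFINE_INT_TYPE1, which the array templates rely on. */
#define _DEFINE_INT_TYPE1_UNALIGNED(NAME, TYPE, BIG_ENDIAN, BYTES) \
  struct NAME \
  { \
    static inline unsigned int get_size () { return BYTES; } \
    inline NAME& set (TYPE i) { (TYPE&) v = BIG_ENDIAN (i); return *this; } \
    inline operator TYPE(void) const { return BIG_ENDIAN ((TYPE&) v); } \
    inline bool operator == (const NAME &o) const { return (TYPE&) v == (TYPE&) o.v; } \
    inline bool sanitize (SANITIZE_ARG_DEF) { \
      TRACE_SANITIZE (); \
      return SANITIZE_SELF (); \
    } \
    private: unsigned char v[BYTES]; \
  }; \
  ASSERT_SIZE (NAME, BYTES)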
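/* Big-endian integer of BYTES bytes.  Storage is a plain byte array, so
 * the struct has alignment 1 and can be overlaid on font data at any
 * offset; byte-order conversion is done by the hb_be_* helpers in
 * set()/operator TYPE.  set() returns void (NEUTER relies on
 * `((Var).set (Val), true)`). */
#define DEFINE_INT_TYPE1(NAME, TYPE, BIG_ENDIAN, BYTES) \
  struct NAME \
  { \
    static inline unsigned int get_size () { return BYTES; } \
    inline void set (TYPE i) { BIG_ENDIAN##_put_unaligned(v, i); } \
    inline operator TYPE(void) const { return BIG_ENDIAN##_get_unaligned (v); } \
    inline bool operator == (const NAME &o) const { return BIG_ENDIAN##_cmp_unaligned (v, o.v); } \
    inline bool sanitize (SANITIZE_ARG_DEF) { \
      TRACE_SANITIZE (); \
      return SANITIZE_SELF (); \
    } \
    private: unsigned char v[BYTES]; \
  }; \
  ASSERT_SIZE (NAME, BYTES)
/* DEFINE_INT_TYPE (NAME, u, 16) expands to
 * DEFINE_INT_TYPE1 (NAME, uint16_t, hb_be_uint16, (16 / 8)). */
#define DEFINE_INT_TYPE0(NAME, type, b) DEFINE_INT_TYPE1 (NAME, type##_t, hb_be_##type, b)
#define DEFINE_INT_TYPE(NAME, u, w) DEFINE_INT_TYPE0 (NAME, u##int##w, (w / 8))

DEFINE_INT_TYPE (USHORT, u, 16); /* 16-bit unsigned integer. */
DEFINE_INT_TYPE (SHORT,  , 16); /* 16-bit signed integer. */
DEFINE_INT_TYPE (ULONG,  u, 32); /* 32-bit unsigned integer. */
DEFINE_INT_TYPE (LONG,   , 32); /* 32-bit signed integer. */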
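/* Array of four uint8s (length = 32 bits) used to identify a script, language
 * system, feature, or baseline */
struct Tag : ULONG
{
  /* What the char* converters return is NOT nul-terminated.  Print using "%.4s" */
  inline operator const char* (void) const { return CONST_CHARP(this); }
  inline operator char* (void) { return CHARP(this); }

  inline bool sanitize (SANITIZE_ARG_DEF) {
    TRACE_SANITIZE ();
    /* Note: Only accept ASCII-visible tags (mind DEL)
     * This is one of the few times (only time?) we check
     * for data integrity, as opposed to just boundary checks.
     * The mask fails any of the four bytes that has its high bit set. */
    return SANITIZE_SELF () && (((uint32_t) *this) & 0x80808080) == 0;
  }
};
ASSERT_SIZE (Tag, 4);
/* NOTE(review): the listing shows a one-character literal here; with
 * size 4 the null tag is presumably four spaces -- confirm against the
 * original source. */
DEFINE_NULL_DATA (Tag, 4, " ");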
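/* Glyph index number, same as uint16 (length = 16 bits) */
typedef USHORT GlyphID;

/* Offset to a table, same as uint16 (length = 16 bits), Null offset = 0x0000.
 * A zero offset means "absent"; GenericOffsetTo maps it to Null(Type). */
typedef USHORT Offset;

/* LongOffset to a table, same as uint32 (length = 32 bits), Null offset = 0x00000000 */
typedef ULONG LongOffset;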
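/* Table checksum: the sum, mod 2^32, of the table read as big-endian
 * ULONGs (via ULONG's conversion operator). */
struct CheckSum : ULONG
{
  /* Sums `Length` bytes at `Table` as 32-bit words.
   *
   * Length is rounded up to a multiple of 4 before dividing by the word
   * size, so a trailing partial word IS read: the caller must supply a
   * buffer padded to a 4-byte boundary, as OpenType tables are in a font
   * file.  Length + 3 wraps for Length > 0xFFFFFFFC, which puts EndPtr at
   * or before Table and yields a zero sum rather than a long read.
   * Accepts const input; the sum never writes to the table. */
  static uint32_t CalcTableChecksum (const ULONG *Table, uint32_t Length)
  {
    uint32_t Sum = 0L;
    const ULONG *EndPtr = Table + ((Length + 3) & ~3) / ULONG::get_size ();

    while (Table < EndPtr)
      Sum += *Table++;
    return Sum;
  }
};
ASSERT_SIZE (CheckSum, 4);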
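/* Version number as a pair of big-endian USHORTs (major.minor), also
 * readable as the 32-bit value major << 16 | minor. */
struct FixedVersion
{
  /* The shift is done in uint32_t: `major` promotes to int, and shifting
   * a value >= 0x8000 left by 16 would overflow a signed int. */
  inline operator uint32_t (void) const { return (((uint32_t) major) << 16) + minor; }

  inline bool sanitize (SANITIZE_ARG_DEF) {
    TRACE_SANITIZE ();
    return SANITIZE_SELF ();
  }

  USHORT major;
  USHORT minor;
};
ASSERT_SIZE (FixedVersion, 4);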
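/*
 * Template subclasses of Offset and LongOffset that do the dereferencing.
 * Use: (this+memberName)
 */

template <typename OffsetType, typename Type>
struct GenericOffsetTo : OffsetType
{
  /* Dereference: the Type located `offset` bytes past `base`.
   * A zero offset means "absent" and yields Null(Type).  No bounds check
   * happens here; sanitize() below is what makes this safe to call. */
  inline const Type& operator () (const void *base) const
  {
    unsigned int offset = *this;
    if (HB_UNLIKELY (!offset)) return Null(Type);
    return CONST_CAST(Type, *CONST_CHARP(base), offset);
  }

  /* Checks the offset field itself, then the sub-table it points to
   * (whose own sanitize() does the bounds check).  If the sub-table fails,
   * the offset is neutered to 0 when the blob can be edited in place, so
   * the reference degrades to Null(Type) instead of failing the whole
   * table; if it cannot be neutered, sanitize fails.  The two further
   * overloads forward a second base / a user_data value to the
   * sub-table's sanitize(). */
  inline bool sanitize (SANITIZE_ARG_DEF, const void *base) {
    TRACE_SANITIZE ();
    if (!SANITIZE_SELF ()) return false;
    unsigned int offset = *this;
    if (HB_UNLIKELY (!offset)) return true;
    return SANITIZE (CAST(Type, *DECONST_CHARP(base), offset)) || NEUTER (DECONST_CAST(OffsetType,*this,0), 0);
  }
  inline bool sanitize (SANITIZE_ARG_DEF, const void *base, const void *base2) {
    TRACE_SANITIZE ();
    if (!SANITIZE_SELF ()) return false;
    unsigned int offset = *this;
    if (HB_UNLIKELY (!offset)) return true;
    return SANITIZE_BASE (CAST(Type, *DECONST_CHARP(base), offset), base2) || NEUTER (DECONST_CAST(OffsetType,*this,0), 0);
  }
  inline bool sanitize (SANITIZE_ARG_DEF, const void *base, unsigned int user_data) {
    TRACE_SANITIZE ();
    if (!SANITIZE_SELF ()) return false;
    unsigned int offset = *this;
    if (HB_UNLIKELY (!offset)) return true;
    return SANITIZE_BASE (CAST(Type, *DECONST_CHARP(base), offset), user_data) || NEUTER (DECONST_CAST(OffsetType,*this,0), 0);
  }
};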
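/* (base + offset) -> the object `offset` points to, relative to `base`.
 * `base` is expected to be a pointer (typically `this`).  Thin sugar over
 * GenericOffsetTo::operator (); see there for the Null-on-zero and
 * no-bounds-check semantics. */
template <typename Base, typename OffsetType, typename Type>
inline const Type& operator + (const Base &base, GenericOffsetTo<OffsetType, Type> offset) { return offset (base); }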
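/* 16-bit offset to a Type; a zero offset dereferences to Null(Type). */
template <typename Type>
struct OffsetTo : GenericOffsetTo<Offset, Type> {};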
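/* 32-bit offset to a Type; a zero offset dereferences to Null(Type). */
template <typename Type>
struct LongOffsetTo : GenericOffsetTo<LongOffset, Type> {};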
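/*
 * Array Types
 */

/* An array of Type elements preceded by a LenType element count; the
 * elements start immediately after `len` (the table types here are byte
 * arrays, so there is no padding). */
template <typename LenType, typename Type>
struct GenericArrayOf
{
  const Type *const_array(void) const { return CONST_ARRAY_AFTER (Type, len); }
  Type *array(void) { return ARRAY_AFTER (Type, len); }

  /* Element access.  An index >= len yields Null(Type) instead of a read
   * past the array; `len` itself is trusted, so sanitize() must have run. */
  inline const Type& operator [] (unsigned int i) const
  {
    if (HB_UNLIKELY (i >= len)) return Null(Type);
    return const_array()[i];
  }

  /* Byte footprint: the count field plus the elements.  Evaluated in
   * unsigned int, so a large ULONG len can wrap it; that is why sanitize()
   * checks the element storage with SANITIZE_ARRAY rather than this value. */
  inline unsigned int get_size () const
  { return len.get_size () + len * Type::get_size (); }

  /* Checks the count field, then the element storage with an
   * overflow-checked count * element size.  The per-element loop below is
   * intentionally unreachable: elements of a plain array reference nothing
   * else, so the aggregate bounds check is all that is needed. */
  inline bool sanitize (SANITIZE_ARG_DEF) {
    TRACE_SANITIZE ();
    if (!(SANITIZE_SELF () && SANITIZE_ARRAY (const_array (), Type::get_size (), len))) return false;
    return true;
    /* We do keep this code though to make sure the structs pointed
     * to do have a simple sanitize(), ie. they do not reference
     * other structs. */
    unsigned int count = len;
    for (unsigned int i = 0; i < count; i++)
      if (!SANITIZE (array()[i]))
        return false;
    return true;
  }
  /* As above, but every element is then sanitized against `base` (used
   * for arrays of offsets); an element whose sanitize() returns false
   * fails the whole array. */
  inline bool sanitize (SANITIZE_ARG_DEF, const void *base) {
    TRACE_SANITIZE ();
    if (!(SANITIZE_SELF () && SANITIZE_ARRAY (const_array (), Type::get_size (), len))) return false;
    unsigned int count = len;
    for (unsigned int i = 0; i < count; i++)
      if (!array()[i].sanitize (SANITIZE_ARG, base))
        return false;
    return true;
  }
  /* Same, forwarding a second base to each element. */
  inline bool sanitize (SANITIZE_ARG_DEF, const void *base, const void *base2) {
    TRACE_SANITIZE ();
    if (!(SANITIZE_SELF () && SANITIZE_ARRAY (const_array (), Type::get_size (), len))) return false;
    unsigned int count = len;
    for (unsigned int i = 0; i < count; i++)
      if (!array()[i].sanitize (SANITIZE_ARG, base, base2))
        return false;
    return true;
  }
  /* Same, forwarding a user_data value to each element. */
  inline bool sanitize (SANITIZE_ARG_DEF, const void *base, unsigned int user_data) {
    TRACE_SANITIZE ();
    if (!(SANITIZE_SELF () && SANITIZE_ARRAY (const_array (), Type::get_size (), len))) return false;
    unsigned int count = len;
    for (unsigned int i = 0; i < count; i++)
      if (!array()[i].sanitize (SANITIZE_ARG, base, user_data))
        return false;
    return true;
  }

  LenType len;
};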
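/* An array with a USHORT number of elements. */
template <typename Type>
struct ArrayOf : GenericArrayOf<USHORT, Type> {};

/* An array with a ULONG number of elements. */
template <typename Type>
struct LongArrayOf : GenericArrayOf<ULONG, Type> {};

/* Array of Offset's.  Sanitize with a base: each element is checked
 * through GenericOffsetTo::sanitize (base). */
template <typename Type>
struct OffsetArrayOf : ArrayOf<OffsetTo<Type> > {};

/* Array of LongOffset's */
template <typename Type>
struct LongOffsetArrayOf : ArrayOf<LongOffsetTo<Type> > {};

/* LongArray of LongOffset's */
template <typename Type>
struct LongOffsetLongArrayOf : LongArrayOf<LongOffsetTo<Type> > {};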
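/* Array of offsets relative to the beginning of the array itself. */
template <typename Type>
struct OffsetListOf : OffsetArrayOf<Type>
{
  /* Dereferences the i'th offset against `this`; an out-of-range i, or
   * a zero (absent) offset, yields Null(Type). */
  inline const Type& operator [] (unsigned int i) const
  {
    if (HB_UNLIKELY (i >= this->len)) return Null(Type);
    return this+this->const_array()[i];
  }

  /* The offsets are relative to this array, so `this` is the base handed
   * to the element sanitizer. */
  inline bool sanitize (SANITIZE_ARG_DEF) {
    TRACE_SANITIZE ();
    return OffsetArrayOf<Type>::sanitize (SANITIZE_ARG, CONST_CHARP(this));
  }
  inline bool sanitize (SANITIZE_ARG_DEF, unsigned int user_data) {
    TRACE_SANITIZE ();
    return OffsetArrayOf<Type>::sanitize (SANITIZE_ARG, CONST_CHARP(this), user_data);
  }
};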
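/* An array with a USHORT number of elements,
 * starting at second element.  `len` counts the implicit first element
 * too, so only len - 1 elements are stored and index 0 is never valid. */
template <typename Type>
struct HeadlessArrayOf
{
  const Type *const_array(void) const { return CONST_ARRAY_AFTER (Type, len); }
  Type *array(void) { return ARRAY_AFTER (Type, len); }

  /* Element i for 1 <= i < len; index 0 and out-of-range indices yield
   * Null(Type).  `len` is trusted, so sanitize() must have run. */
  inline const Type& operator [] (unsigned int i) const
  {
    if (HB_UNLIKELY (i >= len || !i)) return Null(Type);
    return const_array()[i-1];
  }

  /* Byte footprint: the count plus the len - 1 stored elements (none when
   * len == 0).  Evaluated in unsigned int; sanitize() does not rely on it. */
  inline unsigned int get_size () const
  { return len.get_size () + (len ? len - 1 : 0) * Type::get_size (); }

  /* Checks the count field, then the stored elements with an
   * overflow-checked count * element size.  As in GenericArrayOf, the
   * per-element loop is intentionally unreachable. */
  inline bool sanitize (SANITIZE_ARG_DEF) {
    TRACE_SANITIZE ();
    if (!(SANITIZE_SELF () && SANITIZE_ARRAY (const_array (), Type::get_size (), (len ? len - 1 : 0)))) return false;
    return true;
    /* We do keep this code though to make sure the structs pointed
     * to do have a simple sanitize(), ie. they do not reference
     * other structs. */
    unsigned int count = len ? len - 1 : 0;
    Type *a = array ();
    for (unsigned int i = 0; i < count; i++)
      if (!SANITIZE (a[i]))
        return false;
    return true;
  }

  USHORT len;
};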
640 #endif /* HB_OPEN_TYPES_PRIVATE_HH */