2 * Copyright (C) 2007,2008,2009,2010 Red Hat, Inc.
4 * This is part of HarfBuzz, a text shaping library.
6 * Permission is hereby granted, without written agreement and without
7 * license or royalty fees, to use, copy, modify, and distribute this
8 * software and its documentation for any purpose, provided that the
9 * above copyright notice and the following two paragraphs appear in
10 * all copies of this software.
12 * IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE TO ANY PARTY FOR
13 * DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
14 * ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN
15 * IF THE COPYRIGHT HOLDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
18 * THE COPYRIGHT HOLDER SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING,
19 * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 * FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS
21 * ON AN "AS IS" BASIS, AND THE COPYRIGHT HOLDER HAS NO OBLIGATION TO
22 * PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
24 * Red Hat Author(s): Behdad Esfahbod
27 #ifndef HB_OPEN_TYPES_PRIVATE_HH
28 #define HB_OPEN_TYPES_PRIVATE_HH
30 #include "hb-private.h"
35 /* Table/script/language-system/feature/... not found */
36 #define NO_INDEX ((unsigned int) 0xFFFF)
43 /* Cast to "const char *" and "char *" */
44 template <typename Type> inline const char * CharP (const Type* X) { return reinterpret_cast<const char *>(X); }
45 template <typename Type> inline char * CharP (Type* X) { return reinterpret_cast<char *>(X); }
47 #define CONST_CAST(T,X,Ofs) (*(reinterpret_cast<const T *>(CharP(&(X)) + Ofs)))
48 #define DECONST_CAST(T,X,Ofs) (*(reinterpret_cast<T *>((char *)CharP(&(X)) + Ofs)))
49 #define CAST(T,X,Ofs) (*(reinterpret_cast<T *>(CharP(&(X)) + Ofs)))
52 /* StructAfter<T>(X) returns the struct T& that is placed after X.
53 * Works with X of variable size also. X must implement get_size() */
54 template<typename Type, typename TObject>
55 inline const Type& StructAfter(const TObject &X)
57 return * reinterpret_cast<const Type*> (CharP (&X) + X.get_size());
59 template<typename Type, typename TObject>
60 inline Type& StructAfter(TObject &X)
62 return * reinterpret_cast<Type*> (CharP (&X) + X.get_size());
73 /* Global nul-content Null pool. Enlarge as necessary. */
74 static const void *_NullPool[32 / sizeof (void *)];
76 /* Generic template for nul-content sizeof-sized Null objects. */
77 template <typename Type>
78 static inline const Type& Null () {
79 ASSERT_STATIC (sizeof (Type) <= sizeof (_NullPool));
80 return CONST_CAST (Type, *_NullPool, 0);
83 /* Specializaiton for arbitrary-content arbitrary-sized Null objects. */
84 #define DEFINE_NULL_DATA(Type, size, data) \
85 static const char _Null##Type[size + 1] = data; /* +1 is for nul-termination in data */ \
87 inline const Type& Null<Type> () { \
88 return CONST_CAST (Type, *_Null##Type, 0); \
89 } /* The following line really exists such that we end in a place needing semicolon */ \
90 ASSERT_STATIC (sizeof (Type) + 1 <= sizeof (_Null##Type))
93 #define Null(Type) Null<Type>()
96 /* get_for_data() is a static class method returning a reference to an
97 * instance of Type located at the input data location. It's just a
98 * fancy, NULL-safe, cast! */
99 #define STATIC_DEFINE_GET_FOR_DATA(Type) \
100 static inline const Type& get_for_data (const char *data) \
102 if (HB_UNLIKELY (data == NULL)) return Null(Type); \
103 return CONST_CAST (Type, *data, 0); \
105 /* Like get_for_data(), but checks major version first. */
106 #define STATIC_DEFINE_GET_FOR_DATA_CHECK_MAJOR_VERSION(Type, MajorMin, MajorMax) \
107 static inline const Type& get_for_data (const char *data) \
109 if (HB_UNLIKELY (data == NULL)) return Null(Type); \
110 const Type& t = CONST_CAST (Type, *data, 0); \
111 if (HB_UNLIKELY (t.version.major < MajorMin || t.version.major > MajorMax)) return Null(Type); \
120 #ifndef HB_DEBUG_SANITIZE
121 #define HB_DEBUG_SANITIZE HB_DEBUG
124 #if HB_DEBUG_SANITIZE
126 #define TRACE_SANITIZE_ARG_DEF , unsigned int sanitize_depth HB_GNUC_UNUSED
127 #define TRACE_SANITIZE_ARG , sanitize_depth + 1
128 #define TRACE_SANITIZE_ARG_INIT , 1
129 #define TRACE_SANITIZE() \
131 if (sanitize_depth < HB_DEBUG_SANITIZE) \
132 fprintf (stderr, "SANITIZE(%p) %-*d-> %s\n", \
133 (CharP (this) == CharP (&NullPool)) ? 0 : this, \
134 sanitize_depth, sanitize_depth, \
135 __PRETTY_FUNCTION__); \
138 #define TRACE_SANITIZE_ARG_DEF
139 #define TRACE_SANITIZE_ARG
140 #define TRACE_SANITIZE_ARG_INIT
141 #define TRACE_SANITIZE() HB_STMT_START {} HB_STMT_END
144 #define SANITIZE_ARG_DEF \
145 hb_sanitize_context_t *context TRACE_SANITIZE_ARG_DEF
146 #define SANITIZE_ARG \
147 context TRACE_SANITIZE_ARG
148 #define SANITIZE_ARG_INIT \
149 &context TRACE_SANITIZE_ARG_INIT
151 typedef struct _hb_sanitize_context_t hb_sanitize_context_t;
152 struct _hb_sanitize_context_t
154 const char *start, *end;
159 static HB_GNUC_UNUSED void
160 _hb_sanitize_init (hb_sanitize_context_t *context,
163 context->blob = blob;
164 context->start = hb_blob_lock (blob);
165 context->end = context->start + hb_blob_get_length (blob);
166 context->edit_count = 0;
168 #if HB_DEBUG_SANITIZE
169 fprintf (stderr, "sanitize %p init [%p..%p] (%u bytes)\n",
170 context->blob, context->start, context->end, context->end - context->start);
174 static HB_GNUC_UNUSED void
175 _hb_sanitize_fini (hb_sanitize_context_t *context,
178 #if HB_DEBUG_SANITIZE
179 fprintf (stderr, "sanitize %p fini [%p..%p] %u edit requests\n",
180 context->blob, context->start, context->end, context->edit_count);
184 hb_blob_unlock (context->blob);
187 static HB_GNUC_UNUSED inline bool
188 _hb_sanitize_check (SANITIZE_ARG_DEF,
192 bool ret = context->start <= base &&
193 base <= context->end &&
194 (unsigned int) (context->end - base) >= len;
196 #if HB_DEBUG_SANITIZE
197 if (sanitize_depth < HB_DEBUG_SANITIZE) \
198 fprintf (stderr, "SANITIZE(%p) %-*d-> check [%p..%p] (%d bytes) in [%p..%p] -> %s\n", \
200 sanitize_depth, sanitize_depth,
202 context->start, context->end,
203 ret ? "pass" : "FAIL");
208 static HB_GNUC_UNUSED inline bool
209 _hb_sanitize_array (SANITIZE_ARG_DEF,
211 unsigned int record_size,
214 bool overflows = len >= ((unsigned int) -1) / record_size;
216 #if HB_DEBUG_SANITIZE
217 if (sanitize_depth < HB_DEBUG_SANITIZE) \
218 fprintf (stderr, "SANITIZE(%p) %-*d-> array [%p..%p] (%d*%d=%ld bytes) in [%p..%p] -> %s\n", \
220 sanitize_depth, sanitize_depth,
221 base, base + (record_size * len), record_size, len, (unsigned long) record_size * len,
222 context->start, context->end,
223 !overflows ? "does not overflow" : "OVERFLOWS FAIL");
225 return HB_LIKELY (!overflows) && _hb_sanitize_check (SANITIZE_ARG, base, record_size * len);
228 static HB_GNUC_UNUSED inline bool
229 _hb_sanitize_edit (SANITIZE_ARG_DEF,
230 const char *base HB_GNUC_UNUSED,
231 unsigned int len HB_GNUC_UNUSED)
233 bool perm = hb_blob_try_writable_inplace (context->blob);
234 context->edit_count++;
236 #if HB_DEBUG_SANITIZE
237 fprintf (stderr, "SANITIZE(%p) %-*d-> edit(%u) [%p..%p] (%d bytes) in [%p..%p] -> %s\n", \
239 sanitize_depth, sanitize_depth,
242 context->start, context->end,
243 perm ? "granted" : "REJECTED");
248 #define SANITIZE(X) HB_LIKELY ((X).sanitize (SANITIZE_ARG))
249 #define SANITIZE2(X,Y) (SANITIZE (X) && SANITIZE (Y))
251 #define SANITIZE_THIS(X) HB_LIKELY ((X).sanitize (SANITIZE_ARG, CharP(this)))
252 #define SANITIZE_THIS2(X,Y) (SANITIZE_THIS (X) && SANITIZE_THIS (Y))
253 #define SANITIZE_THIS3(X,Y,Z) (SANITIZE_THIS (X) && SANITIZE_THIS (Y) && SANITIZE_THIS(Z))
255 #define SANITIZE_BASE(X,B) HB_LIKELY ((X).sanitize (SANITIZE_ARG, B))
256 #define SANITIZE_BASE2(X,Y,B) (SANITIZE_BASE (X,B) && SANITIZE_BASE (Y,B))
258 #define SANITIZE_SELF() SANITIZE_OBJ (*this)
259 #define SANITIZE_OBJ(X) SANITIZE_MEM(&(X), sizeof (X))
261 #define SANITIZE_MEM(B,L) HB_LIKELY (_hb_sanitize_check (SANITIZE_ARG, CharP(B), (L)))
263 #define SANITIZE_ARRAY(A,S,L) HB_LIKELY (_hb_sanitize_array (SANITIZE_ARG, CharP(A), S, L))
265 #define NEUTER(Var, Val) \
266 (SANITIZE_OBJ (Var) && \
267 _hb_sanitize_edit (SANITIZE_ARG, CharP(&(Var)), (Var).get_size ()) && \
268 ((Var).set (Val), true))
271 /* Template to sanitize an object. */
272 template <typename Type>
275 static hb_blob_t *sanitize (hb_blob_t *blob) {
276 hb_sanitize_context_t context;
279 /* TODO is_sane() stuff */
282 #if HB_DEBUG_SANITIZE
283 fprintf (stderr, "Sanitizer %p start %s\n", blob, __PRETTY_FUNCTION__);
286 _hb_sanitize_init (&context, blob);
288 /* We drop const here */
289 Type *t = &CAST (Type, * (char *) CharP(context.start), 0);
291 sane = t->sanitize (SANITIZE_ARG_INIT);
293 if (context.edit_count) {
294 #if HB_DEBUG_SANITIZE
295 fprintf (stderr, "Sanitizer %p passed first round with %d edits; going a second round %s\n",
296 blob, context.edit_count, __PRETTY_FUNCTION__);
298 /* sanitize again to ensure no toe-stepping */
299 context.edit_count = 0;
300 sane = t->sanitize (SANITIZE_ARG_INIT);
301 if (context.edit_count) {
302 #if HB_DEBUG_SANITIZE
303 fprintf (stderr, "Sanitizer %p requested %d edits in second round; FAILLING %s\n",
304 blob, context.edit_count, __PRETTY_FUNCTION__);
309 _hb_sanitize_fini (&context, true);
311 unsigned int edit_count = context.edit_count;
312 _hb_sanitize_fini (&context, true);
313 if (edit_count && !hb_blob_is_writable (blob) && hb_blob_try_writable (blob)) {
314 /* ok, we made it writable by relocating. try again */
315 #if HB_DEBUG_SANITIZE
316 fprintf (stderr, "Sanitizer %p retry %s\n", blob, __PRETTY_FUNCTION__);
322 #if HB_DEBUG_SANITIZE
323 fprintf (stderr, "Sanitizer %p %s %s\n", blob, sane ? "passed" : "FAILED", __PRETTY_FUNCTION__);
328 hb_blob_destroy (blob);
329 return hb_blob_create_empty ();
333 static const Type& lock_instance (hb_blob_t *blob) {
334 return Type::get_for_data (hb_blob_lock (blob));
341 * The OpenType Font File: Data Types
345 /* "The following data types are used in the OpenType font file.
346 * All OpenType fonts use Motorola-style byte ordering (Big Endian):" */
353 template <typename Type, int Bytes> class BEInt;
355 template <typename Type>
359 inline class BEInt<Type,2>& operator = (Type i) { hb_be_uint16_put (v,i); return *this; }
360 inline operator Type () const { return hb_be_uint16_get (v); }
361 inline bool operator == (const BEInt<Type, 2>& o) const { return hb_be_uint16_cmp (v, o.v); }
362 inline bool operator != (const BEInt<Type, 2>& o) const { return !(*this == o); }
363 private: uint8_t v[2];
365 template <typename Type>
369 inline class BEInt<Type,4>& operator = (Type i) { hb_be_uint32_put (v,i); return *this; }
370 inline operator Type () const { return hb_be_uint32_get (v); }
371 inline bool operator == (const BEInt<Type, 4>& o) const { return hb_be_uint32_cmp (v, o.v); }
372 inline bool operator != (const BEInt<Type, 4>& o) const { return !(*this == o); }
373 private: uint8_t v[4];
376 /* Integer types in big-endian order and no alignment requirement */
377 template <typename Type>
380 static inline unsigned int get_size () { return sizeof (Type); }
381 inline void set (Type i) { v = i; }
382 inline operator Type(void) const { return v; }
383 inline bool operator == (const IntType<Type> &o) const { return v == o.v; }
384 inline bool operator != (const IntType<Type> &o) const { return v != o.v; }
385 inline bool sanitize (SANITIZE_ARG_DEF) {
387 return SANITIZE_SELF ();
389 private: BEInt<Type, sizeof (Type)> v;
392 typedef IntType<uint16_t> USHORT; /* 16-bit unsigned integer. */
393 typedef IntType<int16_t> SHORT; /* 16-bit signed integer. */
394 typedef IntType<uint32_t> ULONG; /* 32-bit unsigned integer. */
395 typedef IntType<int32_t> LONG; /* 32-bit signed integer. */
397 ASSERT_SIZE (USHORT, 2);
398 ASSERT_SIZE (SHORT, 2);
399 ASSERT_SIZE (ULONG, 4);
400 ASSERT_SIZE (LONG, 4);
402 /* Array of four uint8s (length = 32 bits) used to identify a script, language
403 * system, feature, or baseline */
406 /* What the char* converters return is NOT nul-terminated. Print using "%.4s" */
407 inline operator const char* (void) const { return CharP(this); }
408 inline operator char* (void) { return CharP(this); }
410 inline bool sanitize (SANITIZE_ARG_DEF) {
412 /* Note: Only accept ASCII-visible tags (mind DEL)
413 * This is one of the few places (only place?) that we check
414 * for data integrity, as opposed to just boundary checks.
416 return SANITIZE_SELF () && (((uint32_t) *this) & 0x80808080) == 0;
419 ASSERT_SIZE (Tag, 4);
420 DEFINE_NULL_DATA (Tag, 4, " ");
422 /* Glyph index number, same as uint16 (length = 16 bits) */
423 typedef USHORT GlyphID;
425 /* Offset to a table, same as uint16 (length = 16 bits), Null offset = 0x0000 */
426 typedef USHORT Offset;
428 /* LongOffset to a table, same as uint32 (length = 32 bits), Null offset = 0x00000000 */
429 typedef ULONG LongOffset;
433 struct CheckSum : ULONG
435 static uint32_t CalcTableChecksum (ULONG *Table, uint32_t Length)
438 ULONG *EndPtr = Table+((Length+3) & ~3) / ULONG::get_size ();
440 while (Table < EndPtr)
445 ASSERT_SIZE (CheckSum, 4);
454 inline operator uint32_t (void) const { return (major << 16) + minor; }
456 inline bool sanitize (SANITIZE_ARG_DEF) {
458 return SANITIZE_SELF ();
464 ASSERT_SIZE (FixedVersion, 4);
469 * Template subclasses of Offset and LongOffset that do the dereferencing.
470 * Use: (this+memberName)
473 template <typename OffsetType, typename Type>
474 struct GenericOffsetTo : OffsetType
476 inline const Type& operator () (const void *base) const
478 unsigned int offset = *this;
479 if (HB_UNLIKELY (!offset)) return Null(Type);
480 return CONST_CAST(Type, *CharP(base), offset);
483 inline bool sanitize (SANITIZE_ARG_DEF, void *base) {
485 if (!SANITIZE_SELF ()) return false;
486 unsigned int offset = *this;
487 if (HB_UNLIKELY (!offset)) return true;
488 return SANITIZE (CAST(Type, *CharP(base), offset)) || NEUTER (*this, 0);
490 inline bool sanitize (SANITIZE_ARG_DEF, void *base, void *base2) {
492 if (!SANITIZE_SELF ()) return false;
493 unsigned int offset = *this;
494 if (HB_UNLIKELY (!offset)) return true;
495 return SANITIZE_BASE (CAST(Type, *CharP(base), offset), base2) || NEUTER (*this, 0);
497 inline bool sanitize (SANITIZE_ARG_DEF, void *base, unsigned int user_data) {
499 if (!SANITIZE_SELF ()) return false;
500 unsigned int offset = *this;
501 if (HB_UNLIKELY (!offset)) return true;
502 return SANITIZE_BASE (CAST(Type, *CharP(base), offset), user_data) || NEUTER (*this, 0);
505 template <typename Base, typename OffsetType, typename Type>
506 inline const Type& operator + (const Base &base, GenericOffsetTo<OffsetType, Type> offset) { return offset (base); }
508 template <typename Type>
509 struct OffsetTo : GenericOffsetTo<Offset, Type> {};
511 template <typename Type>
512 struct LongOffsetTo : GenericOffsetTo<LongOffset, Type> {};
519 template <typename LenType, typename Type>
520 struct GenericArrayOf
522 const Type *array(void) const { return &StructAfter<Type> (len); }
523 Type *array(void) { return &StructAfter<Type> (len); }
525 const Type *sub_array (unsigned int start_offset, unsigned int *pcount /* IN/OUT */) const
527 unsigned int count = len;
528 if (HB_UNLIKELY (start_offset > count))
531 count -= start_offset;
532 count = MIN (count, *pcount);
534 return array() + start_offset;
537 inline const Type& operator [] (unsigned int i) const
539 if (HB_UNLIKELY (i >= len)) return Null(Type);
542 inline unsigned int get_size () const
543 { return len.get_size () + len * Type::get_size (); }
545 inline bool sanitize_shallow (SANITIZE_ARG_DEF) {
547 return SANITIZE_SELF() && SANITIZE_ARRAY (this, Type::get_size (), len);
550 inline bool sanitize (SANITIZE_ARG_DEF) {
552 if (!HB_LIKELY (sanitize_shallow (SANITIZE_ARG))) return false;
553 /* Note: for structs that do not reference other structs,
554 * we do not need to call their sanitize() as we already did
555 * a bound check on the aggregate array size, hence the return.
558 /* We do keep this code though to make sure the structs pointed
559 * to do have a simple sanitize(), ie. they do not reference
561 unsigned int count = len;
562 for (unsigned int i = 0; i < count; i++)
563 if (!SANITIZE (array()[i]))
567 inline bool sanitize (SANITIZE_ARG_DEF, void *base) {
569 if (!HB_LIKELY (sanitize_shallow (SANITIZE_ARG))) return false;
570 unsigned int count = len;
571 for (unsigned int i = 0; i < count; i++)
572 if (!array()[i].sanitize (SANITIZE_ARG, base))
576 inline bool sanitize (SANITIZE_ARG_DEF, void *base, void *base2) {
578 if (!HB_LIKELY (sanitize_shallow (SANITIZE_ARG))) return false;
579 unsigned int count = len;
580 for (unsigned int i = 0; i < count; i++)
581 if (!array()[i].sanitize (SANITIZE_ARG, base, base2))
585 inline bool sanitize (SANITIZE_ARG_DEF, void *base, unsigned int user_data) {
587 if (!HB_LIKELY (sanitize_shallow (SANITIZE_ARG))) return false;
588 unsigned int count = len;
589 for (unsigned int i = 0; i < count; i++)
590 if (!array()[i].sanitize (SANITIZE_ARG, base, user_data))
599 /* An array with a USHORT number of elements. */
600 template <typename Type>
601 struct ArrayOf : GenericArrayOf<USHORT, Type> {};
603 /* An array with a ULONG number of elements. */
604 template <typename Type>
605 struct LongArrayOf : GenericArrayOf<ULONG, Type> {};
607 /* Array of Offset's */
608 template <typename Type>
609 struct OffsetArrayOf : ArrayOf<OffsetTo<Type> > {};
611 /* Array of LongOffset's */
612 template <typename Type>
613 struct LongOffsetArrayOf : ArrayOf<LongOffsetTo<Type> > {};
615 /* LongArray of LongOffset's */
616 template <typename Type>
617 struct LongOffsetLongArrayOf : LongArrayOf<LongOffsetTo<Type> > {};
619 /* Array of offsets relative to the beginning of the array itself. */
620 template <typename Type>
621 struct OffsetListOf : OffsetArrayOf<Type>
623 inline const Type& operator [] (unsigned int i) const
625 if (HB_UNLIKELY (i >= this->len)) return Null(Type);
626 return this+this->array()[i];
629 inline bool sanitize (SANITIZE_ARG_DEF) {
631 return OffsetArrayOf<Type>::sanitize (SANITIZE_ARG, CharP(this));
633 inline bool sanitize (SANITIZE_ARG_DEF, unsigned int user_data) {
635 return OffsetArrayOf<Type>::sanitize (SANITIZE_ARG, CharP(this), user_data);
640 /* An array with a USHORT number of elements,
641 * starting at second element. */
642 template <typename Type>
643 struct HeadlessArrayOf
645 const Type *array(void) const { return &StructAfter<Type> (len); }
646 Type *array(void) { return &StructAfter<Type> (len); }
648 inline const Type& operator [] (unsigned int i) const
650 if (HB_UNLIKELY (i >= len || !i)) return Null(Type);
653 inline unsigned int get_size () const
654 { return len.get_size () + (len ? len - 1 : 0) * Type::get_size (); }
656 inline bool sanitize_shallow (SANITIZE_ARG_DEF) {
658 return SANITIZE_SELF() && SANITIZE_ARRAY (this, Type::get_size (), len);
661 inline bool sanitize (SANITIZE_ARG_DEF) {
663 if (!HB_LIKELY (sanitize_shallow (SANITIZE_ARG))) return false;
664 /* Note: for structs that do not reference other structs,
665 * we do not need to call their sanitize() as we already did
666 * a bound check on the aggregate array size, hence the return.
669 /* We do keep this code though to make sure the structs pointed
670 * to do have a simple sanitize(), ie. they do not reference
672 unsigned int count = len ? len - 1 : 0;
674 for (unsigned int i = 0; i < count; i++)
675 if (!SANITIZE (a[i]))
685 #endif /* HB_OPEN_TYPE_PRIVATE_HH */