/* * Copyright © 2007,2008,2009,2010 Red Hat, Inc. * Copyright © 2012,2018 Google, Inc. * * This is part of HarfBuzz, a text shaping library. * * Permission is hereby granted, without written agreement and without * license or royalty fees, to use, copy, modify, and distribute this * software and its documentation for any purpose, provided that the * above copyright notice and the following two paragraphs appear in * all copies of this software. * * IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE TO ANY PARTY FOR * DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES * ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN * IF THE COPYRIGHT HOLDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH * DAMAGE. * * THE COPYRIGHT HOLDER SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND * FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS * ON AN "AS IS" BASIS, AND THE COPYRIGHT HOLDER HAS NO OBLIGATION TO * PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. * * Red Hat Author(s): Behdad Esfahbod * Google Author(s): Behdad Esfahbod */ #ifndef HB_SANITIZE_HH #define HB_SANITIZE_HH #include "hb.hh" #include "hb-blob.hh" #include "hb-dispatch.hh" /* * Sanitize * * * === Introduction === * * The sanitize machinery is at the core of our zero-cost font loading. We * mmap() font file into memory and create a blob out of it. Font subtables * are returned as a readonly sub-blob of the main font blob. These table * blobs are then sanitized before use, to ensure invalid memory access does * not happen. The toplevel sanitize API use is like, eg. to load the 'head' * table: * * hb_blob_t *head_blob = hb_sanitize_context_t ().reference_table<OT::head> (face); * * The blob then can be converted to a head table struct with: * * const head *head_table = head_blob->as<head> (); * * What the reference_table does is, to call hb_face_reference_table() to load * the table blob, sanitize it and return either the sanitized blob, or empty * blob if sanitization failed. The blob->as() function returns the null * object of its template type argument if the blob is empty. Otherwise, it * just casts the blob contents to the desired type. * * Sanitizing a blob of data with a type T works as follows (with minor * simplification): * * - Cast blob content to T*, call sanitize() method of it, * - If sanitize succeeded, return blob. * - Otherwise, if blob is not writable, try making it writable, * or copy if cannot be made writable in-place, * - Call sanitize() again. Return blob if sanitize succeeded. * - Return empty blob otherwise. * * * === The sanitize() contract === * * The sanitize() method of each object type shall return true if it's safe to * call other methods of the object, and %false otherwise. * * Note that what sanitize() checks for might align with what the specification * describes as valid table data, but does not have to be. In particular, we * do NOT want to be pedantic and concern ourselves with validity checks that * are irrelevant to our use of the table. On the contrary, we want to be * lenient with error handling and accept invalid data to the extent that it * does not impose extra burden on us. * * Based on the sanitize contract, one can see that what we check for depends * on how we use the data in other table methods. Ie. if other table methods * assume that offsets do NOT point out of the table data block, then that's * something sanitize() must check for (GSUB/GPOS/GDEF/etc work this way). On * the other hand, if other methods do such checks themselves, then sanitize() * does not have to bother with them (glyf/local work this way). The choice * depends on the table structure and sanitize() performance. For example, to * check glyf/loca offsets in sanitize() would cost O(num-glyphs). We try hard * to avoid such costs during font loading. By postponing such checks to the * actual glyph loading, we reduce the sanitize cost to O(1) and total runtime * cost to O(used-glyphs). As such, this is preferred. * * The same argument can be made re GSUB/GPOS/GDEF, but there, the table * structure is so complicated that by checking all offsets at sanitize() time, * we make the code much simpler in other methods, as offsets and referenced * objects do not need to be validated at each use site. */ /* This limits sanitizing time on really broken fonts. */ #ifndef HB_SANITIZE_MAX_EDITS #define HB_SANITIZE_MAX_EDITS … #endif #ifndef HB_SANITIZE_MAX_OPS_FACTOR #define HB_SANITIZE_MAX_OPS_FACTOR … #endif #ifndef HB_SANITIZE_MAX_OPS_MIN #define HB_SANITIZE_MAX_OPS_MIN … #endif #ifndef HB_SANITIZE_MAX_OPS_MAX #define HB_SANITIZE_MAX_OPS_MAX … #endif #ifndef HB_SANITIZE_MAX_SUBTABLES #define HB_SANITIZE_MAX_SUBTABLES … #endif struct hb_sanitize_context_t : hb_dispatch_context_t<hb_sanitize_context_t, bool, HB_DEBUG_SANITIZE> { … }; struct hb_sanitize_with_object_t { … }; #endif /* HB_SANITIZE_HH */
Codebase Browser
godot