fonttools / ttfautohint-py

Python wrapper for ttfautohint, a free auto-hinter for TrueType fonts
https://www.freetype.org/ttfautohint/
MIT License

malloc: Heap corruption detected, free list is damaged #24

Open anthrotype opened 3 weeks ago

anthrotype commented 3 weeks ago

original issue with reproducer https://github.com/googlefonts/gftools/issues/1056

anthrotype commented 3 weeks ago

hm, the glyf table from the test font that @cmyr attached to the above linked issue (Yarndings20-Regular.ttf.zip) actually fails to be decompiled by fonttools ttx with the following error:

$ ttx /Users/clupo/Downloads/Yarndings20-Regular.ttf
Dumping "/Users/clupo/Downloads/Yarndings20-Regular.ttf" to "/Users/clupo/Downloads/Yarndings20-Regular#1.ttx"...
Dumping 'GlyphOrder' table...
Dumping 'head' table...
Dumping 'hhea' table...
Dumping 'maxp' table...
Dumping 'OS/2' table...
Dumping 'hmtx' table...
Dumping 'cmap' table...
Dumping 'fpgm' table...
Dumping 'prep' table...
Dumping 'cvt ' table...
Dumping 'loca' table...
Dumping 'glyf' table...
ERROR: An exception occurred during the decompilation of glyph program:

Traceback (most recent call last):
  File "/Users/clupo/oss/ttfautohint-py/.venv/lib/python3.13/site-packages/fontTools/ttLib/tables/ttProgram.py", line 478, in _disassemble
    mnemonic, argBits, argoffset, name = opcodeDict[op]
                                         ~~~~~~~~~~^^^^
KeyError: 191

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/clupo/oss/ttfautohint-py/.venv/lib/python3.13/site-packages/fontTools/ttLib/tables/ttProgram.py", line 254, in toXML
    assembly = self.getAssembly()
  File "/Users/clupo/oss/ttfautohint-py/.venv/lib/python3.13/site-packages/fontTools/ttLib/tables/ttProgram.py", line 245, in getAssembly
    self._disassemble(preserve=preserve)
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^
  File "/Users/clupo/oss/ttfautohint-py/.venv/lib/python3.13/site-packages/fontTools/ttLib/tables/ttProgram.py", line 503, in _disassemble
    value = (bytecode[i] << 8) | bytecode[i + 1]
             ~~~~~~~~^^^
IndexError: array index out of range

ERROR: An exception occurred during the decompilation of glyph program:

Traceback (most recent call last):
  File "/Users/clupo/oss/ttfautohint-py/.venv/lib/python3.13/site-packages/fontTools/ttLib/tables/ttProgram.py", line 478, in _disassemble
    mnemonic, argBits, argoffset, name = opcodeDict[op]
                                         ~~~~~~~~~~^^^^
KeyError: 64

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/clupo/oss/ttfautohint-py/.venv/lib/python3.13/site-packages/fontTools/ttLib/tables/ttProgram.py", line 254, in toXML
    assembly = self.getAssembly()
  File "/Users/clupo/oss/ttfautohint-py/.venv/lib/python3.13/site-packages/fontTools/ttLib/tables/ttProgram.py", line 245, in getAssembly
    self._disassemble(preserve=preserve)
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^
  File "/Users/clupo/oss/ttfautohint-py/.venv/lib/python3.13/site-packages/fontTools/ttLib/tables/ttProgram.py", line 497, in _disassemble
    value = bytecode[i]
            ~~~~~~~~^^^
IndexError: array index out of range

Dumping 'name' table...
Dumping 'post' table...
Dumping 'gasp' table...

maybe this is what causes a buffer overflow somewhere in libttfautohint?

Where does that font come from?
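The two KeyError values in the traceback above are push opcodes from the TrueType instruction set: 64 is 0x40 (NPUSHB) and 191 is 0xBF (PUSHW[7]). The IndexError that follows each one is the disassembler running off the end of the glyph program while reading that push's operand bytes, which suggests the instruction streams end in the middle of a push instruction. A consumer written in C that trusts the push count would read past the buffer in exactly that situation. The following checker is an added example, not code from ttfautohint-py or fontTools: it walks a raw instruction stream the way a disassembler must and reports the first push whose operands do not fit. The sample programs are constructed; with fontTools, a real glyph's bytes come from the glyph's `program.getBytecode()`, and the `fpgm` and `prep` tables expose their programs the same way.

```python
"""Detect TrueType instruction streams that end mid-push.

Added example (not project code). Operand lengths follow the TrueType
instruction set: NPUSHB (0x40) is followed by a count byte and that many
bytes, NPUSHW (0x41) by a count byte and twice that many bytes,
PUSHB[abc] (0xB0-0xB7) by abc+1 bytes, PUSHW[abc] (0xB8-0xBF) by
2*(abc+1) bytes.  Every other opcode occupies a single byte.  Only the
stream's framing is checked; undefined opcodes are not flagged.
"""
from dataclasses import dataclass
from typing import Dict, Optional

NPUSHB, NPUSHW = 0x40, 0x41
PUSHB_FIRST, PUSHB_LAST = 0xB0, 0xB7
PUSHW_FIRST, PUSHW_LAST = 0xB8, 0xBF


@dataclass(frozen=True)
class Verdict:
    ok: bool
    offset: int            # offset of the offending opcode, or len(code) when ok
    opcode: Optional[int]  # the push opcode that overruns, or None when ok
    needed: int            # operand bytes the opcode requires
    available: int         # operand bytes actually left in the buffer


def check_program(code: bytes) -> Verdict:
    """Walk `code` one instruction at a time and verify that every push's
    operand bytes lie inside the buffer.  Returns at the first overrun."""
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        if op in (NPUSHB, NPUSHW):
            # The count byte itself must be present before it can be read.
            if i + 1 >= n:
                return Verdict(False, i, op, 1, 0)
            count = code[i + 1]
            needed = 1 + count * (2 if op == NPUSHW else 1)
        elif PUSHB_FIRST <= op <= PUSHB_LAST:
            needed = (op - PUSHB_FIRST) + 1
        elif PUSHW_FIRST <= op <= PUSHW_LAST:
            needed = 2 * ((op - PUSHW_FIRST) + 1)
        else:
            needed = 0  # single-byte instruction, operands come from the stack
        available = n - (i + 1)
        if needed > available:
            return Verdict(False, i, op, needed, available)
        i += 1 + needed
    return Verdict(True, n, None, 0, 0)


def find_truncated_programs(programs: Dict[str, bytes]) -> Dict[str, Verdict]:
    """Map glyph (or table) name -> Verdict for every program that overruns."""
    results = {name: check_program(code) for name, code in programs.items()}
    return {name: v for name, v in results.items() if not v.ok}


# Constructed sample programs (hypothetical glyph names, not from the font in
# the issue).  Two are well-formed; two end inside a push's operand bytes,
# using the same opcodes the fontTools traceback reports (0x40 and 0xBF).
SAMPLE_PROGRAMS = {
    "glyph_ok_pushb": bytes([0xB1, 0x03, 0x05, 0x01]),          # PUSHB[1] 3 5; SVTCA
    "glyph_ok_npushw": bytes([0x41, 0x02, 0x00, 0x10, 0xFF, 0xF0]),  # NPUSHW 2 words
    "glyph_truncated_npushb": bytes([0x40, 0x05, 0x01, 0x02]),  # says 5 bytes, has 2
    "glyph_truncated_pushw": bytes([0x01, 0xBF, 0x00, 0x01]),   # PUSHW[7] needs 16 bytes
}


if __name__ == "__main__":
    for name, verdict in find_truncated_programs(SAMPLE_PROGRAMS).items():
        print(
            f"{name}: opcode 0x{verdict.opcode:02X} at offset {verdict.offset} "
            f"needs {verdict.needed} operand byte(s), only {verdict.available} left"
        )
```

Running the checker over every glyph program (plus `fpgm` and `prep`) before a font is handed to a native hinter turns the speculative "buffer overflow somewhere" into a concrete, reproducible finding: either the font is rejected with the offending glyph and offset named, or the streams are well-formed and the crash must come from elsewhere.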

cmyr commented 3 weeks ago

the file was compiled from the source at https://github.com/scfried/soft-type-yarndings.

anthrotype commented 3 weeks ago

I banged my head on this today but could not find the root cause. I can't reproduce it with the vanilla ttfautohint executable (the original upstream C++ one). I wrote this 7 years ago and have forgotten almost everything. 😳