Galk.interpreters.limits implementation #247
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Following a recent look into type2 fonts implementation in the library i realized there's not much there by way of securing the usage of type2 and type1 fonts. they are interpreted in order to create relevant representations in and outcome pdf, but there's no checks into the validity of glyph operators within glyphs charstrings.
This can be be problematic if you are creating a PDF that includes a faulty (or even malicious) font. normally this would not be the case...you are using fonts that you know, but if you are a general purpose mechanism allowing users to submit their fonts, there's a bit of a chance that an erring font might find it's way into your mechanism.
then you would like protections from simple things like a glyph subroutine calling another one and it in turn calling back the source subroutine, which would create an endless loop. Or just reading 2 arguments from the stack for an or operator when there's just one.
hummus will now abort in such case, rather than just reading from places it shouldn't read, with a useful trace log so you know what happened.
To avoid subr endless loop i'm holding now type2 and type1 charstrings limitations, which requires a max depth of nesting of 10. There's also arguments limit (24 for type 1, 48 for type 1), and type 2 also defines a stem hint limit, so those are upheld as well, aborting in case a font breaches those limitations.
all this should protect users of the library that use fonts from unknown source a bit better.
note that this has nothing to do with the parser, this is a purely writer MR.
Also...found 2 errors. roll operator for type 2 and get operator for type 1 had errors in their implementations...not sure it had a really interesting effective meaning.