Bug 82228

Summary: OpenType weight between 0 and 100 could result in assertion in FcWeightFromOpenType
Product: fontconfig Reporter: Daphne Pfister <daphnediane>
Component: libraryAssignee: fontconfig-bugs
Status: RESOLVED FIXED QA Contact: Behdad Esfahbod <freedesktop>
Severity: normal    
Priority: medium CC: freedesktop
Version: unspecified   
Hardware: Other   
OS: All   
See Also: https://bugs.freedesktop.org/show_bug.cgi?id=81453
Whiteboard:
i915 platform: i915 features:

Description Daphne Pfister 2014-08-06 07:04:29 UTC
Calling FcWeightFromOpenType with ot_weight between 1 and 99 triggers an assertion. lerp will get called with x = ot_weight, x1 = 0, x2 = 100, y1 = 0, y2 = 0. It will then compute dy = y2 - y1 = 0. Which will cause assert ( dx > 0 && dy > 0 && x1 <= x && x <= x2 ) to fail as dy is 0. Seems like if dy == 0, then it should return y1.

Possible patch

diff --git a/src/fcweight.c b/src/fcweight.c
index 87bbe67..4def775 100644
--- a/src/fcweight.c
+++ b/src/fcweight.c
@@ -45,6 +45,7 @@ static int lerp(int x, int x1, int x2, int y1, int y2)
 {
   int dx = x2 - x1;
   int dy = y2 - y1;
+  if (dy == 0 && x1 <= x && x <= x2) return y1;
   assert (dx > 0 && dy > 0 && x1 <= x && x <= x2);
   return y1 + (dy*(x-x1) + dx/2) / dx;
 }
Comment 1 Behdad Esfahbod 2014-08-06 14:40:04 UTC
Thanks.  That's definitely a bug.  I'm curious to know what numbers you see in the fonts though.  In the WPF Font Selection Model document, it suggest that if the font value in the OpenType OS/2 table is 1 to 9, then multiply it by 100.  I think I agree with that.  Now that you have seen this in the wild, what kind of values are out there?
Comment 2 Daphne Pfister 2014-08-06 14:55:27 UTC
(In reply to comment #1)
> Thanks.  That's definitely a bug.  I'm curious to know what numbers you see
> in the fonts though.  In the WPF Font Selection Model document, it suggest
> that if the font value in the OpenType OS/2 table is 1 to 9, then multiply
> it by 100.  I think I agree with that.  Now that you have seen this in the
> wild, what kind of values are out there?

To be honest only saw it through looking through source code changes, haven't hit it with any fonts yet. Looks like my bug though is a duplicate, just noticed bug 82220 which appears to be the same issue and has sample font attached that triggers it.
Comment 3 Behdad Esfahbod 2014-08-06 16:24:16 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > Thanks.  That's definitely a bug.  I'm curious to know what numbers you see
> > in the fonts though.  In the WPF Font Selection Model document, it suggest
> > that if the font value in the OpenType OS/2 table is 1 to 9, then multiply
> > it by 100.  I think I agree with that.  Now that you have seen this in the
> > wild, what kind of values are out there?
> 
> To be honest only saw it through looking through source code changes,

Oh that's really comforting to know someone's reading the code :).

> haven't hit it with any fonts yet. Looks like my bug though is a duplicate,
> just noticed bug 82220 which appears to be the same issue and has sample
> font attached that triggers it.

Ok, I'll do a survey of fonts I have access to and adjust.  Fix the crash for now:

commit 01bb6978b6389852c5259b135af45ecdfe9f42f8
Author: Behdad Esfahbod <behdad@behdad.org>
Date:   Wed Aug 6 12:23:24 2014 -0400

    Fix assertion failure
    
    https://bugs.freedesktop.org/show_bug.cgi?id=82220
    https://bugs.freedesktop.org/show_bug.cgi?id=82228

diff --git a/src/fcweight.c b/src/fcweight.c
index c62f807..313f3f2 100644
--- a/src/fcweight.c
+++ b/src/fcweight.c
@@ -45,7 +45,7 @@ static int lerp(int x, int x1, int x2, int y1, int y2)
 {
   int dx = x2 - x1;
   int dy = y2 - y1;
-  assert (dx > 0 && dy > 0 && x1 <= x && x <= x2);
+  assert (dx > 0 && dy >= 0 && x1 <= x && x <= x2);
   return y1 + (dy*(x-x1) + dx/2) / dx;
 }
Comment 4 Behdad Esfahbod 2014-08-06 16:31:06 UTC
Indeed, the font in bug 82220 had a value of 5 which I suppose the author meant MEDIUM by which.  Adjusted:

commit 80edaccc3cbd77434718e8f4731a20b410f9d10a
Author: Behdad Esfahbod <behdad@behdad.org>
Date:   Wed Aug 6 12:29:35 2014 -0400

    If OS/2 table says weight is 1 to 9, multiply by 100
    
    https://bugs.freedesktop.org/show_bug.cgi?id=82228

diff --git a/src/fcweight.c b/src/fcweight.c
index 313f3f2..77b78ad 100644
--- a/src/fcweight.c
+++ b/src/fcweight.c
@@ -53,7 +53,14 @@ int
 FcWeightFromOpenType (int ot_weight)
 {
        int i;
-       if (ot_weight <= 0 || ot_weight > 1000)
+
+       /* Follow WPF Font Selection Model's advice. */
+       if (1 <= ot_weight && ot_weight <= 9)
+           ot_weight *= 100;
+
+       /* WPF Font Selection Model rejects 1000, we allow it
+        * because Pango uses that number. */
+       if (ot_weight < 1 || ot_weight > 1000)
            return -1;

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.