2009-12-02 Yusuke Sato <yusukes@chromium.org>

        Reviewed by Eric Seidel.

        Sanitize web fonts using the OTS library
        https://bugs.webkit.org/show_bug.cgi?id=31106

        Add support for OpenType sanitizer (OTS). It parses OpenType files (from @font-face)
        and attempts to validate and sanitize them. We hope this reduces the attack surface
        of the system font libraries.

        * WebCore.gyp/WebCore.gyp: Added dependency to (chromium_src_dir)/third_party/ots/ library.
        * WebCore.gypi: Added new files below.
        * WebCore.xcodeproj/project.pbxproj: Ditto.
        * platform/graphics/chromium/FontCustomPlatformData.cpp: Validate and transcode a web font.
        (WebCore::createFontCustomPlatformData):
        * platform/graphics/mac/FontCustomPlatformData.cpp: Ditto.
        (WebCore::createFontCustomPlatformData):
        * platform/graphics/opentype/OpenTypeSanitizer.cpp: Added.
        (WebCore::OpenTypeSanitizer::sanitize):
        * platform/graphics/opentype/OpenTypeSanitizer.h: Added.
        (WebCore::OpenTypeSanitizer::OpenTypeSanitizer):
2009-12-02  Yusuke Sato  <yusukes@chromium.org>

        Reviewed by Eric Seidel.

        Sanitize web fonts using the OTS library
        https://bugs.webkit.org/show_bug.cgi?id=31106

        * DEPS: Added dependency to the OpenType sanitizer library.
        * features.gypi: Added ENABLE_OPENTYPE_SANITIZER=1.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51623 268f45cc-cd09-0410-ab3c-d52691b4dbfc

WebCore/ChangeLog

+2009-12-02  Yusuke Sato  <yusukes@chromium.org>
+
+        Reviewed by Eric Seidel.
+
+        Sanitize web fonts using the OTS library 
+        https://bugs.webkit.org/show_bug.cgi?id=31106
+
+        Add support for OpenType sanitizer (OTS). It parses OpenType files (from @font-face)
+        and attempts to validate and sanitize them. We hope this reduces the attack surface
+        of the system font libraries.
+
+        * WebCore.gyp/WebCore.gyp: Added dependency to (chromium_src_dir)/third_party/ots/ library.
+        * WebCore.gypi: Added new files below.
+        * WebCore.xcodeproj/project.pbxproj: Ditto.
+        * platform/graphics/chromium/FontCustomPlatformData.cpp: Validate and transcode a web font.
+        (WebCore::createFontCustomPlatformData):
+        * platform/graphics/mac/FontCustomPlatformData.cpp: Ditto.
+        (WebCore::createFontCustomPlatformData):
+        * platform/graphics/opentype/OpenTypeSanitizer.cpp: Added.
+        (WebCore::OpenTypeSanitizer::sanitize):
+        * platform/graphics/opentype/OpenTypeSanitizer.h: Added.
+        (WebCore::OpenTypeSanitizer::OpenTypeSanitizer):
+
 2009-12-02  Oliver Hunt  <oliver@apple.com>
         Reviewed by Sam Weinig.

WebCore/WebCore.gyp/WebCore.gyp

@@ -624,6 +624,7 @@
         '<(chromium_src_dir)/third_party/libxml/libxml.gyp:libxml',
         '<(chromium_src_dir)/third_party/libxslt/libxslt.gyp:libxslt',
         '<(chromium_src_dir)/third_party/npapi/npapi.gyp:npapi',
+        '<(chromium_src_dir)/third_party/ots/ots.gyp:ots',
         '<(chromium_src_dir)/third_party/sqlite/sqlite.gyp:sqlite',
       ],
       'defines': [
@@ -650,6 +651,7 @@
         # filenames.
         ['exclude', '(android|cairo|cf|cg|curl|gtk|haiku|linux|mac|opentype|posix|qt|soup|symbian|win|wx)/'],
         ['exclude', '(?<!Chromium)(SVGAllInOne|Android|Cairo|CF|CG|Curl|Gtk|Linux|Mac|OpenType|POSIX|Posix|Qt|Safari|Soup|Symbian|Win|Wx)\\.(cpp|mm?)$'],
+        ['include', 'platform/graphics/opentype/OpenTypeSanitizer\\.cpp$'],
 
         # JSC-only.
         ['exclude', 'inspector/JavaScript[^/]*\\.cpp$'],

WebCore/WebCore.gypi

@@ -2026,6 +2026,8 @@
             'platform/graphics/mac/WebTiledLayer.h',
             'platform/graphics/mac/WebTiledLayer.mm',
             'platform/graphics/MediaPlayer.cpp',
+            'platform/graphics/opentype/OpenTypeSanitizer.cpp',
+            'platform/graphics/opentype/OpenTypeSanitizer.h',
             'platform/graphics/opentype/OpenTypeUtilities.cpp',
             'platform/graphics/opentype/OpenTypeUtilities.h',
             'platform/graphics/qt/ColorQt.cpp',

WebCore/WebCore.xcodeproj/project.pbxproj

@@ -4748,6 +4748,8 @@
 		ED501DC60B249F2900AE18D9 /* EditorMac.mm in Sources */ = {isa = PBXBuildFile; fileRef = ED501DC50B249F2900AE18D9 /* EditorMac.mm */; };
 		EDE3A5000C7A430600956A37 /* ColorMac.h in Headers */ = {isa = PBXBuildFile; fileRef = EDE3A4FF0C7A430600956A37 /* ColorMac.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		EDEC98030AED7E170059137F /* WebCorePrefix.h in Headers */ = {isa = PBXBuildFile; fileRef = EDEC98020AED7E170059137F /* WebCorePrefix.h */; };
+		F4EAF4AE10C742B1009100D3 /* OpenTypeSanitizer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = F4EAF4AC10C742B1009100D3 /* OpenTypeSanitizer.cpp */; };
+		F4EAF4AF10C742B1009100D3 /* OpenTypeSanitizer.h in Headers */ = {isa = PBXBuildFile; fileRef = F4EAF4AD10C742B1009100D3 /* OpenTypeSanitizer.h */; };
 		F5C041DA0FFCA7CE00839D4A /* HTMLDataListElement.cpp in Sources */ = {isa = PBXBuildFile; fileRef = F5C041D70FFCA7CE00839D4A /* HTMLDataListElement.cpp */; };
 		F5C041DB0FFCA7CE00839D4A /* HTMLDataListElement.h in Headers */ = {isa = PBXBuildFile; fileRef = F5C041D80FFCA7CE00839D4A /* HTMLDataListElement.h */; };
 		F5C041E30FFCA96D00839D4A /* DOMHTMLDataListElement.h in Headers */ = {isa = PBXBuildFile; fileRef = F5C041DE0FFCA96D00839D4A /* DOMHTMLDataListElement.h */; };
@@ -9952,6 +9954,8 @@
 		ED501DC50B249F2900AE18D9 /* EditorMac.mm */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.objcpp; name = EditorMac.mm; path = mac/EditorMac.mm; sourceTree = "<group>"; };
 		EDE3A4FF0C7A430600956A37 /* ColorMac.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ColorMac.h; sourceTree = "<group>"; };
 		EDEC98020AED7E170059137F /* WebCorePrefix.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = WebCorePrefix.h; sourceTree = "<group>"; tabWidth = 4; usesTabs = 0; };
+		F4EAF4AC10C742B1009100D3 /* OpenTypeSanitizer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = OpenTypeSanitizer.cpp; path = opentype/OpenTypeSanitizer.cpp; sourceTree = "<group>"; };
+		F4EAF4AD10C742B1009100D3 /* OpenTypeSanitizer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = OpenTypeSanitizer.h; path = opentype/OpenTypeSanitizer.h; sourceTree = "<group>"; };
 		F523D23B02DE4396018635CA /* HTMLDocument.cpp */ = {isa = PBXFileReference; fileEncoding = 30; indentWidth = 4; lastKnownFileType = sourcecode.cpp.cpp; path = HTMLDocument.cpp; sourceTree = "<group>"; tabWidth = 8; usesTabs = 0; };
 		F523D23C02DE4396018635CA /* HTMLDocument.h */ = {isa = PBXFileReference; fileEncoding = 30; indentWidth = 4; lastKnownFileType = sourcecode.c.h; path = HTMLDocument.h; sourceTree = "<group>"; tabWidth = 8; usesTabs = 0; };
 		F523D23E02DE4396018635CA /* HTMLElement.cpp */ = {isa = PBXFileReference; fileEncoding = 30; indentWidth = 4; lastKnownFileType = sourcecode.cpp.cpp; path = HTMLElement.cpp; sourceTree = "<group>"; tabWidth = 8; usesTabs = 0; };
@@ -14151,6 +14155,7 @@
 		B2A015910AF6CD53006BCE0E /* graphics */ = {
 			isa = PBXGroup;
 			children = (
+				F4EAF4AB10C74268009100D3 /* opentype */,
 				B27535290B053814002CE64F /* cg */,
 				A75E8B7F0E1DE2B0007F2481 /* filters */,
 				B27535490B053814002CE64F /* mac */,
@@ -15133,6 +15138,15 @@
 			name = mac;
 			sourceTree = "<group>";
 		};
+		F4EAF4AB10C74268009100D3 /* opentype */ = {
+			isa = PBXGroup;
+			children = (
+				F4EAF4AC10C742B1009100D3 /* OpenTypeSanitizer.cpp */,
+				F4EAF4AD10C742B1009100D3 /* OpenTypeSanitizer.h */,
+			);
+			name = opentype;
+			sourceTree = "<group>";
+		};
 		F523D18402DE42E8018635CA /* css */ = {
 			isa = PBXGroup;
 			children = (
@@ -18208,6 +18222,7 @@
 				7A0E76FA10BF08ED00A0276E /* InjectedScriptHost.h in Headers */,
 				7A0E770F10C00A8800A0276E /* InspectorFrontendHost.h in Headers */,
 				7A0E771F10C00DB100A0276E /* JSInspectorFrontendHost.h in Headers */,
+				F4EAF4AF10C742B1009100D3 /* OpenTypeSanitizer.h in Headers */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -20359,6 +20374,7 @@
 				7A0E76F910BF08ED00A0276E /* InjectedScriptHost.cpp in Sources */,
 				7A0E770E10C00A8800A0276E /* InspectorFrontendHost.cpp in Sources */,
 				7A0E771E10C00DB100A0276E /* JSInspectorFrontendHost.cpp in Sources */,
+				F4EAF4AE10C742B1009100D3 /* OpenTypeSanitizer.cpp in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};

WebCore/platform/graphics/chromium/FontCustomPlatformData.cpp

@@ -42,6 +42,7 @@
 
 #include "FontPlatformData.h"
 #include "NotImplemented.h"
+#include "OpenTypeSanitizer.h"
 #include "SharedBuffer.h"
 
 #if PLATFORM(WIN_OS)
@@ -171,6 +172,14 @@ FontCustomPlatformData* createFontCustomPlatformData(SharedBuffer* buffer)
 {
     ASSERT_ARG(buffer, buffer);
 
+#if ENABLE(OPENTYPE_SANITIZER)
+    OpenTypeSanitizer sanitizer(buffer);
+    RefPtr<SharedBuffer> transcodeBuffer = sanitizer.sanitize();
+    if (!transcodeBuffer)
+        return 0; // validation failed.
+    buffer = transcodeBuffer.get();
+#endif
+
 #if PLATFORM(WIN_OS)
     // Introduce the font to GDI. AddFontMemResourceEx should be used with care, because it will pollute the process's
     // font namespace (Windows has no API for creating an HFONT from data without exposing the font to the

WebCore/platform/graphics/mac/FontCustomPlatformData.cpp

@@ -24,6 +24,7 @@
 #include <ApplicationServices/ApplicationServices.h>
 #include "SharedBuffer.h"
 #include "FontPlatformData.h"
+#include "OpenTypeSanitizer.h"
 
 namespace WebCore {
 
@@ -43,6 +44,14 @@ FontCustomPlatformData* createFontCustomPlatformData(SharedBuffer* buffer)
 {
     ASSERT_ARG(buffer, buffer);
 
+#if ENABLE(OPENTYPE_SANITIZER)
+    OpenTypeSanitizer sanitizer(buffer);
+    RefPtr<SharedBuffer> transcodeBuffer = sanitizer.sanitize();
+    if (!transcodeBuffer)
+        return 0; // validation failed.
+    buffer = transcodeBuffer.get();
+#endif
+
     ATSFontContainerRef containerRef = 0;
     ATSFontRef fontRef = 0;
 

WebCore/platform/graphics/opentype/OpenTypeSanitizer.cpp

+/*
+ * Copyright (C) 2009 Google Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *     * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#if ENABLE(OPENTYPE_SANITIZER)
+#include "OpenTypeSanitizer.h"
+
+#include "SharedBuffer.h"
+#include "opentype-sanitiser.h"
+#include "ots-memory-stream.h"
+#include <wtf/OwnArrayPtr.h>
+
+namespace WebCore {
+
+PassRefPtr<SharedBuffer> OpenTypeSanitizer::sanitize()
+{
+    if (!m_buffer)
+        return 0;
+
+    // This is the largest web font size which we'll try to transcode.
+    static const size_t maxWebFontSize = 30 * 1024 * 1024; // 30 MB
+    if (m_buffer->size() > maxWebFontSize)
+        return 0;
+
+    // A transcoded font is usually smaller than an original font.
+    // However, it can be slightly bigger than the original one due to
+    // name table replacement and/or padding for glyf table.
+    static const size_t padLen = 20 * 1024; // 20 kB
+
+    OwnArrayPtr<unsigned char> transcodeRawBuffer(new unsigned char[m_buffer->size() + padLen]);
+    ots::MemoryStream output(transcodeRawBuffer.get(), m_buffer->size() + padLen);
+    if (!ots::Process(&output, reinterpret_cast<const uint8_t*>(m_buffer->data()), m_buffer->size()))
+        return 0;
+
+    const size_t transcodeLen = output.Tell();
+    return SharedBuffer::create(transcodeRawBuffer.get(), transcodeLen);
+}
+
+} // namespace WebCore
+
+#endif // ENABLE(OPENTYPE_SANITIZER)

WebCore/platform/graphics/opentype/OpenTypeSanitizer.h

+/*
+ * Copyright (C) 2009 Google Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *     * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef OpenTypeSanitizer_h
+#define OpenTypeSanitizer_h
+
+#if ENABLE(OPENTYPE_SANITIZER)
+#include <wtf/Forward.h>
+
+namespace WebCore {
+
+class SharedBuffer;
+
+class OpenTypeSanitizer {
+public:
+    explicit OpenTypeSanitizer(SharedBuffer* buffer)
+        : m_buffer(buffer)
+    {
+    }
+
+    PassRefPtr<SharedBuffer> sanitize();
+
+private:
+    SharedBuffer* const m_buffer;
+};
+
+} // namespace WebCore
+
+#endif // ENABLE(OPENTYPE_SANITIZER)
+#endif // OpenTypeSanitizer_h

WebKit/chromium/ChangeLog

+2009-12-02  Yusuke Sato  <yusukes@chromium.org>
+
+        Reviewed by Eric Seidel.
+
+        Sanitize web fonts using the OTS library 
+        https://bugs.webkit.org/show_bug.cgi?id=31106
+
+        * DEPS: Added dependency to the OpenType sanitizer library.
+        * features.gypi: Added ENABLE_OPENTYPE_SANITIZER=1.
+
 2009-12-02  Evan Stade  <estade@chromium.org>
 
         Reviewed by Darin Fisher.

WebKit/chromium/DEPS

@@ -41,6 +41,7 @@ vars = {
   'gyp_rev': '751',
   'icu_rev': '31724',
   'openvcdiff_rev': '28',
+  'ots_rev': '19',
   'skia_rev': '424',
   'v8_rev': '3276',
 
@@ -118,6 +119,9 @@ deps = {
   'third_party/npapi':
     Var('chromium_svn')+'/third_party/npapi@'+Var('chromium_rev'),
 
+  'third_party/ots':
+    'http://ots.googlecode.com/svn/trunk@'+Var('ots_rev'),
+
   'third_party/sqlite':
     Var('chromium_svn')+'/third_party/sqlite@'+Var('chromium_rev'),
 

WebKit/chromium/features.gypi

@@ -50,6 +50,7 @@
         'ENABLE_JSC_MULTIPLE_THREADS=0',
         'ENABLE_ICONDATABASE=0',
         'ENABLE_NOTIFICATIONS=1',
+        'ENABLE_OPENTYPE_SANITIZER=1',
         'ENABLE_ORIENTATION_EVENTS=0',
         'ENABLE_XSLT=1',
         'ENABLE_XPATH=1',