Commit 1da3d318 authored by eric@webkit.org's avatar eric@webkit.org

2009-12-02 Yusuke Sato <yusukes@chromium.org>

        Reviewed by Eric Seidel.

        Sanitize web fonts using the OTS library
        https://bugs.webkit.org/show_bug.cgi?id=31106

        Add support for the OpenType Sanitizer (OTS). It parses OpenType files loaded via @font-face,
        validates them and transcodes them into a sanitized copy; a font that fails validation is
        rejected rather than loaded. We hope this reduces the attack surface of the system font
        libraries, which would otherwise parse untrusted web font data directly.

        * WebCore.gyp/WebCore.gyp: Added dependency to (chromium_src_dir)/third_party/ots/ library.
        * WebCore.gypi: Added new files below.
        * WebCore.xcodeproj/project.pbxproj: Ditto.
        * platform/graphics/chromium/FontCustomPlatformData.cpp: Validate and transcode a web font.
        (WebCore::createFontCustomPlatformData):
        * platform/graphics/mac/FontCustomPlatformData.cpp: Ditto.
        (WebCore::createFontCustomPlatformData):
        * platform/graphics/opentype/OpenTypeSanitizer.cpp: Added.
        (WebCore::OpenTypeSanitizer::sanitize):
        * platform/graphics/opentype/OpenTypeSanitizer.h: Added.
        (WebCore::OpenTypeSanitizer::OpenTypeSanitizer):
2009-12-02  Yusuke Sato  <yusukes@chromium.org>

        Reviewed by Eric Seidel.

        Sanitize web fonts using the OTS library
        https://bugs.webkit.org/show_bug.cgi?id=31106

        * DEPS: Added dependency to the OpenType sanitizer library.
        * features.gypi: Added ENABLE_OPENTYPE_SANITIZER=1.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51623 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent bdf38888
2009-12-02 Yusuke Sato <yusukes@chromium.org>
Reviewed by Eric Seidel.
Sanitize web fonts using the OTS library
https://bugs.webkit.org/show_bug.cgi?id=31106
Add support for OpenType sanitizer (OTS). It parses OpenType files (from @font-face)
and attempts to validate and sanitize them. We hope this reduces the attack surface
of the system font libraries.
* WebCore.gyp/WebCore.gyp: Added dependency to (chromium_src_dir)/third_party/ots/ library.
* WebCore.gypi: Added new files below.
* WebCore.xcodeproj/project.pbxproj: Ditto.
* platform/graphics/chromium/FontCustomPlatformData.cpp: Validate and transcode a web font.
(WebCore::createFontCustomPlatformData):
* platform/graphics/mac/FontCustomPlatformData.cpp: Ditto.
(WebCore::createFontCustomPlatformData):
* platform/graphics/opentype/OpenTypeSanitizer.cpp: Added.
(WebCore::OpenTypeSanitizer::sanitize):
* platform/graphics/opentype/OpenTypeSanitizer.h: Added.
(WebCore::OpenTypeSanitizer::OpenTypeSanitizer):
2009-12-02 Oliver Hunt <oliver@apple.com>
 
Reviewed by Sam Weinig.
......@@ -624,6 +624,7 @@
'<(chromium_src_dir)/third_party/libxml/libxml.gyp:libxml',
'<(chromium_src_dir)/third_party/libxslt/libxslt.gyp:libxslt',
'<(chromium_src_dir)/third_party/npapi/npapi.gyp:npapi',
'<(chromium_src_dir)/third_party/ots/ots.gyp:ots',
'<(chromium_src_dir)/third_party/sqlite/sqlite.gyp:sqlite',
],
'defines': [
......@@ -650,6 +651,7 @@
# filenames.
['exclude', '(android|cairo|cf|cg|curl|gtk|haiku|linux|mac|opentype|posix|qt|soup|symbian|win|wx)/'],
['exclude', '(?<!Chromium)(SVGAllInOne|Android|Cairo|CF|CG|Curl|Gtk|Linux|Mac|OpenType|POSIX|Posix|Qt|Safari|Soup|Symbian|Win|Wx)\\.(cpp|mm?)$'],
['include', 'platform/graphics/opentype/OpenTypeSanitizer\\.cpp$'],
# JSC-only.
['exclude', 'inspector/JavaScript[^/]*\\.cpp$'],
......
......@@ -2026,6 +2026,8 @@
'platform/graphics/mac/WebTiledLayer.h',
'platform/graphics/mac/WebTiledLayer.mm',
'platform/graphics/MediaPlayer.cpp',
'platform/graphics/opentype/OpenTypeSanitizer.cpp',
'platform/graphics/opentype/OpenTypeSanitizer.h',
'platform/graphics/opentype/OpenTypeUtilities.cpp',
'platform/graphics/opentype/OpenTypeUtilities.h',
'platform/graphics/qt/ColorQt.cpp',
......
......@@ -4748,6 +4748,8 @@
ED501DC60B249F2900AE18D9 /* EditorMac.mm in Sources */ = {isa = PBXBuildFile; fileRef = ED501DC50B249F2900AE18D9 /* EditorMac.mm */; };
EDE3A5000C7A430600956A37 /* ColorMac.h in Headers */ = {isa = PBXBuildFile; fileRef = EDE3A4FF0C7A430600956A37 /* ColorMac.h */; settings = {ATTRIBUTES = (Private, ); }; };
EDEC98030AED7E170059137F /* WebCorePrefix.h in Headers */ = {isa = PBXBuildFile; fileRef = EDEC98020AED7E170059137F /* WebCorePrefix.h */; };
F4EAF4AE10C742B1009100D3 /* OpenTypeSanitizer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = F4EAF4AC10C742B1009100D3 /* OpenTypeSanitizer.cpp */; };
F4EAF4AF10C742B1009100D3 /* OpenTypeSanitizer.h in Headers */ = {isa = PBXBuildFile; fileRef = F4EAF4AD10C742B1009100D3 /* OpenTypeSanitizer.h */; };
F5C041DA0FFCA7CE00839D4A /* HTMLDataListElement.cpp in Sources */ = {isa = PBXBuildFile; fileRef = F5C041D70FFCA7CE00839D4A /* HTMLDataListElement.cpp */; };
F5C041DB0FFCA7CE00839D4A /* HTMLDataListElement.h in Headers */ = {isa = PBXBuildFile; fileRef = F5C041D80FFCA7CE00839D4A /* HTMLDataListElement.h */; };
F5C041E30FFCA96D00839D4A /* DOMHTMLDataListElement.h in Headers */ = {isa = PBXBuildFile; fileRef = F5C041DE0FFCA96D00839D4A /* DOMHTMLDataListElement.h */; };
......@@ -9952,6 +9954,8 @@
ED501DC50B249F2900AE18D9 /* EditorMac.mm */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.objcpp; name = EditorMac.mm; path = mac/EditorMac.mm; sourceTree = "<group>"; };
EDE3A4FF0C7A430600956A37 /* ColorMac.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ColorMac.h; sourceTree = "<group>"; };
EDEC98020AED7E170059137F /* WebCorePrefix.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = WebCorePrefix.h; sourceTree = "<group>"; tabWidth = 4; usesTabs = 0; };
F4EAF4AC10C742B1009100D3 /* OpenTypeSanitizer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = OpenTypeSanitizer.cpp; path = opentype/OpenTypeSanitizer.cpp; sourceTree = "<group>"; };
F4EAF4AD10C742B1009100D3 /* OpenTypeSanitizer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = OpenTypeSanitizer.h; path = opentype/OpenTypeSanitizer.h; sourceTree = "<group>"; };
F523D23B02DE4396018635CA /* HTMLDocument.cpp */ = {isa = PBXFileReference; fileEncoding = 30; indentWidth = 4; lastKnownFileType = sourcecode.cpp.cpp; path = HTMLDocument.cpp; sourceTree = "<group>"; tabWidth = 8; usesTabs = 0; };
F523D23C02DE4396018635CA /* HTMLDocument.h */ = {isa = PBXFileReference; fileEncoding = 30; indentWidth = 4; lastKnownFileType = sourcecode.c.h; path = HTMLDocument.h; sourceTree = "<group>"; tabWidth = 8; usesTabs = 0; };
F523D23E02DE4396018635CA /* HTMLElement.cpp */ = {isa = PBXFileReference; fileEncoding = 30; indentWidth = 4; lastKnownFileType = sourcecode.cpp.cpp; path = HTMLElement.cpp; sourceTree = "<group>"; tabWidth = 8; usesTabs = 0; };
......@@ -14151,6 +14155,7 @@
B2A015910AF6CD53006BCE0E /* graphics */ = {
isa = PBXGroup;
children = (
F4EAF4AB10C74268009100D3 /* opentype */,
B27535290B053814002CE64F /* cg */,
A75E8B7F0E1DE2B0007F2481 /* filters */,
B27535490B053814002CE64F /* mac */,
......@@ -15133,6 +15138,15 @@
name = mac;
sourceTree = "<group>";
};
F4EAF4AB10C74268009100D3 /* opentype */ = {
isa = PBXGroup;
children = (
F4EAF4AC10C742B1009100D3 /* OpenTypeSanitizer.cpp */,
F4EAF4AD10C742B1009100D3 /* OpenTypeSanitizer.h */,
);
name = opentype;
sourceTree = "<group>";
};
F523D18402DE42E8018635CA /* css */ = {
isa = PBXGroup;
children = (
......@@ -18208,6 +18222,7 @@
7A0E76FA10BF08ED00A0276E /* InjectedScriptHost.h in Headers */,
7A0E770F10C00A8800A0276E /* InspectorFrontendHost.h in Headers */,
7A0E771F10C00DB100A0276E /* JSInspectorFrontendHost.h in Headers */,
F4EAF4AF10C742B1009100D3 /* OpenTypeSanitizer.h in Headers */,
);
runOnlyForDeploymentPostprocessing = 0;
};
......@@ -20359,6 +20374,7 @@
7A0E76F910BF08ED00A0276E /* InjectedScriptHost.cpp in Sources */,
7A0E770E10C00A8800A0276E /* InspectorFrontendHost.cpp in Sources */,
7A0E771E10C00DB100A0276E /* JSInspectorFrontendHost.cpp in Sources */,
F4EAF4AE10C742B1009100D3 /* OpenTypeSanitizer.cpp in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
......@@ -42,6 +42,7 @@
#include "FontPlatformData.h"
#include "NotImplemented.h"
#include "OpenTypeSanitizer.h"
#include "SharedBuffer.h"
#if PLATFORM(WIN_OS)
......@@ -171,6 +172,14 @@ FontCustomPlatformData* createFontCustomPlatformData(SharedBuffer* buffer)
{
ASSERT_ARG(buffer, buffer);
#if ENABLE(OPENTYPE_SANITIZER)
OpenTypeSanitizer sanitizer(buffer);
RefPtr<SharedBuffer> transcodeBuffer = sanitizer.sanitize();
if (!transcodeBuffer)
return 0; // validation failed.
buffer = transcodeBuffer.get();
#endif
#if PLATFORM(WIN_OS)
// Introduce the font to GDI. AddFontMemResourceEx should be used with care, because it will pollute the process's
// font namespace (Windows has no API for creating an HFONT from data without exposing the font to the
......
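Review bot: After `buffer = transcodeBuffer.get();` the raw `buffer` pointer aliases a SharedBuffer that is owned only by the local `transcodeBuffer`, so any code later in createFontCustomPlatformData that keeps `buffer` beyond the function's return without taking its own reference would dangle; the rest of the function is outside this hunk, so I cannot confirm whether the Windows and Linux paths copy the bytes or retain the pointer, and that is worth a one-line check. The fail-closed contract deserves a comment at the `return 0;` line, e.g. `// Fail closed: only the OTS-transcoded copy is ever handed to the platform font engine; anything OTS cannot parse and re-serialize is dropped.` Returning 0 silently also gives web developers no signal that their font was rejected, so a console or log message on that path, if the port has one at hand, would make rejections diagnosable.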
......@@ -24,6 +24,7 @@
#include <ApplicationServices/ApplicationServices.h>
#include "SharedBuffer.h"
#include "FontPlatformData.h"
#include "OpenTypeSanitizer.h"
namespace WebCore {
......@@ -43,6 +44,14 @@ FontCustomPlatformData* createFontCustomPlatformData(SharedBuffer* buffer)
{
ASSERT_ARG(buffer, buffer);
#if ENABLE(OPENTYPE_SANITIZER)
OpenTypeSanitizer sanitizer(buffer);
RefPtr<SharedBuffer> transcodeBuffer = sanitizer.sanitize();
if (!transcodeBuffer)
return 0; // validation failed.
buffer = transcodeBuffer.get();
#endif
ATSFontContainerRef containerRef = 0;
ATSFontRef fontRef = 0;
......
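Review bot: This `#if ENABLE(OPENTYPE_SANITIZER)` block is only live if the macro is defined, and within this change the only place that defines it is WebKit/chromium/features.gypi; the Xcode project now compiles OpenTypeSanitizer.cpp into WebCore, but unless the Apple build defines the macro somewhere I cannot see, the call stays compiled out and the Mac port keeps handing raw @font-face bytes to ATS. That is worth stating explicitly in the ChangeLog so nobody assumes Safari is covered, or giving the flag a default in Platform.h. The same raw-pointer aliasing applies here as in the Chromium file: `buffer` points into the local `transcodeBuffer` after the assignment, and the remainder of the function (outside the hunk) must not retain it without a ref.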
/*
* Copyright (C) 2009 Google Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following disclaimer
* in the documentation and/or other materials provided with the
* distribution.
* * Neither the name of Google Inc. nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "config.h"
#if ENABLE(OPENTYPE_SANITIZER)
#include "OpenTypeSanitizer.h"
#include "SharedBuffer.h"
#include "opentype-sanitiser.h"
#include "ots-memory-stream.h"
#include <wtf/OwnArrayPtr.h>
namespace WebCore {
PassRefPtr<SharedBuffer> OpenTypeSanitizer::sanitize()
{
if (!m_buffer)
return 0;
// This is the largest web font size which we'll try to transcode.
static const size_t maxWebFontSize = 30 * 1024 * 1024; // 30 MB
if (m_buffer->size() > maxWebFontSize)
return 0;
// A transcoded font is usually smaller than an original font.
// However, it can be slightly bigger than the original one due to
// name table replacement and/or padding for glyf table.
static const size_t padLen = 20 * 1024; // 20 kB
OwnArrayPtr<unsigned char> transcodeRawBuffer(new unsigned char[m_buffer->size() + padLen]);
ots::MemoryStream output(transcodeRawBuffer.get(), m_buffer->size() + padLen);
if (!ots::Process(&output, reinterpret_cast<const uint8_t*>(m_buffer->data()), m_buffer->size()))
return 0;
const size_t transcodeLen = output.Tell();
return SharedBuffer::create(transcodeRawBuffer.get(), transcodeLen);
}
} // namespace WebCore
#endif // ENABLE(OPENTYPE_SANITIZER)
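Review bot: sanitize() makes OTS the first parser to touch attacker-controlled font bytes in-process, so the output-buffer sizing on the `ots::MemoryStream output(...)` line is now load-bearing: correctness depends on MemoryStream refusing writes past `m_buffer->size() + padLen` and making `ots::Process` return false, rather than truncating; I cannot see the OTS side from here, so an `ASSERT(transcodeLen <= m_buffer->size() + padLen);` before the `SharedBuffer::create` call would pin that assumption cheaply. The `padLen` comment explains the 20 kB slack but not what happens when it is insufficient; a line such as `// If the transcoded font does not fit, OTS fails and the font is rejected (fail closed); we never grow the buffer.` would document the intended behaviour. It is also worth a header comment on the function noting that OTS itself is now attack surface and should be fuzzed and kept up to date with the pinned revision.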
/*
* Copyright (C) 2009 Google Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following disclaimer
* in the documentation and/or other materials provided with the
* distribution.
* * Neither the name of Google Inc. nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef OpenTypeSanitizer_h
#define OpenTypeSanitizer_h
#if ENABLE(OPENTYPE_SANITIZER)
#include <wtf/Forward.h>
namespace WebCore {
class SharedBuffer;
class OpenTypeSanitizer {
public:
explicit OpenTypeSanitizer(SharedBuffer* buffer)
: m_buffer(buffer)
{
}
PassRefPtr<SharedBuffer> sanitize();
private:
SharedBuffer* const m_buffer;
};
} // namespace WebCore
#endif // ENABLE(OPENTYPE_SANITIZER)
#endif // OpenTypeSanitizer_h
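Review bot: The class carries no contract documentation, and the one detail a caller must know is not expressed in the types: `m_buffer` is a non-owning raw pointer, so the SharedBuffer passed to the constructor must outlive the OpenTypeSanitizer. A short class comment would cover it, e.g. `// Validates and transcodes an OpenType/TrueType web font through OTS. The buffer passed in is not retained beyond sanitize(); the caller keeps it alive. sanitize() returns 0 when OTS rejects the font (fail closed) and otherwise a fresh, transcoded SharedBuffer, never the input.` Since the object holds a bare pointer, marking it non-copyable with WTF's Noncopyable would also prevent accidental copies from outliving the buffer.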
2009-12-02 Yusuke Sato <yusukes@chromium.org>
Reviewed by Eric Seidel.
Sanitize web fonts using the OTS library
https://bugs.webkit.org/show_bug.cgi?id=31106
* DEPS: Added dependency to the OpenType sanitizer library.
* features.gypi: Added ENABLE_OPENTYPE_SANITIZER=1.
2009-12-02 Evan Stade <estade@chromium.org>
Reviewed by Darin Fisher.
......
......@@ -41,6 +41,7 @@ vars = {
'gyp_rev': '751',
'icu_rev': '31724',
'openvcdiff_rev': '28',
'ots_rev': '19',
'skia_rev': '424',
'v8_rev': '3276',
......@@ -118,6 +119,9 @@ deps = {
'third_party/npapi':
Var('chromium_svn')+'/third_party/npapi@'+Var('chromium_rev'),
'third_party/ots':
'http://ots.googlecode.com/svn/trunk@'+Var('ots_rev'),
'third_party/sqlite':
Var('chromium_svn')+'/third_party/sqlite@'+Var('chromium_rev'),
......
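Review bot: The new `third_party/ots` entry pulls the sanitizer from `http://ots.googlecode.com/svn/trunk@...` over cleartext HTTP, so the code that will be the first parser of untrusted font data is itself fetched with no transport integrity; pinning `ots_rev` to 19 fixes which revision is requested but does not protect against tampering in transit. If the host offers it, `https://` for this URL would close that gap, and the other deps in this block use `Var('chromium_svn')` whose scheme I cannot see from this hunk. Given OTS's role, it is also worth noting in DEPS or the ChangeLog who owns bumping `ots_rev` when the sanitizer ships fixes.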
......@@ -50,6 +50,7 @@
'ENABLE_JSC_MULTIPLE_THREADS=0',
'ENABLE_ICONDATABASE=0',
'ENABLE_NOTIFICATIONS=1',
'ENABLE_OPENTYPE_SANITIZER=1',
'ENABLE_ORIENTATION_EVENTS=0',
'ENABLE_XSLT=1',
'ENABLE_XPATH=1',
......