Sanitizer for OpenType (OTS) is a small library which parses OpenType (TTF/OTF) and WOFF/WOFF2 files
(usually from @font-face) and attempts to validate and sanitize them. This
library is primarily intended to be used with Chromium. We hope this reduces
the attack surface of the system font libraries.
What the sanitizer does is as follows:
- Parses an original font. If the parsing fails, OTS rejects the original font.
- Validates the parsed data structure. If the validation fails, it rejects the original font as well.
- Creates a new font on memory by serializing the data structure, and we call this "transcoding".
By transcoding fonts in this way, it is ensured that:
- All information in an original font that OTS doesn't know or can't parse is dropped from the transcoded font.
- All information in the transcoded font is valid (standard compliant). Particularly 'length' and 'offset' values, that are often used as attack vectors, are ensured to be correct.
| Name | Mandatory table? | Supported by OTS? | Note |
|---|---|---|---|
sfnt |
Yes | Yes | Overlapped tables are not allowed; it is treated as a fatal parser error. |
maxp |
Yes | Yes | |
head |
Yes | Yes | |
hhea |
Yes | Yes | |
hmtx |
Yes | Yes | |
name |
Yes | Yes | |
OS/2 |
Yes | Yes | |
post |
Yes | Yes | |
cmap |
Yes | Partially | see below |
glyf |
Yes, for TrueType fonts | Yes | TrueType bytecode is supported, but OTS does not validate it. |
loca |
Yes, when glyf table exists | Yes | |
CFF |
Yes, for OpenType fonts | Yes | OpenType bytecode is also supported, and OTS does validate it. |
cvt |
No | Yes | Though this table is not mandatory, OTS can't drop the table from a transcoded font since it might be referred from other hinting-related tables. Errors on this table should be treated as fatal. |
fpgm |
No | Yes | Ditto. |
prep |
No | Yes | Ditto. |
VDMX |
No | Yes | This table is important for calculating the correct line spacing, at least on Chromium Windows and Chromium Linux. |
hdmx |
No | Yes | |
gasp |
No | Yes | |
VORG |
No | Yes | |
LTSH |
No | Yes | |
kern |
No | Yes | |
GDEF |
No | Yes | |
GSUB |
No | Yes | |
GPOS |
No | Yes | |
morx |
No | No | |
jstf |
No | No | |
vmtx |
No | Yes | |
vhea |
No | Yes | |
EBDT |
No | No | We don't support embedded bitmap strikes. |
EBLC |
No | No | Ditto. |
EBSC |
No | No | Ditto. |
bdat |
No | No | Ditto. |
bhed |
No | No | Ditto. |
bloc |
No | No | Ditto. |
DSIG |
No | No | |
| All other tables | - | No |
Please note that OTS library does not parse "unsupported" tables. These unsupported tables never appear in a transcoded font.
The following 9 formats are supported:
- "MS Unicode" (platform 3 encoding 1 format 4)
- BMP
- "MS UCS-4" (platform 3 encoding 10 format 12)
- "MS UCS-4 fallback" (platform 3 encoding 10 format 13)
- "MS Symbol" (platform 3 encoding 0 format 4)
- "Mac Roman" (platform 1 encoding 0 format 0)
- 1-0-0 format is supported while 1-0-6 is not.
- "Unicode default" format (platform 0 encoding 0 format 4)
- treated as 3-1-4 format
- "Unicode 1.1" format (platform 0 encoding 1 format 4)
- ditto
- "Unicode 2.0+" format (platform 0 encoding 3 format 4)
- "Unicode UCS-4" format (platform 0 encoding 4 format 12)
- treated as 3-10-12 format
- Unicode Variation Sequences (platform 0 encoding 5 format 14)
All other types of subtables are not supported and do not appear in transcoded fonts.
With regards to 8 mandatory tables, glyph-related tables (glyf, loca and CFF),
and hinting-related tables (cvt, prep, and fpgm):
- If OTS finds table-length, table-offset, or table-alignment errors, in other words it cannot continue parsing, OTS treats the error as fatal.
- If OTS finds simple value error which could be automatically fixed (e.g., font weight is greater than 900 - that's undefined), and if the error is considered common among non-malicious fonts, OTS rewrites the value and continues transcoding.
- If OTS finds a value error which is hard to fix (e.g., values which should be sorted are left unsorted), OTS treats the error as fatal.
With regards to optional tables (VORG, gasp, hdmx, LTSH, and VDMX):
- If OTS finds table-length, table-offset, or table-alignment errors, OTS treats the error as fatal.
- If OTS finds other errors, it simply drops the table from a transcoded font.
- include/opentype-sanitiser.h
- Declaration for the public API,
ots::Process(). - Definition of the
OTSStreaminterface, a write-only memory stream.
- Declaration for the public API,
- include/ots-memory-stream.h
- Definition of the
MemoryStreamclass which implements theOTSStreaminterface above.
- Definition of the
- src/ots.h
- Debug macros.
- Definition of a
Bufferclass which is a read-only memory stream.
- src/ots.cc
- Definition of the
ots::Process()function. sfnttable parser.
- Definition of the
- test/*.cc
- test tools. see test/README for details.
Please check the issues page.