Dealing with malformed/hostile fonts
Created by: SimonSapin
Quoting the README on https://github.com/khaledhosny/ots/:
The CSS font-face property[1] is great for web typography. Having to use images in order to get the correct typeface is a great sadness; one should be able to use vectors.
However, the TrueType renderers on many platforms have never been part of the attack surface before and putting them on the front line is a scary proposition. Esp on platforms like Windows where it's a closed-source blob running with high privilege.
Thus, the OpenType Sanitiser (OTS) is designed to parse and serialise OpenType files, validating them and sanitising them as it goes.
I imagine that “a scary proposition” refers to potential security vulnerabilities in FreeType and similar libraries that could be triggered by a specially-crafted font.
How do you feel about using RustType with untrusted fonts? Using a memory-safe language helps, but it’s still good to be mindful of unexpected input in e.g. parsing code.
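The kind of validation the quoted README describes, shown for the sfnt table directory only, as an added example that is not part of the original post and is not code from OTS or RustType. `FontError`, `Table`, `parse_directory` and `sample_font` are hypothetical names, and the sample bytes are constructed.

```rust
#[derive(Debug, PartialEq)]
pub enum FontError { Truncated, BadVersion, TableOutOfBounds }
#[derive(Debug, PartialEq)]
pub struct Table { pub tag: [u8; 4], pub offset: usize, pub length: usize }

// Copy N bytes starting at `at`, failing instead of indexing past the buffer.
fn read<const N: usize>(data: &[u8], at: usize) -> Result<[u8; N], FontError> {
    let end = at.checked_add(N).ok_or(FontError::Truncated)?;
    let mut out = [0u8; N];
    out.copy_from_slice(data.get(at..end).ok_or(FontError::Truncated)?);
    Ok(out)
}

pub fn parse_directory(data: &[u8]) -> Result<Vec<Table>, FontError> {
    // sfntVersion: 0x00010000 (TrueType outlines) or 'OTTO' (CFF outlines).
    let version = u32::from_be_bytes(read::<4>(data, 0)?);
    if version != 0x0001_0000 && version != 0x4F54_544F {
        return Err(FontError::BadVersion);
    }
    let num_tables = u16::from_be_bytes(read::<2>(data, 4)?) as usize;
    let dir_end = 12 + num_tables * 16; // no overflow: num_tables <= 65535
    let mut tables = Vec::new(); // grows only as records validate
    for rec in (12..dir_end).step_by(16) {
        let tag = read::<4>(data, rec)?;
        let offset = u32::from_be_bytes(read::<4>(data, rec + 8)?) as usize;
        let length = u32::from_be_bytes(read::<4>(data, rec + 12)?) as usize;
        // offset and length come from the file: reject wrap-around, data
        // past end of file, and tables that overlap the directory itself.
        let end = offset.checked_add(length).ok_or(FontError::TableOutOfBounds)?;
        if offset < dir_end || end > data.len() {
            return Err(FontError::TableOutOfBounds);
        }
        tables.push(Table { tag, offset, length });
    }
    Ok(tables)
}

// Constructed sample: header plus one 'head' record, then 8 bytes of table data.
pub fn sample_font(offset: u32, length: u32) -> Vec<u8> {
    let mut f = vec![0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0]; // version, numTables = 1
    f.extend_from_slice(b"head");
    for v in [0u32, offset, length] { f.extend_from_slice(&v.to_be_bytes()); }
    f.extend_from_slice(&[0u8; 8]);
    f
}

fn main() {
    for len in [8, 0xFFFF_FFFF] { println!("{:?}", parse_directory(&sample_font(28, len))); }
}
```

Memory safety turns an out-of-range index into a panic rather than memory corruption; returning an error for every length and offset read from the file keeps hostile input from becoming a denial of service as well.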