freetype · skypher · Dec 20, 2025 · Dec 20, 2025 · Dec 20, 2025 · Dec 20, 2025
diff --git a/external/freetype2 b/external/freetype2
diff --git a/fuzzing/CMakeLists.txt b/fuzzing/CMakeLists.txt
@@ -52,40 +52,23 @@ set(FREETYPE_BASE_DIR       "${SUBMODULES_DIR}/freetype2")
 set(FREETYPE_SRC_DIR        "${FREETYPE_BASE_DIR}/src")
 set(FREETYPE_STATIC_LIBRARY "${FREETYPE_BASE_DIR}/objs/.libs/libfreetype.a")
 
-set(GLOG_BASE_DIR       "${SUBMODULES_DIR}/glog")
-set(GLOG_SRC_DIR        "${GLOG_BASE_DIR}/src")
-set(GLOG_BUILD_DIR      "${GLOG_BASE_DIR}/build")
-set(GLOG_STATIC_LIBRARY "${GLOG_BUILD_DIR}/libglog.a")
+set(GLOG_STATIC_LIBRARY "")
 
 set(LIBARCHIVE_BASE_DIR       "${SUBMODULES_DIR}/libarchive")
 set(LIBARCHIVE_SRC_DIR        "${LIBARCHIVE_BASE_DIR}/src")
 set(LIBARCHIVE_STATIC_LIBRARY "${LIBARCHIVE_BASE_DIR}/.libs/libarchive.a")
 
-set(BZIP2_BASE_DIR       "${SUBMODULES_DIR}/bzip2")
-set(BZIP2_STATIC_LIBRARY "${BZIP2_BASE_DIR}/libbz2.a")
+set(BZIP2_STATIC_LIBRARY "bz2")
 
-set(BROTLI_BASE_DIR  "${SUBMODULES_DIR}/brotli")
-set(BROTLI_BUILD_DIR "${BROTLI_BASE_DIR}/build")
-set(BROTLI_STATIC_LIBRARY
-  "${BROTLI_BUILD_DIR}/libbrotlidec-static.a"
-  "${BROTLI_BUILD_DIR}/libbrotlicommon-static.a")
+set(BROTLI_STATIC_LIBRARY "brotlidec" "brotlicommon")
 
-set(ZLIB_BASE_DIR  "${SUBMODULES_DIR}/zlib")
-set(ZLIB_STATIC_LIBRARY "${ZLIB_BASE_DIR}/usr/lib-asan/libz.a")
+set(ZLIB_STATIC_LIBRARY "z")
 
-set(LIBPNG_BASE_DIR  "${SUBMODULES_DIR}/libpng")
-set(LIBPNG_STATIC_LIBRARY "${LIBPNG_BASE_DIR}/usr/lib-asan/libpng.a")
+set(LIBPNG_STATIC_LIBRARY "png")
+
+set(LIBCXX_STATIC_LIBRARY "")
+add_compile_options("-I${LIBARCHIVE_BASE_DIR}/libarchive")
 
-set(LIBCXX_BASE_DIR  "${SUBMODULES_DIR}/llvm-project")
-set(LIBCXX_BUILD_DIR "${LIBCXX_BASE_DIR}/build")
-set(LIBCXX_STATIC_LIBRARY
-  "${LIBCXX_BUILD_DIR}/lib/libc++.a"
-  "${LIBCXX_BUILD_DIR}/lib/libc++abi.a")
-add_compile_options(
-  "-I${LIBCXX_BUILD_DIR}/include"
-  "-I${LIBCXX_BUILD_DIR}/include/c++/v1"
-  "-nostdinc++")
-add_link_options("-nostdlib++")
 
 # ----------------------------------------------------------------------------
 # functions:
@@ -115,6 +98,16 @@ endfunction()
 # ----------------------------------------------------------------------------
 # fuzz targets:
 
+add_fuzz_target(
+  "cache"
+  "freetype::CacheFuzzTarget"
+  "targets/CacheFuzzTarget.h")
+
+add_fuzz_target(
+  "properties"
+  "freetype::PropertiesFuzzTarget"
+  "targets/PropertiesFuzzTarget.h")
+
 add_fuzz_target(
   "bdf"
   "freetype::BdfFuzzTarget"
@@ -167,6 +160,11 @@ add_fuzz_target(
   "freetype::PcfRenderFuzzTarget"
   "targets/font-drivers/pcf-render.h")
 
+add_fuzz_target(
+  "pfr"
+  "freetype::PfrFuzzTarget"
+  "targets/font-drivers/pfr.h")
+
 add_fuzz_target(
   "truetype"
   "freetype::TrueTypeFuzzTarget"

diff --git a/fuzzing/README.md b/fuzzing/README.md
@@ -87,7 +87,7 @@ https://www.freetype.org/freetype2/docs/reference/ft2-base_interface.html
 | 2.2.2 | `FT_Done_Face`       | :heavy_check_mark: | Face                     | 6.1.1 |                  |
 | 2.2.3 | `FT_Reference_Face`  |                    | Face                     |       |                  |
 | 2.2.4 | `FT_New_Memory_Face` | :heavy_check_mark: | Library <br> Bytes       | 2.2.6 |                  |
-| 2.2.5 | `FT_Face_Properties` |                    | Face                     |       |                  |
+| 2.2.5 | `FT_Face_Properties` | :heavy_check_mark: | Face                     |       |                  |
 | 2.2.6 | `FT_Open_Face`       | :heavy_check_mark: | Library                  | 6.1.2 | 2.2.4 <br> 2.2.8 |
 | 2.2.7 | `FT_Attach_File`     |                    | Face <br> File Path      |       |                  |
 | 2.2.8 | `FT_Attach_Stream`   | :heavy_check_mark: | Face <br> Bytes          | 2.2.6 |                  |
@@ -257,11 +257,11 @@ https://www.freetype.org/freetype2/docs/reference/ft2-cid_fonts.html
 
 https://www.freetype.org/freetype2/docs/reference/ft2-pfr_fonts.html
 
-|        | Function             | Fuzzed |
-| ------ | -------------------- | :----: |
-| 13.1.1 | `FT_Get_PFR_Metrics` |        |
-| 13.1.2 | `FT_Get_PFR_Kerning` |        |
-| 13.1.3 | `FT_Get_PFR_Advance` |        |
+|        | Function             | Fuzzed             |
+| ------ | -------------------- | :----------------: |
+| 13.1.1 | `FT_Get_PFR_Metrics` | :heavy_check_mark: |
+| 13.1.2 | `FT_Get_PFR_Kerning` | :heavy_check_mark: |
+| 13.1.3 | `FT_Get_PFR_Advance` | :heavy_check_mark: |
 
 ### Window FNT Files
 
@@ -318,23 +318,23 @@ https://www.freetype.org/freetype2/docs/reference/ft2-properties.html
 
 https://www.freetype.org/freetype2/docs/reference/ft2-cache_subsystem.html
 
-|         | Function                      | Fuzzed |
-| ------- | ----------------------------- | :----: |
-| 18.1.1  | `FTC_Manager_New`             |        |
-| 18.1.2  | `FTC_Manager_Reset`           |        |
-| 18.1.3  | `FTC_Manager_Done`            |        |
-| 18.1.4  | `FTC_Manager_LookupFace`      |        |
-| 18.1.5  | `FTC_Manager_LookupSize`      |        |
-| 18.1.6  | `FTC_Manager_RemoveFaceID`    |        |
-| 18.1.7  | `FTC_Node_Unref`              |        |
-| 18.1.8  | `FTC_ImageCache_New`          |        |
-| 18.1.9  | `FTC_ImageCache_Lookup`       |        |
-| 18.1.10 | `FTC_SBitCache_New`           |        |
-| 18.1.11 | `FTC_SBitCache_Lookup`        |        |
-| 18.1.12 | `FTC_CMapCache_New`           |        |
-| 18.1.13 | `FTC_CMapCache_Lookup`        |        |
-| 18.1.14 | `FTC_ImageCache_LookupScaler` |        |
-| 18.1.15 | `FTC_SBitCache_LookupScaler`  |        |
+|         | Function                      | Fuzzed             |
+| ------- | ----------------------------- | :----------------: |
+| 18.1.1  | `FTC_Manager_New`             | :heavy_check_mark: |
+| 18.1.2  | `FTC_Manager_Reset`           | :heavy_check_mark: |
+| 18.1.3  | `FTC_Manager_Done`            | :heavy_check_mark: |
+| 18.1.4  | `FTC_Manager_LookupFace`      | :heavy_check_mark: |
+| 18.1.5  | `FTC_Manager_LookupSize`      | :heavy_check_mark: |
+| 18.1.6  | `FTC_Manager_RemoveFaceID`    | :heavy_check_mark: |
+| 18.1.7  | `FTC_Node_Unref`              | :heavy_check_mark: |
+| 18.1.8  | `FTC_ImageCache_New`          | :heavy_check_mark: |
+| 18.1.9  | `FTC_ImageCache_Lookup`       | :heavy_check_mark: |
+| 18.1.10 | `FTC_SBitCache_New`           | :heavy_check_mark: |
+| 18.1.11 | `FTC_SBitCache_Lookup`        | :heavy_check_mark: |
+| 18.1.12 | `FTC_CMapCache_New`           | :heavy_check_mark: |
+| 18.1.13 | `FTC_CMapCache_Lookup`        | :heavy_check_mark: |
+| 18.1.14 | `FTC_ImageCache_LookupScaler` | :heavy_check_mark: |
+| 18.1.15 | `FTC_SBitCache_LookupScaler`  | :heavy_check_mark: |
 
 ### Outline Processing
 

diff --git a/fuzzing/corpora/cache/seed_cache.bin b/fuzzing/corpora/cache/seed_cache.bin
diff --git a/fuzzing/corpora/pfr/dummy.pfr b/fuzzing/corpora/pfr/dummy.pfr
@@ -0,0 +1 @@
+DUMMY PFR
diff --git a/fuzzing/corpora/properties/CMap2.ttf b/fuzzing/corpora/properties/CMap2.ttf
diff --git a/fuzzing/scripts/build/freetype.sh b/fuzzing/scripts/build/freetype.sh
@@ -39,11 +39,13 @@ if [[ "${#}" == "0" || "${1}" != "--no-init" ]]; then
     export BROTLI_CFLAGS="-I../brotli/c/include"
     export BROTLI_LIBS="-l../brotli/build/libbrotlidec-static.a"
 
+    lib_suffix=$( bash "$( dirname "$0" )/get_lib_suffix.sh" )
+
     export ZLIB_CFLAGS="-I../zlib/usr/include"
-    export ZLIB_LIBS="-l../zlib/usr/lib-asan/libz.a"
+    export ZLIB_LIBS="-l../zlib/usr/${lib_suffix}/libz.a"
 
     export LIBPNG_CFLAGS="-I../libpng/usr/include"
-    export LIBPNG_LIBS="-l../libpng/usr/lib-asan/libpng.a"
+    export LIBPNG_LIBS="-l../libpng/usr/${lib_suffix}/libpng.a"
 
     # Having additional libraries is pain since they have to be linked
     # statically for OSS-Fuzz.  Should additional libraries be required, they

diff --git a/fuzzing/scripts/build/get_lib_suffix.sh b/fuzzing/scripts/build/get_lib_suffix.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# get_lib_suffix.sh
+# Returns the library directory suffix based on CFLAGS.
+
+if [[ "${CFLAGS:-}" == *"-fsanitize=memory"* ]]; then
+  echo "lib-msan"
+elif [[ "${CFLAGS:-}" == *"-fsanitize=address"* ]]; then
+  echo "lib-asan"
+elif [[ "${CFLAGS:-}" == *"-fsanitize=undefined"* ]]; then
+  echo "lib-ubsan"
+else
+  echo "lib-asan"
+fi
diff --git a/fuzzing/scripts/build/libpng.sh b/fuzzing/scripts/build/libpng.sh
@@ -43,15 +43,17 @@ if [[ "${#}" -lt "1" || "${1}" != "--no-init" ]]; then
 
     mkdir -p "${path_to_build}" && cd "${path_to_build}"
 
+    lib_suffix=$( bash "$( dirname "$0" )/get_lib_suffix.sh" )
+
     # Depending on the OS, the library gets installed in `.../lib` or
     # `.../lib64` (or maybe even somewhere else).  For simplicity, however,
     # we want a location that is independent of the OS, thus the `--libdir`
     # argument.
     CPPFLAGS="-I${path_to_zlib}/usr/include" \
-    LDFLAGS="-L${path_to_zlib}/usr/lib-asan" \
+    LDFLAGS="-L${path_to_zlib}/usr/${lib_suffix}" \
     sh ../configure --with-libpng-prefix=OSS_FUZZ_ \
                     --prefix="${path_to_install}" \
-                    --libdir="${path_to_install}/lib-asan" \
+                    --libdir="${path_to_install}/${lib_suffix}" \
                     --enable-static \
                     --disable-shared
 fi

diff --git a/fuzzing/scripts/build/zlib.sh b/fuzzing/scripts/build/zlib.sh
@@ -29,12 +29,15 @@ if [[ "${#}" -lt "1" || "${1}" != "--no-init" ]]; then
     git rev-parse HEAD
 
     mkdir -p "${path_to_build}" && cd "${path_to_build}"
+
+    lib_suffix=$( bash "$( dirname "$0" )/get_lib_suffix.sh" )
+
     # 'zlib' is a dependency of 'libpng'; the library must thus be installed
     # in the same directory as 'libpng'.  See `libpng.sh` for more
     # information why `--libdir` is necessary.
     sh ./configure --zprefix \
                    --prefix="${path_to_install}" \
-                   --libdir="${path_to_install}/lib-asan" \
+                   --libdir="${path_to_install}/${lib_suffix}" \
                    --static
 fi
 

diff --git a/fuzzing/scripts/generate_cache_seed.py b/fuzzing/scripts/generate_cache_seed.py
@@ -0,0 +1,37 @@
+import os
+
+def create_cache_seed():
+    # Command sequence
+    # 1 (LookupFace)
+    # 2 (LookupSize) -> 16, 16
+    # 4 (ImageLookup) -> 3, 0, 16, 16
+    # 6 (CMapLookup) -> 65, 0, 0
+    # 9 (Unref)
+    commands = bytes([
+        1,
+        2, 16, 16,
+        4, 3, 0, 16, 16,
+        6, 65, 0, 0,
+        9,
+        9
+    ])
+
+    # Read CMap2.ttf
+    try:
+        with open("freetype-testing/fuzzing/corpora/truetype/bungeman/CMap2.ttf", "rb") as f:
+            ttf_data = f.read()
+
+        # Write combined file
+        with open("seed_cache.bin", "wb") as f:
+            f.write(ttf_data)
+            f.write(commands)
+
+        print("Created seed_cache.bin")
+
+    except FileNotFoundError:
+        print("CMap2.ttf not found, creating dummy seed")
+        with open("seed_cache.bin", "wb") as f:
+            f.write(b"DUMMY_TTF_HEADER" + commands)
+
+if __name__ == "__main__":
+    create_cache_seed()
diff --git a/fuzzing/scripts/prepare-oss-fuzz.sh b/fuzzing/scripts/prepare-oss-fuzz.sh
@@ -20,6 +20,9 @@ settings_base_dir=$( readlink -f "../settings/oss-fuzz"  )
 fuzzers=(
     "legacy"
 
+    "cache"
+    "properties"
+
     "bdf"
     "bdf-render"
 
@@ -38,6 +41,8 @@ fuzzers=(
     "pcf"
     "pcf-render"
 
+    "pfr"
+
     "truetype"
     "truetype-render"
     "truetype-render-i35"

diff --git a/fuzzing/settings/oss-fuzz/cache.options b/fuzzing/settings/oss-fuzz/cache.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 2000000
diff --git a/fuzzing/settings/oss-fuzz/pfr.dict b/fuzzing/settings/oss-fuzz/pfr.dict
@@ -0,0 +1,3 @@
+# PFR Fuzzing Dictionary
+
+"PFR0"
diff --git a/fuzzing/settings/oss-fuzz/pfr.options b/fuzzing/settings/oss-fuzz/pfr.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+dict = pfr.dict
+max_len = 100000
diff --git a/fuzzing/settings/oss-fuzz/properties.options b/fuzzing/settings/oss-fuzz/properties.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 1000000
diff --git a/fuzzing/src/driver/DriverInternals.cpp b/fuzzing/src/driver/DriverInternals.cpp
@@ -34,6 +34,8 @@
 #include "targets/font-drivers/pcf.h"
 #include "targets/font-drivers/pcf-render.h"
 
+#include "targets/font-drivers/pfr.h"
+
 #include "targets/font-drivers/truetype.h"
 #include "targets/font-drivers/truetype-render.h"
 #include "targets/font-drivers/truetype-render-i35.h"
@@ -59,6 +61,9 @@
 #include "targets/support/GzipFuzzTarget.h"
 #include "targets/support/LzwFuzzTarget.h"
 
+#include "targets/CacheFuzzTarget.h"
+#include "targets/PropertiesFuzzTarget.h"
+
 
   // The legacy fuzzer is a monolith but it is the only target that calls
   // LLVMFuzzerTestOneInput( ... ) directly which is why we get away with
@@ -90,6 +95,8 @@
     (void) add<PcfFuzzTarget>(       "pcf" );
     (void) add<PcfRenderFuzzTarget>( "pcf-render" );
 
+    (void) add<PfrFuzzTarget>( "pfr" );
+
     (void) add<TrueTypeFuzzTarget>(          "truetype" );
     (void) add<TrueTypeRenderFuzzTarget>(    "truetype-render" );
     (void) add<TrueTypeRenderI35FuzzTarget>( "truetype-render-i35" );
@@ -114,6 +121,9 @@
     (void) add<GzipFuzzTarget>(  "gzip" );
     (void) add<LzwFuzzTarget>(   "lzw" );
     (void) add<Bzip2FuzzTarget>( "bzip2" );
+
+    (void) add<CacheFuzzTarget>( "cache" );
+    (void) add<PropertiesFuzzTarget>( "properties" );
   }
 
 

diff --git a/fuzzing/src/targets/CMakeLists.txt b/fuzzing/src/targets/CMakeLists.txt
@@ -22,6 +22,8 @@ add_library(fuzztargets
   "${FUZZING_SRC_DIR}/iterators/glyphrenderiterator-allmodes.cpp"
 
   "${FUZZING_SRC_DIR}/targets/FaceFuzzTarget.cpp"
+  "${FUZZING_SRC_DIR}/targets/PropertiesFuzzTarget.cpp"
+  "${FUZZING_SRC_DIR}/targets/CacheFuzzTarget.cpp"
   "${FUZZING_SRC_DIR}/targets/font-drivers/bdf.cpp"
   "${FUZZING_SRC_DIR}/targets/font-drivers/bdf-render.cpp"
   "${FUZZING_SRC_DIR}/targets/font-drivers/cff.cpp"
@@ -35,6 +37,7 @@ add_library(fuzztargets
   "${FUZZING_SRC_DIR}/targets/font-drivers/colrv1.cpp"
   "${FUZZING_SRC_DIR}/targets/font-drivers/pcf.cpp"
   "${FUZZING_SRC_DIR}/targets/font-drivers/pcf-render.cpp"
+  "${FUZZING_SRC_DIR}/targets/font-drivers/pfr.cpp"
   "${FUZZING_SRC_DIR}/targets/font-drivers/truetype.cpp"
   "${FUZZING_SRC_DIR}/targets/font-drivers/truetype-render.cpp"
   "${FUZZING_SRC_DIR}/targets/font-drivers/truetype-render-i35.cpp"
@@ -73,6 +76,8 @@ add_library(fuzztargets
   "${FUZZING_SRC_DIR}/visitors/facevisitor-loadglyphs-bitmaps.cpp"
   "${FUZZING_SRC_DIR}/visitors/facevisitor-loadglyphs-outlines.cpp"
   "${FUZZING_SRC_DIR}/visitors/facevisitor-multiplemasters.cpp"
+  "${FUZZING_SRC_DIR}/visitors/facevisitor-pfr.cpp"
+  "${FUZZING_SRC_DIR}/visitors/facevisitor-properties.cpp"
   "${FUZZING_SRC_DIR}/visitors/facevisitor-renderglyphs.cpp"
   "${FUZZING_SRC_DIR}/visitors/facevisitor-sfntnames.cpp"
   "${FUZZING_SRC_DIR}/visitors/facevisitor-subglyphs.cpp"