On Fri, Oct 3, 2014 at 1:37 PM, John Hudson <tiro@tiro.com> wrote:
> Jonathan,
>
> Out of interest, are you writing your own Brotli decoder, or using open
> source code from Google?
Using the Google one, I believe.
> I wonder because some of my colleagues have expressed concern about the
> single implementation of Brotli compression/decompression, as compared with
> the variety of libraries available for handling WOFF1 gzip. They wonder how
> robustly tested is the Google code, given how new Brotli is? Also, has it
> undergone security reviews?
Those are very valid concerns. In fact, when I reviewed the code before, I
found a few alarming issues, in particular in Brotli itself. Granted,
this might not be exploitable currently, but it definitely should be addressed:
https://code.google.com/p/font-compression-reference/issues/detail?id=2
Possibly affecting the metadata compression:
https://code.google.com/p/font-compression-reference/issues/detail?id=4
And a more generic issue in the woff2 implementation:
https://code.google.com/p/font-compression-reference/issues/list
Now might be a good time to address those.
behdad