RE: WOFF-ACTION-196: Review treatment of empty glyphs vs 0-contour glyphs

Rod wrote:
> I'm OK with just rejecting glyphs with bounding boxes for 0 contours.
It is a possibility but when I considered different options (such as attempting to fix a font instead of rejecting it outright) my preference was to simply reject a whole font – we don’t do (or require doing) an exhaustive font validation prior to encoding so if you see something funny happening in one portion of a font there is a risk that there may be something else we missed. Rejecting it as junk seems like a safe bet.

> Another option might be to require encoder to zero out BB for glyphs with 0 contours.
This is in essence what we started with. By requiring the encoder to clear the bbox flag for both empty and 0-contour glyphs we’d force the decoder to reconstruct the empty glyph in both cases. It is a viable option but, like I mentioned earlier, I am not sure it the approach to fix a problem you see (and knowing you may’ve missed something you didn’t see) is a good idea – what if the ‘irregularities’ of the font data is an indication of the malicious intent. So again, it’s really about a general approach of whether we should be trying to fix what we can (and miss out on what we didn’t see) or reject a font if it has “funny data”.

Thank you,
Vlad


From: Roderick Sheeter [mailto:rsheeter@google.com]
Sent: Wednesday, February 17, 2016 6:30 PM
To: Levantovsky, Vladimir
Cc: WebFonts Working Group
Subject: Re: WOFF-ACTION-196: Review treatment of empty glyphs vs 0-contour glyphs

I'm OK with just rejecting glyphs with bounding boxes for 0 contours. Another option might be to require encoder to zero out BB for glyphs with 0 contours.

On Tue, Feb 16, 2016 at 1:18 PM, Levantovsky, Vladimir <Vladimir.Levantovsky@monotype.com<mailto:Vladimir.Levantovsky@monotype.com>> wrote:
Folks,

After spending some time musing on the subject matter I decided it might be a good idea (but you be the judge) to at least mention the degenerate case of "glyph with zero outlines" in the spec. One thing leads to another and I ended up adding a new conformance test case where an authoring tool would have to check that glyph with zero contours has no bounding box (i.e. all values are zeros) and reject the input font if this is not the case. (see http://dev.w3.org/webfonts/WOFF2/spec/#conform-mustRejectNonEmptyBBox)
Once this check is performed, the existing test case (http://dev.w3.org/webfonts/WOFF2/spec/#conform-mustClearEmptyBBox) is now extended to cover both empty glyph records and glyphs with zero contours.

I realize that having a glyph record with zero contours is highly unlikely (but not impossible) so having the spec mention both cases would be justified, if only to prevent an uncertainty associated with the undefined cases and possible malicious content.
Comments?
(Once I hear you say "Yeah, let's keep this in the spec", my next step would be to come up with the test descriptions for both cases.)

On a separate issue regarding our scheduled telcon tomorrow - any progress to talk about? Considering that some folks are on vacation this week and the low level of WG activities that require group discussions - should we cancel the call tomorrow and postpone it until March 2nd? (Reminder - I will be traveling next week.)

Thank you,
Vlad


-----Original Message-----
From: WebFonts Working Group Issue Tracker [mailto:sysbot+tracker@w3.org<mailto:sysbot%2Btracker@w3.org>]
Sent: Wednesday, February 10, 2016 4:44 PM
To: public-webfonts-wg@w3.org<mailto:public-webfonts-wg@w3.org>
Subject: WOFF-ACTION-196: Review treatment of empty glyphs vs 0-contour glyphs

WOFF-ACTION-196: Review treatment of empty glyphs vs 0-contour glyphs

http://www.w3.org/Fonts/WG/track/actions/196


Assigned to: Vladimir Levantovsky