freetype-devel

[Devel] Re: /UnderlinePosition and /UnderlineThickness


From: |Ron|
Subject: [Devel] Re: /UnderlinePosition and /UnderlineThickness
Date: Thu, 5 Jun 2003 17:34:35 +0200 (CEST)

> Did not check the other new "FT_Fixed *" variables, maybe there is also
> a hidden multiplication with 1000?

I think you found a long-standing bug. It looks like nobody ever examined
the fields parsed with T1_FIELD_FIXED (or T1_FIELD_FIXED_P). The culprit is
in src/psaux/psobjs.c:

>      case T1_FIELD_TYPE_FIXED:
>        val = t1_tofixed( &cur, limit, 3 );
>        goto Store_Integer;
>
>      case T1_FIELD_TYPE_FIXED_P:
>        val = t1_tofixed( &cur, limit, 3 );
>        goto Store_Integer_P;

The '3' is the power of ten the number gets multiplied by *in addition*
to being shifted left 16 bits. So all numbers are multiplied by 65536000.

This just doesn't make sense. And an overflow occurs for values larger than
around +/- 32. E.g. underline_position (supposedly -100) contains complete
nonsense (2036334592 = 0x79600000 = -100*65536*1000+2^32+2^32).

Affected fields are:

type1: italic_angle, underline_position, underline_thickness, blue_scale,
       stroke_width
cid: all type1 stuff plus: expansion_factor, forcebold_threshold

Does anybody see wrong or missing underlining in Type1 fonts? I don't,
but I guess most apps are ignorant about this field since it is absent
for most kinds of fonts (notably TrueType).

Anyway, I think it's a good idea to replace those '3's with '0's.

BTW: The only other place I see a power_ten value other than 0 coming from
is in t1load.c, function parse_font_matrix():
> (void)T1_ToFixedArray( parser, 6, temp, 3 );  <-- 3 means *1000
Has anybody verified that this routine and the following calculations never
overflow?

|Ron|
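
The arithmetic described in the message above, as an added example that is not part of the original post and not FreeType's code: a simplified model of scaling by 10^power_ten and shifting left 16 bits into a signed 32-bit value, next to a range-checked variant. The function names and all sample values other than -100 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not FreeType's t1_tofixed(): multiply by 10^power_ten,
   then by 65536 (16.16 fixed point), keeping only the low 32 bits.
   Unsigned arithmetic is used so the wraparound is well defined in C. */
static int32_t to_fixed_wrapping(int32_t value, int power_ten)
{
    uint32_t low = (uint32_t)value;
    while (power_ten-- > 0)
        low *= 10u;
    low *= 65536u;
    /* Portable reinterpretation of the 32-bit pattern as signed. */
    return low >= 0x80000000u ? (int32_t)(low - 0x80000000u) - INT32_MAX - 1
                              : (int32_t)low;
}

/* Same conversion done in 64 bits with a range check.
   Returns 0 and stores the result, or -1 if it does not fit in 16.16. */
static int to_fixed_checked(int32_t value, int power_ten, int32_t *out)
{
    int64_t wide = value;
    if (power_ten < 0 || power_ten > 3)   /* keep the 64-bit product safe */
        return -1;
    while (power_ten-- > 0)
        wide *= 10;
    wide *= 65536;
    if (wide < INT32_MIN || wide > INT32_MAX)
        return -1;
    *out = (int32_t)wide;
    return 0;
}

int main(void)
{
    /* -100 is the underline_position from the message; the rest are constructed. */
    const int32_t samples[] = { -100, 50, 32, 33 };
    const int powers[] = { 3, 0 };
    for (size_t p = 0; p < 2; p++)
        for (size_t i = 0; i < 4; i++) {
            int32_t ok = 0;
            int rc = to_fixed_checked(samples[i], powers[p], &ok);
            printf("value %4d power_ten %d: wrapped %11d  %s\n",
                   (int)samples[i], powers[p],
                   (int)to_fixed_wrapping(samples[i], powers[p]),
                   rc == 0 ? "fits" : "OVERFLOW");
        }
    return 0;
}
```

With power_ten 3 the model reproduces the 2036334592 quoted in the message for -100, and the checked variant accepts 32 but rejects 33, matching the stated limit of around +/- 32.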


