Namespace NetPdf.Text.Fonts
Classes
- FontSafetyValidator
Per Phase C C-2 — pre-decode font safety gate. Routes incoming font bytes through a magic-byte sniffer + size + sfnt-header sanity check before they reach
OpenTypeFont.Parse/ HarfBuzz. Defends against:- HarfBuzz CVE-class bugs. CVE-2024-56732 type — malformed
cmap/GSUB/GPOS/glyftables triggering buffer overruns in the shaper. The validator can't fix the bug, but it bounds the attack surface by rejecting obviously-malformed sfnt headers before HarfBuzz sees the bytes. - DomPDF @font-face cache poisoning. Once Phase 5 wires
@font-face, an attacker who can serve a font URL could pick the filename + content. The validator's format-magic check + size cap stop the cache from accepting non-fonts.
The validator does NOT replace the structural validation in
OpenTypeFont.Parse— it just bounds the attack surface before parse runs. Parse is still authoritative for table-by-table integrity.What this validator does NOT inspect: sfnt table tags (
cmap/glyf/SVG/ etc.) — only thenumTablescount + directory bounds. SVG-in-OpenType fonts are accepted by this gate; future hardening could walk the table tags to reject SVG-only fonts (a real attack surface) but that work is not in Phase C. Per PR #17 Copilot review #2 the docs were over-claiming; they now state actual coverage.- HarfBuzz CVE-class bugs. CVE-2024-56732 type — malformed
Structs
Enums
- FontSafetyValidator.FontFormat
Recognized font formats. Anything else routes to Unknown and is rejected.
- FontSafetyValidator.FontSafetyVerdict
Two-state verdict. Mirror of
ImageSafetyValidator+ the Phase BUriSafetyValidatorfor consistency.