Table of Contents

Namespace NetPdf.Text.Fonts

Classes

FontSafetyValidator

Per Phase C C-2 — pre-decode font safety gate. Routes incoming font bytes through a magic-byte sniffer + size + sfnt-header sanity check before they reach OpenTypeFont.Parse / HarfBuzz. Defends against:

  • HarfBuzz CVE-class bugs. CVE-2024-56732 type — malformed cmap / GSUB / GPOS / glyf tables triggering buffer overruns in the shaper. The validator can't fix the bug, but it bounds the attack surface by rejecting obviously-malformed sfnt headers before HarfBuzz sees the bytes.
  • DomPDF @font-face cache poisoning. Once Phase 5 wires @font-face, an attacker who can serve a font URL could pick the filename + content. The validator's format-magic check + size cap stop the cache from accepting non-fonts.

The validator does NOT replace the structural validation in OpenTypeFont.Parse — it just bounds the attack surface before parse runs. Parse is still authoritative for table-by-table integrity.

What this validator does NOT inspect: sfnt table tags (cmap / glyf / SVG / etc.) — only the numTables count + directory bounds. SVG-in-OpenType fonts are accepted by this gate; future hardening could walk the table tags to reject SVG-only fonts (a real attack surface) but that work is not in Phase C. Per PR #17 Copilot review #2 the docs were over-claiming; they now state actual coverage.

Structs

FontSafetyValidator.ValidationResult

Enums

FontSafetyValidator.FontFormat

Recognized font formats. Anything else routes to Unknown and is rejected.

FontSafetyValidator.FontSafetyVerdict

Two-state verdict. Mirror of ImageSafetyValidator + the Phase B UriSafetyValidator for consistency.