Clone this repo:
  1. 6300460 Merge pull request #207 from jfkthame/master by Khaled Hosny · 2 weeks ago master
  2. 373523f Sanitize the PSname to work around buggy consumers by Jonathan Kew · 2 weeks ago
  3. bbd729f Merge pull request #206 from jfkthame/patch-2 by Khaled Hosny · 5 weeks ago
  4. d2648ba Remove spurious component_count check by jfkthame · 5 weeks ago
  5. 968e5f9 [ci] Try to fix macOS build by Khaled Hosny · 5 months ago

Build Status Build status Fuzzing Status

OpenType Sanitizer

The OpenType Sanitizer (OTS) parses and serializes OpenType files (OTF, TTF) and WOFF and WOFF2 font files, validating them and sanitizing them as it goes.

The C library is integrated into Chromium and Firefox, and also simple command line tools to check files offline in a Terminal.

The CSS font-face property is great for web typography. Having to use images in order to get the correct typeface is a great sadness; one should be able to use vectors.

However, on many platforms the system-level TrueType font renderers have never been part of the attack surface before, and putting them on the front line is a scary proposition... Especially on platforms like Windows, where it's a closed-source blob running with high privilege.

Building from source

Instructions below are for building standalone OTS utilities, if you want to use OTS as a library then the recommended way is to copy the source code and integrate it into your existing build system. Our build system does not build a shared library intentionally.

Build OTS:

$ meson build
$ ninja -C build

Run the tests (if you wish):

$ ninja -C build test


See docs

Thanks to Alex Russell for the original idea.