Alert
January 24, 2003
OpenType crashes Windows

It is no secret that I do not like the concept
and the design of OpenType.
Type 1 fonts, invented by Adobe, are like
passive little teddy bears, just data sitting on the
computer to be interpreted by programs and
applications, yet powerful enough to hold the
finest artistic expressions in their sleek
cubic Bezier curves.
OpenType, in comparison, is a sleeping monster,
ready to pounce on the weak and the defenseless.
One of its weakest victims is the crash-prone
Windows operating system. OpenType too contains
passive data, but it is loaded--overloaded, really--
with features that should not be the responsibility
of a font, but rather of the application.
This creates a beast that is less and less controllable,
and to no one's surprise, I am here to report
how certain OpenType fonts cause a major crash
of Windows, simply by clicking on the font icon.
What is truly amazing is that the monster was
created by the same people whose system it crashes.
I know that I am going to stir up controversy
by telling you how this is possible, but I will do so
merely by referring to publicly available
specifications.
Let us call these Windows-crashing OpenType files
"monsters".
Mean-spirited people could plant monsters
on font archives, and create havoc.
I am sure that the good people at Microsoft
will fix this defect in Windows, but I am equally sure
that other defects are just waiting to be discovered.
My (predictable) recommendation is to stick to
type 1 fonts: simple is beautiful!
In fact, I have used type 1 mainly in a UNIX/Linux
environment since it was invented, and have never
experienced a computer crash as a result, even on
the most outrageous experimental type 1 fonts.
It's Volvo against Ford Explorer.

The specs

OpenType can place a wrapper around a PostScript-based font.
Type 2 is the charstring format, that is, the encoding of each glyph's outline program, used in these fonts.
It looks very much like the old type 1, but is of course different.
Adobe's type 2 specs
describe how to proceed. In appendix B, page 33, we
find a table of six implementation limits, things like maximum
charstring length (65536). Of interest to us is the
argument stack limit (48).
CFF (Compact Font Format) is the container that holds type 2 charstrings,
and is in fact the way these fonts are wrapped into
an OpenType font.
A glyph in these formats consists of a sequence of
operations like rmoveto, hmoveto, and hlineto.
If one uses more than 48 hlineto's in a single glyph,
then interesting things can happen.

The crash

In this experimental OpenType font,
the character "o" has way more than 48 "hlineto" operators.
This ends up leading to a page fault (blue screen of death!!!!)
in ATMFD.DLL, the CFF font driver that ships with Windows
2000, ME, and XP, and used to ship with ATM for legacy versions of Windows
(95 and 98).
Please, please, please, do not click on the font icon
if you download this font. I tried it on my Windows XP
machine at the university after having killed all running
applications. The machine died, and rebooted after 30 seconds,
without any harm. But I cannot guarantee the same behavior
on your machine, so do not come crying if bad things happen. I
told you not to do it.

Making monsters

How to make monsters?
You can use
Just van Rossum's font assembly/disassembly tool TTX
to disassemble the font and take a look at the "o" charstring.
You will find the following:
10 290 rmoveto
6 -1 7 1 2 -1 -1 -1 -1 -4 1
-4 1 -3 1 -5 1 -3 1 -5 1 -3 1 -4
1 -1 1 1 1 4 1 2 1 5 1 2 1 4 1 5
-1 5 -1 2 -1 2 -1 1 14 -1 -1 -7 1 -5 1
-4 1 -5 1 -3 1 -4 1 -4 2 2 1 4 1
4 1 3 1 5 1 4 1 4 1 6 -1 1 10 -1 -1 -2
-1 -1 -1 -5 -1 -2 -1 -4 -1 -3 -1
-4 -1 -3 -1 -3 -1 -4 -1 -3 -1 -4 -1 -3
-1 -3 -1 -1 -8 2 -1 3 -1 5 -1 3 -1 4
-1 3 -1 4 -2 -2 -1 -4 -1 -3 -1 -4
-1 -3 -1 -4 -1 -3 -1 -1 -8 1 -1 4 -1
3 -1 4 -1 3 -1 4 -1 3 -1 3 -1 4 -1
3 -1 4 -1 3 -1 4 -1 2 -1 1 -1 1 hlineto
69 hmoveto
8 -1 28 -9 -1 2 -1 1 -3 1 -17
-1 -1 -13 14 2 1 1 1 -12 -2 2
-1 1 -13 -16 20 1 1 1 1 1 1 2
1 2 1 -8 -1 -4 -37 1 1 1 1 43 -2 2 hlineto
223 hmoveto
16 -1 4 -1 2 -10 1 -3 -2 3 -1 1
-1 1 -1 1 -1 1 -2 1 -2 1 -11
-1 -2 -1 -2 -1 -1 -1 -1 -1 -1
-1 -1 -2 -1 -2 -1 -7 -1 -2 1 -6 1 -3 1 -1
1 -2 1 -1 1 -1 1 -1 1 -1 2 -1 3 -1 4
1 3 1 1 1 1 1 1 3 1 6 -1 2 -2 1 -2
1 7 -1 1 1 2 -1 1 1 6 -1 -1 -1 -1
-2 -1 -17 -4 2 -1 2 -2 -1 -1 -1 -1 -1
-2 -1 -2 -1 -4 -1 -7 1 -4 1 -3 1 -2 1
-1 1 -1 1 -1 1 -1 1 -1 1 -1 1 -1 2
-1 2 -1 3 -1 14 1 3 1 2 1 2 1 1 1 1
1 1 1 1 1 1 1 1 1 1 2 1 2 1 2 1 3 1
hlineto
[some more hmoveto/hlineto stuff]
endchar

You can experiment with changing the
number of hlineto operators in that
string. Once you reduce them to under 48 operators, double-clicking the
font icon does nothing to the operating system. Once you go back to over 48,
Windows is toast.
For initial caps fonts, 48 hlineto's in a glyph is almost nothing.
This means that CFF-based OpenType cannot handle those gorgeous
initial caps.
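As an added example (not Devroye's code and not part of TTX), here is a small Python checker that decodes a raw Type 2 charstring and reports every operator that is handed more than the 48 operands Appendix B allows, so a font can be linted for this condition before any driver sees it. The operator table, the `assemble` helper and the sample glyph are assumptions constructed for the demonstration; subroutine calls, escaped operators and hintmask are deliberately left out.

```python
# Added example, not Devroye's code: a checker for raw Type 2 charstrings against
# the 48-entry argument-stack limit from Appendix B of Adobe's Type 2 spec.
ARG_STACK_LIMIT = 48
OPERATORS = {1: "hstem", 3: "vstem", 4: "vmoveto", 5: "rlineto", 6: "hlineto",
             7: "vlineto", 8: "rrcurveto", 14: "endchar", 21: "rmoveto",
             22: "hmoveto", 30: "vhcurveto", 31: "hvcurveto"}
NAMES = {name: code for code, name in OPERATORS.items()}
UNSUPPORTED = {10, 11, 12, 19, 20, 29}  # subrs, escape, hintmask: not modelled

def encode_number(v: int) -> bytes:
    """Encode an integer operand: one-byte form, else the 16-bit '28' form."""
    if -107 <= v <= 107:
        return bytes([v + 139])
    return bytes([28, (v >> 8) & 0xFF, v & 0xFF])  # 16-bit two's complement

def assemble(listing: str) -> bytes:
    """Assemble a TTX-style listing ('10 290 rmoveto ... hlineto') to bytes."""
    return b"".join(bytes([NAMES[t]]) if t in NAMES else encode_number(int(t))
                    for t in listing.split())

def tokens(cs: bytes):
    """Decode charstring bytes into ('num', value) / ('op', name) pairs."""
    i = 0
    while i < len(cs):
        b0 = cs[i]
        if b0 in UNSUPPORTED: raise ValueError(f"operator {b0} not modelled here")
        if b0 < 32 and b0 != 28:
            yield "op", OPERATORS.get(b0, f"op{b0}"); i += 1
        elif b0 == 28:
            yield "num", int.from_bytes(cs[i + 1:i + 3], "big", signed=True); i += 3
        elif b0 <= 246:
            yield "num", b0 - 139; i += 1
        elif b0 <= 250:
            yield "num", (b0 - 247) * 256 + cs[i + 1] + 108; i += 2
        elif b0 <= 254:
            yield "num", -(b0 - 251) * 256 - cs[i + 1] - 108; i += 2
        else:  # 255: 16.16 fixed-point operand
            yield "num", int.from_bytes(cs[i + 1:i + 5], "big", signed=True) / 65536; i += 5

def check_charstring(cs: bytes) -> list:
    """Return (operator, operand count) for every operator handed more than 48."""
    violations, depth = [], 0
    for kind, val in tokens(cs):
        if kind == "op" and depth > ARG_STACK_LIMIT:
            violations.append((val, depth))
        depth = depth + 1 if kind == "num" else 0
    return violations
# Constructed samples: a 60-operand hlineto like the post's "o", and a safe 40.
MONSTER = assemble("10 290 rmoveto " + " ".join(["1", "-1"] * 30) + " hlineto endchar")
SAFE = assemble("10 290 rmoveto " + " ".join(["1", "-1"] * 20) + " hlineto endchar")
```

Run `check_charstring` over every glyph of a CFF table to find the ones a strict driver should refuse.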
This explanation is for educational purposes only, and
is directed to the general public and to the Microsoft and Adobe
programmers. I am totally against swamping the net with "monsters".
Even without them, OpenType will die a peaceful death.

Conclusion

It looks like any type 2 or CFF-based OpenType fonts will be bad news
for Windows for some time to come.

Copyright © 2003
Luc Devroye
School of Computer Science
McGill University
Montreal, Canada H3A 2K6
luc@cs.mcgill.ca
http://luc.devroye.org/index.html