The loader is designed to temporarily install a specific font in Windows, and test the built-in rasterization code present in the operating system against the (potentially malformed) file. The purpose of the program is to stress-test as much font-handling code as possible, and to execute it for all glyphs found in the font file instead of a limited charset such as just the ASCII characters.
The font-related GDI calls made by the loader are listed below:
- AddFontResourceW
- RemoveFontResourceW
- GetFontResourceInfoW
- CreateFontIndirectW
- GetKerningPairs
- GetFontUnicodeRanges
- GetGlyphOutline
- DrawTextW
Furthermore, the program also invokes a number of Uniscribe API functions:
- ScriptCacheGetHeight
- ScriptGetFontProperties
- ScriptGetGlyphABCWidth
- ScriptGetCMap
- ScriptGetFontScriptTags
- ScriptGetFontLanguageTags
- ScriptGetFontFeatureTags
- ScriptGetFontAlternateGlyphs
- ScriptSubstituteSingleGlyph
The application can be compiled with Microsoft Visual Studio after importing ttf-otf-windows-loader.cpp and config.h into a new project.
Using the tool is as simple as passing the path of the tested TTF/OTF font in the first argument, for example:
c:\ttf-otf-windows-loader>ttf-otf-windows-loader.exe C:\Windows\Fonts\arial.ttf
[+] Extracted 1 logfonts.
[+] Installed 1 fonts.
[+] Starting to test font 1 / 1, variation 1 / 5
[+] Getting kerning pairs
[+] Getting unicode ranges
[+] Getting glyph outlines and drawing them on screen
[+] Testing the Uniscribe user-mode library
[+] Starting to test font 1 / 1, variation 2 / 5
[+] Getting kerning pairs
[+] Getting unicode ranges
[+] Getting glyph outlines and drawing them on screen
[+] Testing the Uniscribe user-mode library
[+] Starting to test font 1 / 1, variation 3 / 5
[+] Getting kerning pairs
[+] Getting unicode ranges
[+] Getting glyph outlines and drawing them on screen
[+] Testing the Uniscribe user-mode library
[+] Starting to test font 1 / 1, variation 4 / 5
[+] Getting kerning pairs
[+] Getting unicode ranges
[+] Getting glyph outlines and drawing them on screen
[+] Testing the Uniscribe user-mode library
[+] Starting to test font 1 / 1, variation 5 / 5
[+] Getting kerning pairs
[+] Getting unicode ranges
[+] Getting glyph outlines and drawing them on screen
[+] Testing the Uniscribe user-mode library
c:\ttf-otf-windows-loader>
In addition to the standard output, you should also observe the font's glyphs being drawn in the upper left corner of the screen.
When fuzzing fonts in Windows 7 and 8.1, we recommend enabling the Special Pool mechanism for the win32k.sys and atmfd.dll kernel modules. On Windows 10, it is a good idea to enable Page Heap for the fontdrvhost.exe process, as font processing was moved to user space in the latest version of the system.
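One way to apply the settings recommended above, given as an added example that is not part of the loader project. It assumes an elevated PowerShell prompt on the test machine and that gflags.exe (from Debugging Tools for Windows) is on PATH.

```powershell
# Added example: enable the memory-debugging aids recommended above on a test machine.
# Assumptions: elevated prompt; gflags.exe is installed and on PATH.

$major = [Environment]::OSVersion.Version.Major

if ($major -lt 10) {
    # Windows 7 / 8.1: font parsing runs in the kernel.
    # Driver Verifier flag 0x1 = Special Pool, limited to the two font modules.
    verifier.exe /flags 0x1 /driver win32k.sys atmfd.dll
    # Show the settings that will be active after the next boot.
    verifier.exe /querysettings
    Write-Host "Reboot for Special Pool to take effect."
}
else {
    # Windows 10: font parsing runs in the user-mode fontdrvhost.exe process.
    # Full Page Heap places each heap allocation next to a guard page.
    gflags.exe /p /enable fontdrvhost.exe /full
    # List the images that currently have Page Heap enabled.
    gflags.exe /p
    Write-Host "Page Heap applies to fontdrvhost.exe instances started from now on."
}

# To revert after testing:
#   verifier.exe /reset                      (Windows 7 / 8.1, then reboot)
#   gflags.exe /p /disable fontdrvhost.exe   (Windows 10)
```

With either setting active, an out-of-bounds access in the font code faults at the faulting instruction rather than silently corrupting neighbouring memory, which makes crashes found with the loader much easier to attribute.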