Chrome Shifts from FreeType to Rust-Based Skrifa for Enhanced Font Rendering Security

The developers of the Google Chrome web browser have announced their decision to abandon the FreeType font rendering library, opting instead for the open-source Skrifa project, which is written in Rust. This transition aims to enhance memory safety during font processing on the web and supports OpenType font handling.

Skrifa provides a subset of the font engine capabilities originally found in FreeType, which are necessary for the 2D graphics library Skia used in both Chrome and Chromium. To detach the Skia library from the FreeType engine, a new font backend based on Skrifa has been created.

According to OpenNET, the Rust-based backend was included in experimental mode for rarely used font formats, such as CFF2 and color fonts, in Chrome version 128. From Chrome version 133 onwards, this new backend will be utilized for all web fonts in builds for Linux, Android, and ChromeOS platforms. On Windows and macOS, the new engine is currently available as a fallback option, activated only when the system cannot support the font format the browser is attempting to render.

The Skrifa code was developed by Google engineers as part of the Fontations toolkit and is available under the MIT and Apache 2.0 licenses. Approximately 700 unit tests have been prepared to validate the functionality of Skrifa. The project library supports glyph decoding in formats such as glyf, CFF, CFF2, COLRv0, COLRv1, EBDT, CBDT, and sbix, as well as variable fonts in glyf, CFF2, and COLRv1 formats, and font hinting in glyf, CFF, and CFF2 formats.

In addition to the Skrifa library, which offers an API for accessing font metadata and loading glyph outlines, the Fontations toolkit includes low-level libraries for reading, parsing, modifying, and creating OpenType font data. Moreover, Fontations is part of the Oxidize project, aimed at translating text and font-related utilities and libraries from Python (fonttools, fontmake, nanoemoji) and C++ (HarfBuzz, FreeType) into new implementations crafted in Rust.

Development of the Skrifa components in Rust arose from the challenges of effectively identifying bugs through fuzz testing, as font formats are too intricate to cover all possible combinations. Leveraging Rust helps minimize memory-related issues, improve code quality, reduce the time spent on addressing security vulnerabilities, and accelerate enhancements to Chrome’s font-related features. According to statistics from Google and Microsoft, approximately 70% of critical vulnerabilities stem from memory management issues that can be avoided using Rust without unsafe blocks.

For instance, employing Rust has helped eliminate previously discovered problems in FreeType’s code, which were associated with accessing freed memory regions, buffer overflows, unchecked array index access, integer overflows, improper use of uninitialized memory, and type casting errors.