Your Fonts Can Run Doom

There's a category of information I think of as cursed knowledge. Facts that make your day measurably worse just by learning them. You can't unlearn them. You just carry them now.
Here's one: TrueType fonts have a virtual machine inside them. A real one. With an instruction set, a stack, and the ability to execute arbitrary code.
I know. I'm sorry.
If your first reaction is "that can't be right," I get it. Mine was too. Then I saw someone run Doom inside a font.
https://4rh1t3ct0r7.github.io/ttf-doom/
That's Doom. In a TTF file. Rendered through the font engine on your machine.
Now, you might be thinking: "Sure Danny, but that probably needs JavaScript to handle character positioning and input. The font isn't really doing the work." Fair point. Reasonable objection.
So here's Fontemon, a legally distinct Pokemon-like game, running entirely inside a font file. You can download it and play it in... Vim or something, but I guess any text field works. You don't need a browser or JavaScript. All you need is your operating system's font renderer doing things font renderers were never meant to do.
https://www.coderelay.io/fontemon.html
At this point you might be reaching for a justification. "OK but this isn't really a virtual machine. Fonts need to support complex scripts, right? Arabic, Devanagari, CJK layouts. It makes sense that there's some programmability in there for handling all the world's writing systems."
And yeah, I don't speak every language. But I'm fairly confident that no human writing system requires the computational power to run a large language model.
Because someone did that too.
https://fuglede.github.io/llama.ttf/
That's llama.cpp, the inference engine behind a lot of local LLM setups, compiled to run inside the TrueType instruction set. An AI model running inside a font. The text is generating itself.
Your system has hundreds of these files installed right now. You load them when you open a PDF, visit a website, read a document. Each one contains a Turing-complete execution environment. Font rendering is, by specification, arbitrary code execution.
There is no patch for this. It's not a bug. It's the spec. It's been the spec since 1994.
You now know this, and you will never look at a .ttf file the same way again.
Now ask yourself how carefully you've vetted the fonts you've installed.
Welcome to cursed knowledge.
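One way to start vetting a font, as an added example that is not from the original post: read the sfnt table directory, find the `fpgm` and `prep` tables that hold TrueType instructions, and count function definitions, calls and jumps in each. The function names and sample bytes are constructed for illustration; per-glyph instructions inside `glyf` are not counted, and font collections (.ttc) are rejected.

```python
import struct

# Control-flow opcodes from the TrueType instruction set, grouped for counting.
CONTROL = {0x2C: "functions",                             # FDEF
           0x2B: "calls", 0x2A: "calls",                  # CALL, LOOPCALL
           0x1C: "jumps", 0x78: "jumps", 0x79: "jumps"}   # JMPR, JROT, JROF

def profile_bytecode(code: bytes) -> dict:
    """Walk a hinting program, skipping inline push data, and count control flow."""
    stats = {"functions": 0, "calls": 0, "jumps": 0}
    i = 0
    while i < len(code):
        op = code[i]
        i += 1
        if op in (0x40, 0x41) and i < len(code):   # NPUSHB / NPUSHW: count byte, then data
            i += 1 + code[i] * (op - 0x3F)
        elif 0xB0 <= op <= 0xBF:                   # PUSHB[n] / PUSHW[n]: n+1 bytes or words
            i += ((op & 7) + 1) * (2 if op >= 0xB8 else 1)
        elif op in CONTROL:
            stats[CONTROL[op]] += 1
    return stats

def hinting_profile(font: bytes) -> dict:
    """Profile the 'fpgm' and 'prep' bytecode tables of one sfnt font (no .ttc)."""
    if len(font) < 12 or font[:4] not in (b"\x00\x01\x00\x00", b"true", b"OTTO"):
        raise ValueError("not a single sfnt font")
    report = {}
    for n in range(struct.unpack(">H", font[4:6])[0]):
        rec = font[12 + 16 * n : 28 + 16 * n]      # tag, checksum, offset, length
        if len(rec) < 16:
            raise ValueError("truncated table directory")
        tag, _checksum, off, length = struct.unpack(">4sIII", rec)
        if off + length > len(font):
            raise ValueError("table extends past end of file")
        if tag in (b"fpgm", b"prep"):
            report[tag.decode()] = {"bytes": length, **profile_bytecode(font[off:off + length])}
    return report

# Constructed sample, not a real font: header, two directory records (checksums
# zeroed), two tables padded to 4 bytes. In SAMPLE_FPGM the bytes 0x2C 0x2B after
# PUSHB[1] are pushed data, so they must not be counted as FDEF/CALL.
SAMPLE_FPGM = bytes([0xB0, 0x00, 0x2C, 0xB1, 0x2C, 0x2B, 0x2D])
SAMPLE_PREP = bytes([0xB0, 0x00, 0x2B])
SAMPLE_FONT = (struct.pack(">4sHHHH", b"\x00\x01\x00\x00", 2, 0, 0, 0)
               + struct.pack(">4sIII", b"fpgm", 0, 44, 7)
               + struct.pack(">4sIII", b"prep", 0, 52, 3)
               + SAMPLE_FPGM + b"\0" + SAMPLE_PREP + b"\0")
```

To check a file on disk, pass its bytes to `hinting_profile`; an empty result means the font carries no font-level hinting programs.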