From 15e8692eff6bb71f28c3521e3bd64dc19834f523 Mon Sep 17 00:00:00 2001
From: Jonas Jenwald
Date: Fri, 13 Mar 2020 22:09:27 +0100
Subject: [PATCH] Don't accidentally accept invalid glyphNames which *appear* to follow the Cdd{d}/cdd{d} format in `PartialEvaluator._buildSimpleFontToUnicode` (issue 11697) The /Differences array of the problematic font contains a `/c.1` entry, which is consequently detected as a *possible* Cdd{d}/cdd{d} glyphName by the existing heuristics. Because of how the base 10 conversion is implemented, which is necessary for the base 16 special case, the parsed charCode becomes `0.1` thus causing `String.fromCodePoint` to throw since that obviously isn't a valid code point. To fix the referenced issue, and to hopefully prevent similar ones in the future, the patch adds *additional* validation of the charCode found by the heuristics.
---
 src/core/evaluator.js | 2 +-
 test/pdfs/.gitignore | 1 +
 test/pdfs/issue11697_reduced.pdf | Bin 0 -> 10007 bytes
 test/test_manifest.json | 9 ++++++++-
 4 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 test/pdfs/issue11697_reduced.pdf
diff --git a/src/core/evaluator.js b/src/core/evaluator.js
index 87cf0f70c..471132b75 100644
--- a/src/core/evaluator.js
+++ b/src/core/evaluator.js
@@ -2574,7 +2574,7 @@ var PartialEvaluator = (function PartialEvaluatorClosure() {
 code = unicode;
 }
 }
- if (code) {
+ if (code > 0 && Number.isInteger(code)) {
 // If `baseEncodingName` is one the predefined encodings, and `code`
 // equals `charcode`, using the glyph defined in the baseEncoding
 // seems to yield a better `toUnicode` mapping (fixes issue 5070).
diff --git a/test/pdfs/.gitignore b/test/pdfs/.gitignore
index d02f26c7e..93b088f00 100644
--- a/test/pdfs/.gitignore
+++ b/test/pdfs/.gitignore
@@ -288,6 +288,7 @@
 !issue2537r.pdf
 !bug946506.pdf
 !issue3885.pdf
+!issue11697_reduced.pdf
 !bug859204.pdf
 !annotation-tx.pdf
 !annotation-tx2.pdf
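Review bot: The new guard `code > 0 && Number.isInteger(code)` in src/core/evaluator.js still admits any positive integer, and `String.fromCodePoint` (named in the commit message as the call that threw) also raises a RangeError for values above 0x10FFFF. Whether the glyph-name heuristics can produce such a value is not visible here, since the enclosing function begins and ends outside the hunk, but because glyph names come from the /Differences array of an untrusted PDF it is cheap to bound the check: `if (Number.isInteger(code) && code > 0 && code <= 0x10ffff) {`. A short comment above it, e.g. `// Reject non-integer or out-of-range values so String.fromCodePoint cannot throw on malformed glyph names.`, would record why the check exists.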
diff --git a/test/pdfs/issue11697_reduced.pdf b/test/pdfs/issue11697_reduced.pdf new file mode 100644 index 0000000000000000000000000000000000000000..3c23403e6c0550adebf0100062daf8f698eae421 GIT binary patch literal 10007 zcmch7bzGEP)4xc%fYOMB3rNQWEG!}2AxNh*3oOm<(%mH?At}%c3c-$ivSo3}RVW{4@;W2lIhltsKB0 zad8kJ54W|2Az&`nFeKPSKoAU|>=7^+ud5pvu!VyGSC`*oB;5Nip673dFAU-Oo8#(% z_%*QR#eu>%3JmPpv&GcaHPcad>H!vAJ~Bqc#G7n@(s2>jD4 zMOPP;hNUw`lcKzWj2f3B+{Mzx8V*C~!n{#D+Aup0Crbnf&_ThR^}!+{AVALE5}^Y_ zf!P5WK!z7-4anG_rC~@o^1nyF*a);+fGi*f$OG~ih614Qi+CVh0YyLwPzIDSa}_`Z zLsS7(3{eBrFytO^4@1-ebqvt}G%(~oaQ_$i+a6}3320)7HlU3mI)Dy_=mNSJq6g?< zh(4f?AqIdUU<4RphL(Wk-#P#*z{(N`~}|1L(k6 zBJBZNz}EcN&m4}vG4%J>1p&5BfbH*_0qg*Kz~0Br9_9kT0SCYlZ~~kG7r+Jn>uv#8 z0DV<|h3fZp18#tuB|0aZV792=BLv1M;08m$U2On&4;T^!M?2;2;fjLUSULS({WbeN zL;y$t33G=3_8kfHgt=fm{+&bs(h1`?(#_Hu2B7}r8-Vh{BoyEQc(}m%_+1hwo$;!HVgH3q&g+##^88AN|6oT>TPcdMGFj^3BH4sPP%s1-b5ayc9)>P37znrrbFo9&gN6A-`7oN0XzwkZ zLCP`VI>fpqV~J7)4M(z$^2)oaz9oLrX{7jIvH=WZzU+;^-41=wG8XMA%-#e(OK zcQiXyF-!2sZHkw=w4q%0A3S%gyF_Ujl<6Pm#pP0s*Ol`|Zv~)4K0b-A%^gD?^_{E? 
zd~G@&Xq$b)c+E>V^iFq2#>8qySL2}JtAycKLobLq9FQ|bcRUmWsqEZna0vDltJ&$& z&PQf~(n90Ru5R)W?ayO}5^Gx#sc19244PZ5B4_P4BWXbyeQx2>5i)9uP+)w08Z(Xc^L0ArJ<4p^I+@!gpSmGUD-I`WLEm2M)9d@hiqv;RosVf+s#h3wyh>12K>BBvNjhjxv-Fx4dr^(8DMDPS>zf)ubYE;&xVyH4)0_47S@wmie#Z)1ur04=LnFLv(1=wI6hqt7K;B#yUTSl?5;{+ti69AE z-&OH;8cFz%)A<`pee_kI*?)CaAQjE=vEu-4LTN#dsaBk(996e9Q#v9 zMo6~aj}kP@;^Ik}v6`_fPvoRId>C)j(A{biX9Jy7pB0~Fot1q3;I-75-w$B_XV*`Y zpA08cd&VamJ`J5pmYTKfTlm}{_8X1V_6DaM;~aN&+c}$hNGb5z*oP*zos%Wm5{#q2 zg^vjJSCMEQou4c)zTXdgscdp#^%m7(TV%=D8fjJjpv->82+_J=HJo|7dHs0XC32pm z`EdByVHUE!$5G;U$f*-(mRaml_}0^h+{VT8@#d7Ffv)rOiN@|m<3xx3@{Fer7WH){ z&#Ir*KAW&D?<#S4^pj0%imC+LQZg;*>(|RD-x`>s24R-Vw~eg(W6r$nlP>429d813 zDtl||CXBNJ8B{n*zU`b#TvL+e3~X?2N-K0rsM73V)y;5}bmBPE(c5qT@>)+!^#!+{ z=aVaQHaTqZ!0*{eOY={$ zR(c*$9WA`<0@0MRt&I2dQ`ajTZF-YymYHInW#s&7)!lckJmJ{4S81oOij)ib(8; zJ<1!}ptHoaK zY)*+Z2rH_1e&8;8Bj%OG8mF*|mo%p;rU1qsDPHeSU*ZXPu7z);2If+ zasf~%&lwxWB$=xSmn9TRROG@lekO8V8{X|gSDA#*4B#$E-tj6uPw@eLw3!>-_n3Vp z{5t3Gc`T`hp6SI4xf$VldLNEQxh+r&ldhpWO5=&_bRvi?cXw8W@ioQM>o4pwONDu1 z)_O-*NAIy0vDA&F>=2Pv8^2d>vilhkP3ELFoa`W+a*ct%+2%R)D=&yy~aiynE0)LfPy~|Z%?O z#dgk|@s^m3^s8ry`s@cmlW+u0VU4s+R)#wnZ4waClSdG0J!PTwh3OndWKog{Ex7KZ z<17db5ykGs2gucW_!|^ngL+Vwo+sU}6Bun7UK0%+I)wL*L6sMF+0HZHkROjVi?qrR z_+78w8Gth^y9sN)Y#b@#GOdti{&>`h$~a9_l75k~{@5hQh_XiQJ<25VS)06t%WLKb zODjc!yn1=F%%g+|a!XD`6r7XpMD^oVTdV5T8uOwXkutVZKUqRA#AzcSu1X4oqU`g9 zI8z=BX>Q|5Sao4o6|cf#!qOh+eSO*zN)H3#U&*EA%L*>q2NB$tYy!lhZ7Zd|Zd{RN zq4S0#jaxMf{butTTmfw=M|Q_2!w7jspHsEMMaByu%Lv|=q=h_g6eE?7*Os)zyh0Rl zyRM4qDk&gq->s~9&>h^UFRG0fWu@r433)ev{q|I_qE6Qj2W8`{cYA%FXo-AKJC?rQ z^Bs_Tui0k<+KcBN2F2mpt#?G}65+o;znVqvG@{4AGN>%dhkrtdWUoy=yL<5_I3Dy3 z9Q9Ovzws3Z; zJ+ou=+)^i^Y6qS&JyMef{mT)K%DDMz9yZ)3sV!kSGWBd;rui))u>*TK=%^@>ck zG1UI6f&vYxfxD2yZvCNp{n7fa^2@rTZwIX(k0md}Kb?8(UBT5zoO&vrIh2qSSXxM- za^7~Up}2i5%^$p!RIOG)IpO;eOSLFNl5R1~`rN%QZ?q#rUj_l-O0E)MZIwtp>LM42 zS^p@Ob@@EWxAkrQ%k+*jdv*6pN@y$ibrbaHb{>N<+tANo`i&v}b${AOh>utoZ$n75 zj0rB8l+=Xs9X-MKht-L$=Lb8ghMUGArG(U?77JIU;I>%hZc~`~ql;{BaRQds@M3?5JwCu!w 
z4?;_^i`7Z|LxkKTYMaifq$oj>=yYugC{c1d;Z_m>FZ-h%ec4>NP>gI|avuI0^5hr> za?ra&lBn|`zq$LUEX|VYr#Sa(sb}Xk**R08dh8r$C$N;Sq5RnLg9h)32TE`&X;ZEx zkWI5voo7a_K8`~y67D|XOLwfl{^W*nqb)GqMRKYp*pCAg_>kBqEEX^Jlq2Dc31QZ)l z+$4~-E1AZ4Il;HyCwmz4pIZ)obI-zISQ}*0drkT5;nDV9)?~8^$9Hq;qWwV?z1$JX zkxJo*Tjk323!ln-CN-Snw1dqZ-Bo=0+20xREnd1D4G2L0K@S#w=PF*)LS~C~r!gsfqAWe)3zrnlN>Ew#Y=3AYl z`)@xC+8p4g)2vDeF1Oz$p_7<7yolMi^Vv8z2k|jV7g+>-T)2X5C7f~$n`sv>--~0u z5nZU_KC4(W+(vEDq5{(O$cvGtEV{9oWeO6OG19Ecx@@D zg-nQU5*Hbz!@IbNM?68+W?dg1{%rm1tZd!H*rDDVd7uoff5+B`J4&TG4b&_d z);;L$)-|%P?@qYj-jo7{=Ie3&`G_X3k`rt$(X_R9bzK_Px??8_>@1l?NOzS+F8ESc z5GKazxqBb0;xutwM5Nn4C+^Y8Tf*L|Z22J(d;@wHPNSNa&ttMZS(d-qxqmTaDm8rS7uq&F ze3U`0!)|o6pMJ}h)?UEL^GbysGGq37oJpwm`;L2W66GB&*xEB*t399^wABM*z7ElK zLLYkT^aRP36D52hnd0u+Rt|o1D`s2treJbA-sXtfS6Mz6qY5{!NrSy{s{u_Dojd2B zf}r=p3e!{va-NT!)Ij~Kh{S@zVv+-Pjdhym6+V`^g^0ZxzkMF$8tdZyN;_$cJz4QA zi+>_vTdv7?Ww+3TkGQ12S;+bWx3D0wy5Cadqa3N{QyWoqkE|P?J~j6i76~nEYROJ7 z&UeG2Ql$#LfmB0~hL7ADM^$I^&iUzrufNo+{?Dl8H_l^B}&o8K-vb|<>FOy2^82kVCDd}xh%2XV zsj|nxtR-jZD7%Lvdn;D%y=8e&r?_$0flbZU@ZPO+A#qtohE7DL+syV@Kyq9x2yUP3BE6Z)s-HstzPw*D=uwn5E!D{g;>q@AIbNaJoQ-AF zu)JC2?2WacuPi%My)3On>2gUL8TXjMO+Bus~YbV zuoRvdt9VntN*?2g@{ft<)TWB`|NQQeaIR`(){dP%xx0!OnMpaR7gm9Ka5rRm;? z_4`2CrWxp_=sHN-KGjMkRV zwn$`!arYLY?Yqlobt^4H`Z9ugkf~wS0_{~08R^h!#9p#ec%BAVjAtz&kK;Od)ge}$ zRq97#CPNY}!VUJ=8~UC_RArhT0lJ%~(_88EM>sZ5rt9eM-u;$%PeWtiSmgEg@kP7p zk<4<$b)Mr3xSwpei`+~k@!IG378x1Ut`^k zoz$dYwd9_FNjtW%=ql}-Fg#BqvF?u*hPRRnrypyGd0jT0WHoa<7vUFT=JLs$);=Uv zFI-~_GMFh9<1YXq%9p=Az-m%reD}U151RBE*RiQgzRJaIWtRUgNhSwEWptNOHO;=57U&4TDH=R`|d1hu#w!BIQYa z!=jCQ&B`smrnC6*LPqIP@iRpF_fUjIZ_TsimO)O51swsYn%h4%kS%R@BzWHEWERw{ z;uE7sdnTjd9Q3=ap@`8i;y7nJ! 
zPjP3X&TziJxi#Mkv535ar++PMPk}G?s{dy%bK#fU`2qQwOT-r8hxSC&U>QMWtbQUd z<##w@2?Xl)9fuZq!q+zh?_v`j(3QQci_y+dmRZvZsHg;Jrf#b5u$l=5&x;VgmLm)qTDXTN@kW`~UpuH)FW_y1M#cMgSV1$DqWaPVKf+vn zS?C{__`-4pQ)kxojqcuS5!lvTlNrB~t=FT}Pdzo`aoBt;pB%~<^#FTgj8k?#)7^L& zdD0h;R8##nWs1F#>cF%S^RrgbROh5=5w*Ox^Q2tAfhCO&#~iI=sWM^ZNI6)k9A=GAvM#O$~skcwV-(qxuui089A3B zS)`6dek@G$&|jl=HXkhrWy_N8VSvZ#I|%2q`AWPRgGPT_5EjgzIaB06Ys>l3m9=GYvh> z^9^+mN{dPjZJWe6u9%gKHq)CkUElHeP*4#zzvkJYhNC+W3y? z`-dn3`LNlpk0Q$3cWI)0%$|%QU-$$qTGB_p%I~HL9TwbXDH!KTy?S#wWRr?xTsEcUrZ}TKquyr-QzU_bA)Sm~0oA3-DiWZ&bu${pnj(PL zS!`4Aut87GojiknFN=3#Lgn`R4^mA&#E}w#HKTUzjLe)W_?9iwGLCLpC6%EkJJVj0 zhGlQO=@J=l#s?;fTPBs~Wjz%-6KGt&d^fgrxBj*Ma3Is^;dr4nvDk8bdmejwQLEQJ z3C^&Fs^iKrNq?tflAK2LP3{L)jV3<`iHi4tk!9;xw@#rC@gMbYsByIHSDJl4W$^BD zdP_JLKU^eKD(TWQDK@0EtLnTNvfT61QA@_{+GhE^Mr>B@8>QU#7L5oRdA_e&lh-A9 zG=OhhL=vJ`e22!aK;G-`Ub(4VW`CDGN~Li7VH^JFvPx9bl<)I`cym+L1*%L0wLR;7 zDeSNsRGt+`A=EmfwV>6s1-cwmt3oVO&a*Yfkn=v+$uHm|asP5*6{CXKR(@cd^!1k3 z)!aSk+v!Xzp+^^7)@nqzQ2R%6&XHR@A^DL5{60-SO-&9a?VH%yk6Q|#vYe}>PXs!0 zpA9%&K2f^$Y;LS7-UQmU?<3@LS>+lxxWe@){WV)oOe1K+X+$vgY72w-xQo=?+ie^c zVg5Z<`t!7d9-1fbXiQIQv725qJ9gX!B1&qd?7RzB&BP=`etv>&XkY)6TK`0c&3qVXD?f8$F|1G^_wU+ku%i; zJYBgttWT2kbqJg)TQgIhh(SoRv2T@LR%ZM9t}Q?RR$6_bk$tKI z-QJG)*3-_nXKnYFK7zD@uV7#CB~tr@X@mc6-huyg#0CG^4*Y+0{{(-x5&vrbdFPm> zOecKdBZ=6)plJWvX1I*+_n?R%rW))%bUW<`OV-N1C|REM!Oqc>6msWcric?Jzk!@8 z$mG_Kz>St}+u7m4oCO=ebhgC%HpBCnBf1Jx*VxbXrVt+2{UBtSQVM+UyU){w%?Wcn z9X;q-e%vvK#Aa_j{lM<1&8#-9&bawzZ^iWYQQOjwB9}1@6ZfGF+40Vc3K8uii{qzM z&d|~}dK1&_l5g27=Tp1;qKYO1+qnILavL6`ti zh#g`O_FP|Wng{*=>fUlsrVx8Y*PvG}k(5T)&i9E#IUwOuhiG%MN~`8`<~B{(d_uTcoqnJ5TE7mz z{8U4hlUAuDli10CD*^JOIA9mIdn4M5P!gHyn8EhFaX>Q%sXPvz!Ir@HzJ5SACpw4> z{wD2;H8VD0zJj|}9zpa(!sBRAl+OTLa%{Qmon6^5Ov<*vr>JO=FL6#BKO?w2@wSfG z^}`>zo{Smc*S z=sq?23#h|v;FiC7=X_|k03RP%=)ZgB7}FTbE-18WBv|zCjeny>Fq-~2pa@4GQ5XOS zSODGs*LBr%K_d@rU|>uEp#$)*{dX`1XoBYcjX?op;4tVp2B`AO+5Zi4@-KaPbO+w@ zk8L!*;CHYwdO&Efiw(*i9aKRm`e+acSdbqI78Df(3knH=g#<;=Jb_<40SG1l|LGAB z;sZnYMZg&PpPzrOK!h;>0<