From c9b6de3b16d9ebecd7caf27b606cfc9eb45d086d Mon Sep 17 00:00:00 2001
From: Jonas Jenwald <jonas.jenwald@gmail.com>
Date: Sat, 7 May 2016 18:23:47 +0200
Subject: [PATCH] Prevent adding invalid values in `CFFDict_setByKey` (bug
 1068432)

In the font in question, there are a couple of `topDict` entries that have invalid values (`0xF 0xF`, i.e. just eof markers without any actual numbers).
This causes the `parseFloatOperand` function, inside `CFFParser_parseDict`, to return `NaN`. Currently we pass this broken font onto the browser, which OTS unsurprisingly rejects.

Fixes https://bugzilla.mozilla.org/show_bug.cgi?id=1068432.
---
 src/core/cff_parser.js       |   5 +++++
 test/pdfs/.gitignore         |   1 +
 test/pdfs/bug1068432.pdf     | Bin 0 -> 2360 bytes
 test/test_manifest.json      |   7 +++++++
 test/unit/cff_parser_spec.js |   9 +++++++++
 5 files changed, 22 insertions(+)
 create mode 100644 test/pdfs/bug1068432.pdf

diff --git a/src/core/cff_parser.js b/src/core/cff_parser.js
index d2beed37c..2a9f3cb0e 100644
--- a/src/core/cff_parser.js
+++ b/src/core/cff_parser.js
@@ -995,6 +995,11 @@ var CFFDict = (function CFFDictClosure() {
       // remove the array wrapping these types of values
       if (type === 'num' || type === 'sid' || type === 'offset') {
         value = value[0];
+        // Ignore invalid values (fixes bug 1068432).
+        if (isNaN(value)) {
+          warn('Invalid CFFDict value: ' + value + ', for key: ' + key + '.');
+          return true;
+        }
       }
       this.values[key] = value;
       return true;
diff --git a/test/pdfs/.gitignore b/test/pdfs/.gitignore
index 82bc7d131..496abf638 100644
--- a/test/pdfs/.gitignore
+++ b/test/pdfs/.gitignore
@@ -35,6 +35,7 @@
 !bug1020858.pdf
 !bug1050040.pdf
 !bug1200096.pdf
+!bug1068432.pdf
 !issue5564_reduced.pdf
 !canvas.pdf
 !bug1132849.pdf
diff --git a/test/pdfs/bug1068432.pdf b/test/pdfs/bug1068432.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..da128bbab63170793c2a85b47657e2672398f188
GIT binary patch
literal 2360
zcmaJ@3se+k6c&l%j66J)$Ldi0_`o%RnSHUlf^0l39xJernh?&iv&+!33p2C8DoWHz
zJw}B+ND`q;ds&)1d?Y5c(sF#@F)WeH%?F{TsA(kf>i>5c7V^~WnX~`g@8193``tTp
z|G6o#@gc%c8K#f}0+=*;SVRPdr&|grfX9#=X)x(AJcZO#EKn$*Mj93wiBU!^(sT$W
zn>aKvJektcWVERStbis25D^5B5+Do1V@zfv2ZR`&NNZV$3LyeFg^+7or|iLfQ5*~f
z&Bp@4(<s(tW^!O?DCT$*gd7VY+*ZiPiZ(`mjT|&(AtK_Du`HarygRj7!#R>i6u>y+
zX@=!ua!CddJT1r(hDVbu<#35dp-Z(OSsj%ugi1&lOR+f&UBH<bAeT7&;c><sla@B>
zfjrD9NH=8|X(*$BT;`M{kz=kz(D71Q%jF`9WHJO3<Ns*=Uq8864A4E9PLwg9UlL{1
zbGbkwM!c{bLy`GdbUG$PMFQ!uFnpn7rNac71R>5OL=t#Q=Y#Y-EG`{Ye#~f$Jx6-{
z=7=XX#Q_1%7MfwLaIMBbGK{I%Trj@W78~codXNRrQM5jnL$s<nD*pu_8RIUVHc&7N
zDGWLd!<V_#5V6tDrjmmYNthT2#bQ)z0wwI=J)X>`4Hh7XGaD!dx<Pe79fP!?hJn<x
zKrC|Vs>poU<Nqq&^RVOToG7E-K%vN@oaV@d(?|^&<8pEVt}-$Cq`@g%>dZt+5EHuC
zQD&YP=ljIBfU|k{Cjd)rj54w`FMwgwIvoXD9kn)kgU0C8nm8clA5fLXNi`R^){x*y
z^>=g^9|$CuqZojw;HX#%wI7C$^@Ipkz||BbHCZW9c~)Y2^Rz$LFA7=@6tppVdfL>;
z?IGsDDa&6x`06sh`qEoB4_5v1*s98+s;y7xKFGe-+kMb$D8!?4<+={bmI5!e$TOtB
zqv6_=pR0#D-?w`$6sa!io)-Hw-JJTa-@R~eTaB)(Hb1w}cJJl-%{4d4K?_~fvSt1c
z;XYTyo+(&xk(TSc9p~%W+}_``<G`^ywUV-mw-vMe6SBW1lfIG1=M%Jj_Pf!7$}>B=
ziM##wTl*8bJ4&xM2KH^*ADu$huX<)PcA<0Ql04zS4t#B+IO3fT=g-BK`>1~mIZ$J>
z-Oy}!_RF3<CTkGu_F!kD4&-^8{8@;Bb^jkC!z7YPMCNE$lA4uT?Pc~MH)Xzk<>KrZ
z_sR`+UwU1Ds6wf&UfV7lovz<Bc+%>1B)Hxyavo>txonYNzTZ<jXY_+d!-nvAEkkt~
zRpsTWn*w6<Jf}YY@EXwCnB+MJ%x-DvXm3At`c$~34|8|VS>*0MyLaf-quY+(t?=`B
zQ=9A&lbFap<uTjcJ<-E<?)0|fmybkv*pIwZar)d5KQM1`pj@dCH*HUgvIc#!eS1qn
z_TlE{OkB8c8Gcyst4h82<A{biF@b_6dDG{?(zw<T<?h&4Tqw(MyBN4A`J>k!k0>ws
zeuivA<;%1xFSU@QHK}<CX(~->>RJo!R`GsX?IY>Ojt9>=+R}BR%i1-~Cup5u-PMZY
z6>-YmBGbtE(Z5#Pbw60Q9Nt$te7?DQK!0tC$El2`hR-r(wGBOu#oA+|1J>GK&wLl(
zXH)N$u359QXS9CgUf}&peRU_x`s&w|{XM+l%EpUr7E2qv-*{u`SIe49UiS}Z|1F>{
z>eG?^iC=CiRqh_~S#hhg@TcP20~PiKvNC&9^?+?KKpE#dSR=?xJ-KJ&qN2Ah{oK{N
zytcfx-x7MP)K{04wD<3~?+Pxqlgj3To82eE<s+(`-B)(iC=ajh&pc4q&^5E_`o`w!
zVzzD9p=mP<hqku8bT-TTy)EHOd^Bf@_hcxyR$jmV#WM?cuQpmN#pWIUDdwx&HXqu%
zz;H)1D=|_2%BLr8)Ox?S^Q%htZokr_Ci*=0QCs-VT|s@Pv)TSD7yeifI-|xb>(bFv
z*1f~Gdv2`mb<6V4e6qUQ-`2YH+gr9Dzp&5HHw>#j><G2BX(G$ZFDQLKtFe}ag5Rsu
z!}z@Wb?YBVxHEOi@_^vR2b#Ntp>!Al2Qe{zfiS65ECo7m41Uvv-aI0e!Fh!)V1$U&
zg$TvOL?q0G5OOITS>rac35Y@g$03ivBZtcmLBQk1IHH({gu!vgBj|A8G7?HAI6{Nm
z1&O5aK;yC!O@JhFI1zb>V@Nn~7{{?kO|PPW0>jfx@Js7B5IK%JEJre&gE0{yR$z1I
I#x05e2g+wi&;S4c

literal 0
HcmV?d00001

diff --git a/test/test_manifest.json b/test/test_manifest.json
index 68f6e4557..adea6848a 100644
--- a/test/test_manifest.json
+++ b/test/test_manifest.json
@@ -203,6 +203,13 @@
        "lastPage": 1,
        "type": "eq"
     },
+    {  "id": "bug1068432",
+       "file": "pdfs/bug1068432.pdf",
+       "md5": "b76ac8d7d0ef471f28535c881f421e33",
+       "rounds": 1,
+       "link": false,
+       "type": "eq"
+    },
     {  "id": "issue1512",
        "file": "pdfs/issue1512r.pdf",
        "md5": "af48ede2658d99cca423147085c6609b",
diff --git a/test/unit/cff_parser_spec.js b/test/unit/cff_parser_spec.js
index a0e8cf2be..67594d3f3 100644
--- a/test/unit/cff_parser_spec.js
+++ b/test/unit/cff_parser_spec.js
@@ -95,6 +95,15 @@ describe('CFFParser', function() {
     expect(topDict.getByName('Private')).toEqual([45, 102]);
   });
 
+  it('refuses to add topDict key with invalid value (bug 1068432)',
+      function () {
+    var topDict = cff.topDict;
+    var defaultValue = topDict.getByName('UnderlinePosition');
+
+    topDict.setByKey(/* [12, 3] = */ 3075, [NaN]);
+    expect(topDict.getByName('UnderlinePosition')).toEqual(defaultValue);
+  });
+
   it('parses a CharString having cntrmask', function() {
     var bytes = new Uint8Array([0, 1, // count
                                 1,  // offsetSize