Prevent adding invalid values in CFFDict_setByKey (bug 1068432)

In the font in question, there are a couple of `topDict` entries that have invalid values (`0xF 0xF`, i.e. just eof markers without any actual numbers). This causes the `parseFloatOperand` function, inside `CFFParser_parseDict`, to return `NaN`. Currently we pass this broken font onto the browser, which OTS unsurprisingly rejects. Fixes https://bugzilla.mozilla.org/show_bug.cgi?id=1068432.
2016-05-07 18:23:47 +02:00 · 2016-05-07 18:23:47 +02:00 · c9b6de3b16
commit c9b6de3b16
parent 8b605b6980
5 changed files with 22 additions and 0 deletions
--- a/src/core/cff_parser.js
+++ b/src/core/cff_parser.js
@ -995,6 +995,11 @@ var CFFDict = (function CFFDictClosure() {
      // remove the array wrapping these types of values
      if (type === 'num' || type === 'sid' || type === 'offset') {
        value = value[0];
+        // Ignore invalid values (fixes bug 1068432).
+        if (isNaN(value)) {
+          warn('Invalid CFFDict value: ' + value + ', for key: ' + key + '.');
+          return true;
+        }
      }
      this.values[key] = value;
      return true;
--- a/test/pdfs/.gitignore
+++ b/test/pdfs/.gitignore
@ -35,6 +35,7 @@
 !bug1020858.pdf
 !bug1050040.pdf
 !bug1200096.pdf
+!bug1068432.pdf
 !issue5564_reduced.pdf
 !canvas.pdf
 !bug1132849.pdf
--- a/test/pdfs/bug1068432.pdf
+++ b/test/pdfs/bug1068432.pdf
--- a/test/test_manifest.json
+++ b/test/test_manifest.json
@ -203,6 +203,13 @@
       "lastPage": 1,
       "type": "eq"
    },
+    {  "id": "bug1068432",
+       "file": "pdfs/bug1068432.pdf",
+       "md5": "b76ac8d7d0ef471f28535c881f421e33",
+       "rounds": 1,
+       "link": false,
+       "type": "eq"
+    },
    {  "id": "issue1512",
       "file": "pdfs/issue1512r.pdf",
       "md5": "af48ede2658d99cca423147085c6609b",
--- a/test/unit/cff_parser_spec.js
+++ b/test/unit/cff_parser_spec.js
@ -95,6 +95,15 @@ describe('CFFParser', function() {
    expect(topDict.getByName('Private')).toEqual([45, 102]);
  });

+  it('refuses to add topDict key with invalid value (bug 1068432)',
+      function () {
+    var topDict = cff.topDict;
+    var defaultValue = topDict.getByName('UnderlinePosition');
+
+    topDict.setByKey(/* [12, 3] = */ 3075, [NaN]);
+    expect(topDict.getByName('UnderlinePosition')).toEqual(defaultValue);
+  });
+
  it('parses a CharString having cntrmask', function() {
    var bytes = new Uint8Array([0, 1, // count
                                1,  // offsetSize