fofi/FoFiTrueType.cc | 30 +++++++++++------------------- poppler/Parser.cc | 3 ++- 2 files changed, 13 insertions(+), 20 deletions(-)
New commits: commit 9b981f9123fe8c3c8662015de341cff76aa28b07 Author: Thomas Freitag <[email protected]> Date: Thu Dec 28 00:55:39 2017 +0100 FoFiTrueType::readPostTable() from xpdf 4.00 Bug #102880 diff --git a/fofi/FoFiTrueType.cc b/fofi/FoFiTrueType.cc index 2bbf0468..c663249d 100644 --- a/fofi/FoFiTrueType.cc +++ b/fofi/FoFiTrueType.cc @@ -1451,7 +1451,7 @@ void FoFiTrueType::parse() { void FoFiTrueType::readPostTable() { GooString *name; - int tablePos, postFmt, stringIdx, stringPos, savedStringIdx; + int tablePos, postFmt, stringIdx, stringPos; GBool ok; int i, j, n, m; @@ -1481,38 +1481,30 @@ void FoFiTrueType::readPostTable() { stringIdx = 0; stringPos = tablePos + 34 + 2*n; for (i = 0; i < n; ++i) { + ok = gTrue; j = getU16BE(tablePos + 34 + 2*i, &ok); if (j < 258) { nameToGID->removeInt(macGlyphNames[j]); nameToGID->add(new GooString(macGlyphNames[j]), i); } else { - savedStringIdx = stringIdx; j -= 258; if (j != stringIdx) { for (stringIdx = 0, stringPos = tablePos + 34 + 2*n; stringIdx < j; ++stringIdx, stringPos += 1 + getU8(stringPos, &ok)) ; if (!ok) { - goto err; + continue; } } m = getU8(stringPos, &ok); if (!ok || !checkRegion(stringPos + 1, m)) { - stringIdx = savedStringIdx; - if (j < 258) { - ok = gTrue; - nameToGID->removeInt(macGlyphNames[j]); - nameToGID->add(new GooString(macGlyphNames[0]), i); - } else { - goto err; - } - } else { - name = new GooString((char *)&file[stringPos + 1], m); - nameToGID->removeInt(name); - nameToGID->add(name, i); - ++stringIdx; - stringPos += 1 + m; - } + continue; + } + name = new GooString((char *)&file[stringPos + 1], m); + nameToGID->removeInt(name); + nameToGID->add(name, i); + ++stringIdx; + stringPos += 1 + m; } } } else if (postFmt == 0x00028000) { 
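Review bot: In the `@@ -1481,38` hunk, the `ok` result of `j = getU16BE(tablePos + 34 + 2*i, &ok);` is never tested before `j` is used as an index into `macGlyphNames`, even though the commit adds `ok = gTrue;` right above the read. If getU16BE returns 0 on a failed read (its definition is not on this page), a truncated post table in an untrusted font would bind the affected glyphs to `macGlyphNames[0]` instead of skipping them. Adding `if (!ok) { continue; }` directly after the read would make this path behave like the two later checks in the same loop. The rescan `for` loop also restarts from the first string whenever `j != stringIdx`, so a short comment on its worst-case cost for out-of-order indices would help. readPostTable's body starts and ends outside the hunk.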
@@ -1520,7 +1512,7 @@ void FoFiTrueType::readPostTable() { for (i = 0; i < nGlyphs; ++i) { j = getU8(tablePos + 32 + i, &ok); if (!ok) { - goto err; + continue; } if (j < 258) { nameToGID->removeInt(macGlyphNames[j]); commit 00fc829352716b04d9ab59552daefffed20e2852 Author: Thomas Freitag <[email protected]> Date: Thu Dec 28 00:55:00 2017 +0100 Break loop if recursionLimit is reached diff --git a/poppler/Parser.cc b/poppler/Parser.cc index 4b399028..3aee5f0d 100644 --- a/poppler/Parser.cc +++ b/poppler/Parser.cc @@ -89,10 +89,11 @@ Object Parser::getObj(GBool simpleOnly, if (!simpleOnly && buf1.isCmd("[")) { shift(); obj = Object(new Array(xref)); - while (!buf1.isCmd("]") && !buf1.isEOF()) { + while (!buf1.isCmd("]") && !buf1.isEOF() && recursion + 1 < recursionLimit) { Object obj2 = getObj(gFalse, fileKey, encAlgorithm, keyLength, objNum, objGen, recursion + 1); obj.arrayAdd(std::move(obj2)); } + if (recursion + 1 >= recursionLimit && strict) goto err; if (buf1.isEOF()) { error(errSyntaxError, getPos(), "End of file inside array"); if (strict) goto err; _______________________________________________ poppler mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/poppler
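Review bot: In the `@@ -1520,7` hunk the loop does not reset `ok` the way the format-2.0 loop now does with `ok = gTrue;`. Unless getU8 sets `*ok` back on success (its definition is not on this page), the first failed read makes every later iteration take the new `continue`. Because the offset `tablePos + 32 + i` only grows, later reads presumably cannot succeed after the first failure, so `if (!ok) { break; }` would state the intent directly; otherwise add `ok = gTrue;` at the top of the loop for parity. A one-line comment such as `// unreadable entry: keep the names collected so far` would record why this no longer jumps to `err`. The loop and the function continue outside the hunk.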
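Review bot: In the poppler/Parser.cc hunk, reaching the limit with `strict` false is silent: the `while` body is skipped, no `error()` is reported, and control falls through with `buf1` still at the first array element. The caller then gets an empty array, and the code after the hunk presumably treats the next token as if it were `]`. Reporting it the way the end-of-file case does, e.g. `error(errSyntaxError, getPos(), "Recursion limit reached inside array");` before the `if (recursion + 1 >= recursionLimit && strict) goto err;` line, would make truncated arrays visible when handling hostile PDFs. `recursion + 1 < recursionLimit` is also loop-invariant, so it could be tested once before the loop. getObj starts and ends outside the hunk, so whether the dictionary branch has a matching guard cannot be seen here.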
