From 9dc64639333b4290b53753ca27fa693e480ba33a Mon Sep 17 00:00:00 2001
From: Jonas Jenwald <jonas.jenwald@gmail.com>
Date: Fri, 7 Oct 2016 20:51:02 +0200
Subject: [PATCH] Ignore reserved commands when parsing operands in
 `CFFParser_parseDict`, instead of just rejecting the entire font (bug
 1308536)

According to the CFF specification, see http://partners.adobe.com/public/developer/en/font/5176.CFF.pdf#page=11, certain commands are currently reserved.

Fixes https://bugzilla.mozilla.org/show_bug.cgi?id=1308536.
---
 src/core/cff_parser.js       |  19 +++++++++++--------
 test/pdfs/.gitignore         |   1 +
 test/pdfs/bug1308536.pdf     | Bin 0 -> 6753 bytes
 test/test_manifest.json      |   7 +++++++
 test/unit/cff_parser_spec.js |  35 +++++++++++++++++++++++++++++++----
 5 files changed, 50 insertions(+), 12 deletions(-)
 create mode 100644 test/pdfs/bug1308536.pdf

diff --git a/src/core/cff_parser.js b/src/core/cff_parser.js
index 3de7d3495f6cf..bd7608268dcda 100644
--- a/src/core/cff_parser.js
+++ b/src/core/cff_parser.js
@@ -349,9 +349,9 @@ var CFFParser = (function CFFParserClosure() {
         } else if (value >= 251 && value <= 254) {
           return -((value - 251) * 256) - dict[pos++] - 108;
         } else {
-          error('255 is not a valid DICT command');
+          warn('CFFParser_parseDict: "' + value + '" is a reserved command.');
+          return NaN;
         }
-        return -1;
       }
 
       function parseFloatOperand() {
@@ -1000,19 +1000,22 @@ var CFFDict = (function CFFDictClosure() {
       if (!(key in this.keyToNameMap)) {
         return false;
       }
+      var valueLength = value.length;
       // ignore empty values
-      if (value.length === 0) {
+      if (valueLength === 0) {
         return true;
       }
+      // Ignore invalid values (fixes bug1068432.pdf and bug1308536.pdf).
+      for (var i = 0; i < valueLength; i++) {
+        if (isNaN(value[i])) {
+          warn('Invalid CFFDict value: "' + value + '" for key "' + key + '".');
+          return true;
+        }
+      }
       var type = this.types[key];
       // remove the array wrapping these types of values
       if (type === 'num' || type === 'sid' || type === 'offset') {
         value = value[0];
-        // Ignore invalid values (fixes bug 1068432).
-        if (isNaN(value)) {
-          warn('Invalid CFFDict value: ' + value + ', for key: ' + key + '.');
-          return true;
-        }
       }
       this.values[key] = value;
       return true;
diff --git a/test/pdfs/.gitignore b/test/pdfs/.gitignore
index f07e5921fe392..18ec5b402b829 100644
--- a/test/pdfs/.gitignore
+++ b/test/pdfs/.gitignore
@@ -54,6 +54,7 @@
 !bug1068432.pdf
 !bug1146106.pdf
 !bug1252420.pdf
+!bug1308536.pdf
 !issue5564_reduced.pdf
 !canvas.pdf
 !bug1132849.pdf
diff --git a/test/pdfs/bug1308536.pdf b/test/pdfs/bug1308536.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..a5d0afe28250ecb237405ba3f476a5b2c6e4fdb4
GIT binary patch
literal 6753
zcmeHMi9giq_fKRQq7c&JgA^5?Ss7WfW#9KG8e@jB%rG<7aP6{WNp?!MEGbvkk`xKa
z60%&Bl-q`)ENy<DG3C1VcfY^yKk%EEXP)PCp65B|Jm;L}e4O`4nQCdvBIFccQZJ@^
z2Ve*Q4p5xj0GP5e4AiEO>Bcxu0sv~LYnvFHIAY~Nr{XjzWM=}IMsT*kk!hBG6c}hh
zCwN)|XbcS0bj49E2y{Ri^deA66laj;g~Jm-O^^V3fH;tV!~4()AoH6Jl0iJh(-Q}h
zKpIE|DWD7J4f=pY5Dz+o-aZsMfkq;`co0A<&=vFqEx{9@FK7hng4)nN4+@#N#@Wfk
zgFvK%PE;J;oj_k76FfXfUNjQz7m-SGaixRCpcm)_Qt%`y-p7;ZLGTCNK-T~-R{|OI
z2LnKY3l--}01ZKNP#rV@i6rR30K_?y2vkTB8n`haY~o-6Qpki2MVNB5KnnAOfuIhE
zV{-MvQ3>RA-AuvtF>@*1j{?$NsRRP34{FFTEv`-SAfNyw<Op*Zs7}KZ$aFvfgMubK
za4s|e4Fhd;35)|lR0IsvA~2UA;E?_G=r|7&UY%hz0M2xbE`WqqF<hykLGcIdWzh&g
z7NLLy<Q0(s0*=O<hJls=UXYU+YZ%<9BriIJ3ON(!^-~ZQBM(zmg%QZk>#@PmZ6io5
ze4Oa(+Zjv{nvf`x2c1BL*m>aS1T6xd;!J>nh6J(;-4#Hg6%-hpXmlz8=Lyq|4YE3G
zYT+VuSNK9uXmY7i##^Ih_Ie+B{p|_2+I_onua5|cUAu`ta!hikmP3~$A3u+Xgzo<F
zvjPDy7ICf)CG|d`f|~`X30(ZsI``Z9J6)do49~syb*V>9ge+%kE#Kyn&hzwJaBQaa
zD&AfEn)mD;!b~uFdL^m;``b#D+mk_WCJK;7zHX$>lyQE~xs*GjQe%Ey22oq$Qm4mh
z5_797ZLMJnD>XV1PAdgG`%lX+eyh%UWh<Dt=49_y)|D^Q4N4o><tz>q`Q*q~nv9v{
z=3UOYXji0^`>F1ry_IQZ;rD<ii5GG+?%v%IT_`3LkLNNQS&%-uv-PFOl0fL41NR)x
zw_iYb9EtXffAD0wiq*`PB{2=3$<mr2;tOlNK0R^>>&x9r^m;GL1{1*Xd+<Gto@krH
zn|SdnXg|=BDa<ZZjaA*NaxjixDz+|eZvl4!#|y0Y1?=f-0w((WQarX?@}Z|px7pou
zK{O)pzxV&{jvsJRa=Otz85bXy`mp#x*$X)^MYhusDZFMJ<Q?Sl&4z1~YceuPV5W$o
zA5)Y>_*iW@YJ9RXA>|I3bMls389T53u<pP@UQ&^9(74$4-_lL6VY4FB*DVL-?d@|9
zJli%l+tW_$8hTd?cixka%ElDK(h^l%B{dJ8x%rCMRmO8|h}~LlVwWCWSjx^f>$y=2
zZn@&Dw8<!?yQT?N)%w}3zTo$Eva)*gt<ZkE)ApKgjwB)F8+TR>cdLAl3)}xFGveaG
z{`!xxi~WAR0{gCwT1Y8m`J|<7|6=`slwJGBXy&mmMYDodF27r&oMpZ06nF#mNQ(6n
zNhU2){aym~d6}FC_HKP5d|9g6zg&VuuRJ<5_I%D%m+!+t;Se#OuY21#f9RZv7|Wig
z@N>+wyaC#R#)kvHh5sgW=TGWofy?1~i)n)CWB0RB$c~{9-7PV*V=DnVDbZsv%O%*&
zxbl&#OV%l3g*IagyeVO9nOps2Slun=B4nP15JTTK|M+P6)dlfcWoc=@x%5=@-T5ed
zAUg1hKFhdHi)CN;r>tXT*>z*u_<_-qlJuFx%y!?pKh*C_X>i-0bVIqT%Qj7|iGCX5
zOE4|0xnrxzZXF?DnANYFl@OI+<xsT$0=CI8&7vRYJb0+HMLoab*!7YcdT~Wg<nLXz
zz(A@Wek}MSzto95FIw{h&%rRgM;tOj<;E^*<M;ARmG|0;m2ym+=k?96eRyl3{^~W3
zTIc-PHRs^4=Itj^RyAjpS-y0^+6v(zhpTix1sB2P$Pr1BpH|LJkr(&_Pz_F5f(I!*
zBR4pQzBJa1o)LYX7<XZ+rsxK)Md3J$%=C=!yT**mJ&R&&*Elqn=BEEFefxCUQ~qhs
zQe8d04PC2b*K@&iThme)Qh2CPt}5@sp_u)XDd<b}pSH`K%B$(sJluFE@@ct-C}v2c
z;xkoNc;X1j{pQK+U9+{k5$QaT$B~E1D`fC#V-APFw7&6U-bqD;Wj!w~u|`*G-L$Gl
zANO)0`O_tq<yf9Q<`HDc>&!2Z@hpB+_?&i6f-}s~F?^3uq)_zNV;%2%ZW|j7T#C=o
zE6ea*y!`fKEWG*tT><4??axbYVFK#xBByTDOC@r-J6<lRNc|kxVaRHBFSoR;q`chn
zsHV`O!1oJ12P=xX)T?X?Qmo*r<nw$#24Y%gV<m4;D_nFgOx^tf8GC0SXA$OH!ugb8
z%aAzEwId0R=hT(V-_0CQo%0MU2ig2@vIVVl^&5mK<}2*8aX)<fmdp>%@ZsagE+O|F
zQy~qAZmG1r4h4Pgy0WXoB)2gY)$7T;F%{lOVcyhj{;}U$yYr7`rOHH=D-k1<)ch~`
zom#Q=-=c_OoA2fc2<x%EZk2UQS@4@C@i`Lvx-*Mdwr8&2AUt=)UJkwHYMa}TuCyd|
zNI+QEf$QM8#z?O*^apt6!E{j(u{9-|5mtpmiA5j8q_=%@)NbCt+&c6c$BDVfeIY`@
zq9NzS-l^%N1D83t*E)8^MToJK`H5q%sR&l^)P)W=rt7{I==6YF?DgNS+k4^wLd-AY
zxk7mS3|~}j-TO|MK%zY7&N=PKBab*wr>Wo3J<==W5SZw#el;h@KRez4z#=|WhnEgb
zjQa4zvQ5P_i^qNswx=9_61k70K?01cwGaFO)8u-bEPCBtjat{~<Y|pHQDigv)ORk%
zLC!3xRaV0;J9Ld*(`QcLj-`)IfWbro=Geea2gy3e<a|3);VVjh+_-T@(RBAWA=l(`
zG1j?)((VEz_ig7=nT&T+sj7PR6;%d3V*?uf%^j9<+TVmc=d|Itxof+N%XLh6Y|d8S
zwZrX2-tKM|Sri!v4r|)lqsXpv((NTZR)6QnY|OisqR(%Mhoj`hMofqiTeXLiO)!Fk
z@5Yjhubu4AI$Lt>jhA6Wd2{teo+8%mr*m~Iw#|g8ZtLEvZ?|`ZcS*r{ytw(yyF)jU
zpV+m%D&@Ny6F4d?^kWIHpkWab0*l;pN3u^@vLQ8JtvJ7>oO=EiOeT3*M$<(|a70Sl
z%P~D^EeWJL+&q^;|M3T3jE%}9ThUiZKEA%zuA?vdOROH2Xg(_u2BN%3s;^IDRdxEj
zUudU@=@{aEi<a=8<olD@pMCFP2kXt|>9G4|tEu~qRg@0La5e-^ZgaPLwDxct{?aks
zkdbW}&r;CmZNIe2z4l4fU#XwJ1-!R?8NN#tSt?+qb*it(i4?$<`!=NptZTVM84nt?
z;Ep^Sdo~L^iUm%;SxVl^8n}l&m@X2YK2CijN>y{_Pchij&7<_Z#%0PhN=S3sw{S`F
z?UB+P%Ckfs(;Z5ZHIC|*NBz<Ehrp>H66YpFpPsgT&wlRfbAs5l&r|d2C((vcSVZ;y
zFWZt($3L)JN2hNs3;Sa#VrKQ6XA?h{6T!7nZEIY$gw2=s?e@VRCY>%;eaq;8#fR)5
z#m;b~Bqpt8e4uW3D~x-AjhfSZu#a%7TZEW?Y+q%oPGy9($Sc_bWjp(0vTRkp(t=TH
z+?E{?#8kC|$vXfxPNV!OGl#Ic!hRucPW-+8W9Ap_+;=;EH`P|E4D_48`p-uvyK&D<
zPuyHqUV7>GBjyTw$|F@VSc)oFr_h%IwabEv%|9x)oanmQbietHq+g%WM??^yeV=1Q
zJlRZS708<@saCepQtQ%En;~$?B*QuWoVlfqQ-5^k%Q(eBO}k*Qu)(qTx8uD1F>^~{
zCQV{jK#A=5P-Sj!TI`PCFz!>pjNXCL5a;*v)~W||G9@JL2`&jCt)_?BxDO8Q_+kCQ
zZmy(}we95WHQUg^@!GAxXFx@p(kCe>;_dY&<bxR+D-+%u)?yRi!cid@(Q-B7`OV8(
zt)_N*!{?q?C_7vmZVlKkvlK2Cbaj4qFnj(rx0W~9-Z}qO+tqoyue`m|{rI~@d<l5P
zwp9<qG7Fou$k^N;lqzGnMvjJWo_o|-eOXUy@V8c|Jq}X~-c4Azv#-8(CG>DA=Xth_
zn$=R{_NUiahQ{LSPnsfU-$uJ-cE1+mRpnf53L}awqg1$dQa?)R>I(5M7-`tsjORYI
zoxU;S*QA#1{Mibrhc>f|X|Qe4kek%9H55la&Kl<FF1UyO@w;=}N`BpJ8>fZ0RAv1)
z+JY7(*st)V&=gvNpD$-JC2IbF^uEiOqj7J)2l1)^ZNkAbjngx8YF>f%v|YJQ?)ql#
zUphKvbybAT+<SUPAC4!~mz|RKcTg9*U#s_}e(1(wHpB1Pr&<yt9+z)hy1rCBXE;kh
z?xCEk=tVvBftd-3d+DB&%4-m4^O^JwZ75ldUVglIz=!uV$Kf*{tukyg-de0Sz4aKf
znT?m7TRO3rS$3P0pq${o;PdMJR5nkYX_|w|1Kx5~+(Y{5F;tNtr3;fT|7z5?X0Bf4
zMu(|z2TG8X9YhdSOvt%v$eJFT&OM|0F2EqMu}IHtlyDe6FHt7`@{>tst68R|`1Qww
zLS@S`g;rn7r^}m(6LA!`gYFzPsc@Eo{dlv*{eKLkCtR8>Y6;;)Yb{q3#_GnE@q6JW
zsg@w;>nSWYmG7QlAX~yp-ZWgi;Jr}u<3(Y1-xq@xO)ut3#8w?$-_)t*c1^$1J*#wD
z{kdLq&RpL}8oRbj-|)~Iy@)HdS7OT)cIRy8M~UAcK9jxJbd_?nJ~~!ZS@sjlQ}$HS
zV>?G(jop-81ZBGOvQl=5r)W&+Vt;e{H+RPY_uA&*%4cw`lISs>KKX8!ra9^`U&ig7
z4IO#3E6>vTfyEoNgyt?DKMwN*B{}*XyivwNGybr!a;xLjB%ZeRu_JIt(W_@f?N@hu
zf3%F2u@*L=ocz>LX)fM=mgkaBE$Sj|@D@+C^v8;PnaVv$cE9OMzF|+RDiVOxyEXb#
z_LP|hT&kXAKPw}vtF{u%+i)XMi}f*|rm6dJ?NI*^g_<^phj{$^G=q%v=iG<q6BbTh
z?~x9TPoGqpdiGA;<FhAm&&|(h-A_Wr{Dry6)@vrDQWJyuMv_)<Lt9RBD5+iUjEwY3
zT=8hJ0z7V&<fN116ZMfzs(yEtZEt+1Z@b0q&#}9R^EJ1IIC~vO_xJegzw3IEnHAR(
zp`V+j3w`XkLOMQHecc&@!Hx{={U!}3haGu!oOO#!{*_J`qs(L0XTV0qhuU26X_1IT
zs3s=k2{gbSg#?&IK7djLHdpNcv(9DIyg!HQB`<(R1I)4?_*r~Iv+Gy^fQA@A)ieM?
zRWbC%D2o9M3Rthi0SuP04XXM9c?<xmLy!ajY674Z0G@zKO#svZKwUrq;;j#W1^{RX
zfJOjl41gv8XbNB<CCvfQ0st)m&<apQ0Kbrdb@db>AwS^*rjCjV0EmNVkVpV@20%zB
zA^^HT8Ur8+0NtRv8B)gs06hVa3@HsA0XjPXLRBvf(i{MN0MHjeAmIS$4}bvx7ziLx
zkkDVa1b~2w@D0>}X`*$&0|GOc8X%F-QJB~PfJ8#VHgE_4$uKz+tbqD;qyg&x!XyAB
z8afXXf`IzJCN>KF6J)3;hoF_sH9dN>hyTwK9;5iT3f|J(h!O$kx$~#ZN&|_bc`Kb?
zW9*Cg=PJI+i8*v8FDX*GPjl`2dl8>8mW2hUKUW_lKK=T5atWn1AA;t{z4FfUowq1B
z3FLklx7RgyJ&OWwe^Ahz1`1xb`eb{L{6UT^H}B`zXMFSS{R!jaZOc3EtO^BFdcFJ%
zRqvj|p341tk7bqzF^H)dDRce)q+yt-b`Cq6q~x$qLv*QALb(px*q%>$zx#^*v}n2U
zaA@84-%6}6c)#uTn@-beN640UErgQ9$2mhJaxZV~xxBkRTp`lt<YRM^y2z_bvd<#y
zs;=*P1L}V|6<;-IRxIUmJT6F&REFCcWlP)6HFY#qgI@wI5V(tTALn(XFlnE@QPvKz
zNGmHZeQ_epSjM*aXylo+3-d>$!r`M%@ke+j`4iO=)nZ4eS{bsv25oZor{ZKoye@^?
z&v!pK>*g+!)~7OOPx&ZsM5d1){4scA3+tAJ+m&nodM7cPJ!Xn?fo`KbM1nvgCY+;*
zgTNrl-<-^t-vDlm2+kzjIwS;#$VfCCz`&spF(5fZ*II$W33}3`_(1Rz1Rybau8Y|m
zHjH%}98DP@7yXwO|AD_bfkyG6GIGZT#`trD0I&?H4EE3;B$`Zz*wFyRb?PP!HY>o`
zvY~)BiAtk0Fh~G}gjA+jkx2~r319>_WS74KTmS>>gs8u61Hedf(6a`PMqsS`uc+tW
zfG-H*!u^zuL_-*z4au4A3K<fCL_v0C*!F)n1QG!tF!E4S+?Yoo<N+icwVphF?LjC&
zcp#Js8I3_hVh|haH`XBj;_-|2t7oidHU<v{f2bkQ>->-y%uk+-IcOam1E3HX<~lSM
ziVG}r9<2b;AlVH4p#B%{%{@YaNoSyoo9PT5>%7-_Fl8|0Fwca6awAh0#vX*C;!pWV
zNH#+zLw86w1`m0Ld`0M)VFRWNq&#Eqf7a=5dO$Cc&Cma7jKD&Ef!cqX|9|?w`~TnU
z!tmc_`mcEUMMEMWKQm$h@!x&Jj3MmCdyH{QH|GLIqS(j<KM`l_I&%FJZ`QDcA)wHK
z1D0A)HeduIU`d2Y%K?BU!2<`pq2tK(qX5YRpb@Az5*->r36$jRLjV}f1Ik%M3K>r)
zQOGpF`H&1?=>|Jt`ESYDpGqLYpkRi>;2R(49~TS?0}z1?8g$LpX94mC4FiSqKWJ#i
z_4p@E9=eAApkd(9wfH9u0f(|2<MWpc3<3*fx_{76kQ@F%lSe^UZi5E>@B{rWL4~a+
nZF35R4lv$7P`b1r1ritsT}SnCRQmeS<<XGcrKC=nXv6*oTy{_+

literal 0
HcmV?d00001

diff --git a/test/test_manifest.json b/test/test_manifest.json
index 35ea04fd3a42a..e877ae3528f03 100644
--- a/test/test_manifest.json
+++ b/test/test_manifest.json
@@ -784,6 +784,13 @@
        "link": false,
        "type": "load"
     },
+    {  "id": "bug1308536",
+       "file": "pdfs/bug1308536.pdf",
+       "md5": "cc2258981e33ad8d96acbf87318716d5",
+       "rounds": 1,
+       "link": false,
+       "type": "eq"
+    },
     {  "id": "bug1252420",
        "file": "pdfs/bug1252420.pdf",
        "md5": "f21c911b9b655972b06ef782a1fa6a17",
diff --git a/test/unit/cff_parser_spec.js b/test/unit/cff_parser_spec.js
index 754f4630eb517..38f630000db1f 100644
--- a/test/unit/cff_parser_spec.js
+++ b/test/unit/cff_parser_spec.js
@@ -1,5 +1,6 @@
-/* globals describe, it, expect, beforeAll, afterAll, Stream, CFFParser,
-           SEAC_ANALYSIS_ENABLED, CFFIndex, CFFStrings, CFFCompiler */
+/* globals describe, it, expect, beforeAll, afterAll, beforeEach, afterEach,
+           Stream, CFFParser, SEAC_ANALYSIS_ENABLED, CFFIndex, CFFStrings,
+           CFFCompiler */
 
 'use strict';
 
@@ -33,14 +34,22 @@ describe('CFFParser', function() {
       fontArr.push(parseInt(hex, 16));
     }
     fontData = new Stream(fontArr);
+    done();
+  });
 
+  afterAll(function () {
+    fontData = null;
+  });
+
+  beforeEach(function (done) {
     parser = new CFFParser(fontData, {}, SEAC_ANALYSIS_ENABLED);
     cff = parser.parse();
     done();
   });
 
-  afterAll(function () {
-    fontData = parser = cff = null;
+  afterEach(function (done) {
+    parser = cff = null;
+    done();
   });
 
   it('parses header', function() {
@@ -104,6 +113,24 @@ describe('CFFParser', function() {
     expect(topDict.getByName('UnderlinePosition')).toEqual(defaultValue);
   });
 
+  it('ignores reserved commands in parseDict, and refuses to add privateDict ' +
+     'keys with invalid values (bug 1308536)', function () {
+    var bytes = new Uint8Array([
+      64, 39, 31, 30, 252, 114, 137, 115, 79, 30, 197, 119, 2, 99, 127, 6
+    ]);
+    parser.bytes = bytes;
+    var topDict = cff.topDict;
+    topDict.setByName('Private', [bytes.length, 0]);
+
+    var parsePrivateDict = function () {
+      parser.parsePrivateDict(topDict);
+    };
+    expect(parsePrivateDict).not.toThrow();
+
+    var privateDict = topDict.privateDict;
+    expect(privateDict.getByName('BlueValues')).toBeNull();
+  });
+
   it('parses a CharString having cntrmask', function() {
     var bytes = new Uint8Array([0, 1, // count
                                 1,  // offsetSize