diff options
author | Tor Andersson <tor.andersson@artifex.com> | 2018-08-21 16:34:18 +0200 |
---|---|---|
committer | Sebastian Rasmussen <sebras@gmail.com> | 2018-08-22 19:38:10 +0800 |
commit | 61574870c0fbe0bb76ea143f8b1ff38800fcdec7 (patch) | |
tree | 1024fbc5265971d3d88ad0d498243caf53682120 /source/pdf | |
parent | b4a149570a589aa504802ceed22caad13752aa9c (diff) | |
download | mupdf-61574870c0fbe0bb76ea143f8b1ff38800fcdec7.tar.xz |
Bug 699666: Forbid cycles in Type3 font CharProcs.
Thanks to oss-fuzz for reporting.
Diffstat (limited to 'source/pdf')
-rw-r--r-- | source/pdf/pdf-font.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/source/pdf/pdf-font.c b/source/pdf/pdf-font.c index 2d0ae759..001f999b 100644 --- a/source/pdf/pdf-font.c +++ b/source/pdf/pdf-font.c @@ -1387,6 +1387,9 @@ pdf_load_font(fz_context *ctx, pdf_document *doc, pdf_obj *rdb, pdf_obj *dict, i pdf_font_desc *fontdesc = NULL; int type3 = 0; + if (pdf_obj_marked(ctx, dict)) + fz_throw(ctx, FZ_ERROR_SYNTAX, "Recursive Type3 font definition."); + if ((fontdesc = pdf_find_item(ctx, pdf_drop_font_imp, dict)) != NULL) { return fontdesc; @@ -1426,17 +1429,20 @@ pdf_load_font(fz_context *ctx, pdf_document *doc, pdf_obj *rdb, pdf_obj *dict, i fontdesc = pdf_load_simple_font(ctx, doc, dict); } + pdf_mark_obj(ctx, dict); fz_try(ctx) { /* Create glyph width table for stretching substitute fonts and text extraction. */ pdf_make_width_table(ctx, fontdesc); - pdf_store_item(ctx, dict, fontdesc, fontdesc->size); - - /* Load glyphs after storing, in case of cyclical dependencies */ + /* Load CharProcs */ if (type3) pdf_load_type3_glyphs(ctx, doc, fontdesc, nested_depth); + + pdf_store_item(ctx, dict, fontdesc, fontdesc->size); } + fz_always(ctx) + pdf_unmark_obj(ctx, dict); fz_catch(ctx) { pdf_drop_font(ctx, fontdesc); |