Patch memory corruption bug in fontforge

Ethan Bishop · Ethan Bishop · commit 56ddb240e96e · 2025-03-13T11:19:18.000Z
This causes some PDFs with certain fonts to explode pdf2htmlEX, due to a incorrect malloc argument
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.2.1
+
+* Patch memory corruption bug in `fontforge` triggered by some fonts.
+
 ## 0.2.0
 
 * Update to .net 8.
diff --git a/src/Pdf2Html/Dockerfile b/src/Pdf2Html/Dockerfile
@@ -3,7 +3,7 @@ FROM ubuntu:noble AS build-pdf2htmlex
 
 # Produces a patched pdf2htmlEX using libopenjp 2.7 instead of libjpeg to get JPEG2000 support.
 
-ENV PDF2HTMLEX_BRANCH=cfl1
+ENV PDF2HTMLEX_BRANCH=cfl2
 ENV UNATTENDED="--assume-yes"
 ENV MAKE_PARALLEL="-j 4"
 ENV PDF2HTMLEX_PREFIX=/usr/local
@@ -32,6 +32,7 @@ RUN patch ./poppler/glib/poppler-enums.c.template ./patches/poppler-enums.c.temp
 RUN patch ./poppler/glib/poppler-private.h ./patches/poppler-private.h.patch
 RUN ./buildScripts/buildPoppler
 RUN ./buildScripts/getFontforge
+RUN patch ./fontforge/fontforge/tottfgpos.c ./patches/fontforge-tottfgpos.c.patch
 RUN ./buildScripts/buildFontforge
 RUN ./buildScripts/buildPdf2htmlEX
 RUN ./buildScripts/installPdf2htmlEX
@@ -49,7 +50,7 @@ RUN apt update && apt install -y wget
 RUN wget http://archive.ubuntu.com/ubuntu/pool/main/libj/libjpeg-turbo/libjpeg-turbo8_2.0.3-0ubuntu1_amd64.deb
 RUN apt install -y ./libjpeg-turbo8_2.0.3-0ubuntu1_amd64.deb
 COPY --from=build-pdf2htmlex /source/pdf2htmlEX/imageBuild/*.deb /pdf2htmlEX/
-RUN apt install -y libjpeg62 libopenjp2-7 /pdf2htmlEX/pdf2htmlEX-0.18.8.rc1-cfl1-*-x86_64.deb
+RUN apt install -y libjpeg62 libopenjp2-7 /pdf2htmlEX/pdf2htmlEX-0.18.8.rc1-cfl2-*-x86_64.deb
 
 WORKDIR /app
 COPY --from=build /app ./
diff --git a/src/Pdf2Html/pdf2htmlEX/patches/fontforge-tottfgpos.c.patch b/src/Pdf2Html/pdf2htmlEX/patches/fontforge-tottfgpos.c.patch
@@ -0,0 +1,13 @@
+@@ -2091,10 +2091,10 @@
+ }
+ 
+ static uint16 *FigureInitialClasses(FPST *fpst) {
+-    uint16 *initial = malloc((fpst->nccnt+1)*sizeof(uint16));
++    uint16 *initial = malloc((fpst->rule_cnt+1)*sizeof(uint16));
+     int i, cnt, j;
+ 
+-    initial[fpst->nccnt] = 0xffff;
++    initial[fpst->rule_cnt] = 0xffff;
+     for ( i=cnt=0; i<fpst->rule_cnt; ++i ) {
+ 	for ( j=0; j<cnt ; ++j )
+ 	    if ( initial[j] == fpst->rules[i].u.class.nclasses[0] )
