From cb37f7c0f818f79ae1ad92f71b0cf2c513d43ae8 Mon Sep 17 00:00:00 2001
From: Paul Flo Williams <paul@frixxon.co.uk>
Date: Feb 07 2013 17:57:01 +0000
Subject: Array bounds patch for reading PDFs


---

diff --git a/fontforge-20120731-pdf-bounds.patch b/fontforge-20120731-pdf-bounds.patch
new file mode 100644
index 0000000..400ece4
--- /dev/null
+++ b/fontforge-20120731-pdf-bounds.patch
@@ -0,0 +1,37 @@
+--- fontforge-20120731-b/fontforge/parsepdf.c	2012-08-02 16:09:09.000000000 +0100
++++ fontforge-20120731-b-new/fontforge/parsepdf.c	2013-02-07 17:44:05.371466086 +0000
+@@ -1691,9 +1691,9 @@
+     /* to "Unicode" values it specifies rather than to the real order in which the glyphs are */
+     /* stored in the file */
+     pos = cmap_from_cid || sf->map == NULL ? gid : sf->map->map[gid];
+-    sc = sf->glyphs[pos];
+     
+-    if (pos >= 0 && pos < sf->glyphcnt && (sc->unicodeenc != uvals[0] || nuni > 1)) {
++    if (pos >= 0 && pos < sf->glyphcnt && (sf->glyphs[pos]->unicodeenc != uvals[0] || nuni > 1)) {
++	sc = sf->glyphs[pos];
+ 	/* Sometimes FF instead of assigning proper Unicode values to TTF glyphs keeps */
+ 	/* them encoded to the same codepoint, but creates for each glyph an alternate */
+ 	/* encoding, corresponding to the position this glyph has in the font's encoding */
+@@ -1723,6 +1723,7 @@
+     FILE *file;
+     int i, j, gid, start, end, uni, cur=0, nuni, nhex, nchars, lo, *uvals;
+     long *mappings;
++    size_t num_mappings;
+     char tok[200], *ccval, prevtok[200];
+     SplineFont *sf = basesf->subfontcnt > 0 ? basesf->subfonts[0] : basesf;
+ 
+@@ -1733,9 +1734,14 @@
+ return;
+     rewind(file);
+     
++    num_mappings = sf->glyphcnt;
+     mappings = gcalloc(sf->glyphcnt,sizeof(long));
+     while ( pdf_getprotectedtok(file,tok) >= 0 ) {
+ 	if ( strcmp(tok,"beginbfchar") == 0 && sscanf(prevtok,"%d",&nchars)) {
++	    if (cur + nchars >= num_mappings) {
++		num_mappings = cur + nchars;
++		mappings = grealloc(mappings, num_mappings * sizeof(long));
++	    }
+ 	    for (i=0; i<nchars; i++) {
+ 		if (pdf_skip_brackets(file,tok) >= 0 && sscanf(tok,"%x",&gid) &&
+ 		    pdf_skip_brackets(file,tok) >= 0 && sscanf(tok,"%lx",&mappings[cur])) {
diff --git a/fontforge.spec b/fontforge.spec
index 77f4e75..0ffa719 100644
--- a/fontforge.spec
+++ b/fontforge.spec
@@ -5,7 +5,7 @@
 
 Name:           fontforge
 Version:        20120731b
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        Outline and bitmap font editor
 
 Group:          Applications/Publishing
@@ -14,6 +14,7 @@ URL:            http://fontforge.sourceforge.net/
 Source0:        http://downloads.sourceforge.net/fontforge/fontforge_full-%{archive_version}.tar.bz2
 Source2:        http://downloads.sourceforge.net/fontforge/fontforge_htdocs-%{archive_version}.tar.bz2
 Patch1:         fontforge-20090224-pythondl.patch
+Patch2:         fontforge-20120731-pdf-bounds.patch
 
 Requires:       xdg-utils
 Requires:       autotrace
@@ -54,6 +55,7 @@ to compile applications against fontforge.
 %setup -q -n %{name}-%{archive_version}
 
 %patch1 -p1
+%patch2 -p1
 
 mkdir htdocs
 tar xjf %{SOURCE2} -C htdocs
@@ -146,6 +148,9 @@ fi
 %{_libdir}/pkgconfig/*.pc
 
 %changelog
+* Thu Feb 07 2013 Paul Flo Williams <paul@frixxon.co.uk> - 20120731b-4
+- Patch for bug #902089, out-of-bounds errors while reading PDFs
+
 * Fri Jan 18 2013 Adam Tkac <atkac redhat com> - 20120731b-3
 - rebuild due to "jpeg8-ABI" feature drop