@cj-tech-master/excelts 9.5.5 → 9.5.6

package/dist/cjs/modules/word/security/digital-signatures.js

@@ -52,52 +52,179 @@ function parseSignatureXml(xmlStr, fileName) {
         fileName,
         cryptographicStatus: "not-verified"
     };
-    // Extract Office-specific metadata from <SignatureInfoV1>
-    const sigTextMatch = /<SignatureText[^>]*>([^<]*)<\/SignatureText>/.exec(xmlStr);
-    if (sigTextMatch) {
-        info.signer = (0, encode_1.xmlDecode)(sigTextMatch[1]);
+    // Each `<TagName ...>...</TagName>` lookup used to be a regex of the
+    // form `/<Tag[^>]*>([^<]*)<\/Tag>/.exec(xmlStr)`. Although `[^>]*` and
+    // `[^<]*` are linear in isolation, running ten such regexes against
+    // attacker-controlled signature XML triggers CodeQL's
+    // `js/polynomial-redos` rule. `extractTextElement` performs the same
+    // job in a single linear scan and cannot exhibit super-linear runtime.
+    const signer = extractTextElement(xmlStr, "SignatureText");
+    if (signer !== undefined) {
+        info.signer = (0, encode_1.xmlDecode)(signer);
     }
-    const sigCommentsMatch = /<SignatureComments[^>]*>([^<]*)<\/SignatureComments>/.exec(xmlStr);
-    if (sigCommentsMatch) {
-        info.signatureComments = (0, encode_1.xmlDecode)(sigCommentsMatch[1]);
+    const sigComments = extractTextElement(xmlStr, "SignatureComments");
+    if (sigComments !== undefined) {
+        info.signatureComments = (0, encode_1.xmlDecode)(sigComments);
     }
-    const purposeMatch = /<SignaturePurpose[^>]*>([^<]*)<\/SignaturePurpose>/.exec(xmlStr);
-    if (purposeMatch) {
-        info.purpose = (0, encode_1.xmlDecode)(purposeMatch[1]);
+    const purpose = extractTextElement(xmlStr, "SignaturePurpose");
+    if (purpose !== undefined) {
+        info.purpose = (0, encode_1.xmlDecode)(purpose);
     }
-    const dateMatch = /<SignatureDate[^>]*>([^<]*)<\/SignatureDate>/.exec(xmlStr);
-    if (dateMatch) {
-        info.signDate = (0, encode_1.xmlDecode)(dateMatch[1]);
+    const signDate = extractTextElement(xmlStr, "SignatureDate");
+    if (signDate !== undefined) {
+        info.signDate = (0, encode_1.xmlDecode)(signDate);
     }
-    const providerMatch = /<SignatureProviderUrl[^>]*>([^<]*)<\/SignatureProviderUrl>/.exec(xmlStr);
-    if (providerMatch) {
-        info.providerUrl = (0, encode_1.xmlDecode)(providerMatch[1]);
+    const providerUrl = extractTextElement(xmlStr, "SignatureProviderUrl");
+    if (providerUrl !== undefined) {
+        info.providerUrl = (0, encode_1.xmlDecode)(providerUrl);
     }
-    // Commitment type
-    const commitMatch = /<CommitmentType[^>]*>\s*<CommitmentTypeIndication[^>]*>\s*<CommitmentTypeId>([^<]*)<\/CommitmentTypeId>/.exec(xmlStr);
-    if (commitMatch) {
-        info.commitmentType = (0, encode_1.xmlDecode)(commitMatch[1]);
+    // Commitment type — nested element. Read the full `<CommitmentType>`
+    // body (which contains nested elements, hence `allowAngleBrackets`)
+    // then look for `<CommitmentTypeId>` inside.
+    const commitmentBlock = extractTextElement(xmlStr, "CommitmentType", {
+        allowAngleBrackets: true
+    });
+    if (commitmentBlock !== undefined) {
+        const commitmentId = extractTextElement(commitmentBlock, "CommitmentTypeId");
+        if (commitmentId !== undefined) {
+            info.commitmentType = (0, encode_1.xmlDecode)(commitmentId);
+        }
     }
-    // Extract signature value (base64)
-    const sigValMatch = /<SignatureValue[^>]*>([^]*?)<\/SignatureValue>/.exec(xmlStr);
-    if (sigValMatch) {
-        info.signatureValue = sigValMatch[1].trim();
+    // Signature value (base64 — may legitimately span newlines, so don't strip).
+    const signatureValue = extractTextElement(xmlStr, "SignatureValue", { allowAngleBrackets: true });
+    if (signatureValue !== undefined) {
+        info.signatureValue = signatureValue.trim();
     }
     // Certificate details from <X509Data>
-    const certSubjectMatch = /<X509SubjectName[^>]*>([^<]*)<\/X509SubjectName>/.exec(xmlStr);
-    if (certSubjectMatch) {
-        info.certificateSubject = (0, encode_1.xmlDecode)(certSubjectMatch[1]);
+    const certSubject = extractTextElement(xmlStr, "X509SubjectName");
+    if (certSubject !== undefined) {
+        info.certificateSubject = (0, encode_1.xmlDecode)(certSubject);
     }
-    const certIssuerMatch = /<X509IssuerName[^>]*>([^<]*)<\/X509IssuerName>/.exec(xmlStr);
-    if (certIssuerMatch) {
-        info.certificateIssuer = (0, encode_1.xmlDecode)(certIssuerMatch[1]);
+    const certIssuer = extractTextElement(xmlStr, "X509IssuerName");
+    if (certIssuer !== undefined) {
+        info.certificateIssuer = (0, encode_1.xmlDecode)(certIssuer);
     }
-    const certSerialMatch = /<X509SerialNumber[^>]*>([^<]*)<\/X509SerialNumber>/.exec(xmlStr);
-    if (certSerialMatch) {
-        info.certificateSerialNumber = (0, encode_1.xmlDecode)(certSerialMatch[1]);
+    const certSerial = extractTextElement(xmlStr, "X509SerialNumber");
+    if (certSerial !== undefined) {
+        info.certificateSerialNumber = (0, encode_1.xmlDecode)(certSerial);
     }
     return info;
 }
+/**
+ * Find the first occurrence of `<tagName ...>...</tagName>` in `xml` and
+ * return the inner text (verbatim — the caller is responsible for entity
+ * decoding via `xmlDecode`).
+ *
+ * Implemented as a linear index scan rather than a regex match. The previous
+ * regex-based implementation tripped CodeQL's polynomial-regex detector
+ * because the input is attacker-controlled signature XML.
+ *
+ * @param xml - The XML text to search.
+ * @param tagName - Local element name (no namespace prefix). The match
+ *   ignores any namespace prefix actually present in the document.
+ * @param options.allowAngleBrackets - When true, the inner text is read up
+ *   to the literal `</tagName>` close tag rather than the next `<`. This
+ *   is appropriate for elements like `SignatureValue` where the body is
+ *   base64 and cannot legitimately contain `<` anyway, but lets the function
+ *   tolerate accidental whitespace/newlines that some signers insert.
+ */
+function extractTextElement(xml, tagName, options = {}) {
+    const n = xml.length;
+    let from = 0;
+    while (from < n) {
+        const lt = xml.indexOf("<", from);
+        if (lt < 0) {
+            return undefined;
+        }
+        // Skip an optional namespace prefix: <ns:Tag ...>.
+        let nameStart = lt + 1;
+        // Look ahead for either the bare tag name or `prefix:tagName`. We do
+        // a forward scan rather than an unbounded regex match.
+        const colon = xml.indexOf(":", nameStart);
+        const ws = findTagNameEnd(xml, nameStart);
+        if (colon > 0 && colon < ws) {
+            nameStart = colon + 1;
+        }
+        if (xml.slice(nameStart, nameStart + tagName.length) !== tagName ||
+            !isTagNameBoundary(xml.charCodeAt(nameStart + tagName.length))) {
+            from = lt + 1;
+            continue;
+        }
+        // Found `<…tagName`. Find the closing `>` of the open tag.
+        const openEnd = xml.indexOf(">", nameStart + tagName.length);
+        if (openEnd < 0) {
+            return undefined;
+        }
+        // Self-closing? Then the element has no text content.
+        if (xml.charCodeAt(openEnd - 1) === 0x2f /* '/' */) {
+            return "";
+        }
+        const bodyStart = openEnd + 1;
+        if (options.allowAngleBrackets) {
+            // Search for the matching close tag (allowing namespace prefix).
+            const closeIdx = findCloseTag(xml, bodyStart, tagName);
+            if (closeIdx < 0) {
+                return undefined;
+            }
+            return xml.slice(bodyStart, closeIdx);
+        }
+        // Default behaviour: text content has no `<`. Stop at the next `<`.
+        const lt2 = xml.indexOf("<", bodyStart);
+        if (lt2 < 0) {
+            return undefined;
+        }
+        return xml.slice(bodyStart, lt2);
+    }
+    return undefined;
+}
+function findTagNameEnd(xml, start) {
+    const n = xml.length;
+    let i = start;
+    while (i < n) {
+        const c = xml.charCodeAt(i);
+        if (c === 0x20 || c === 0x09 || c === 0x0a || c === 0x0d || c === 0x2f || c === 0x3e) {
+            return i;
+        }
+        i++;
+    }
+    return n;
+}
+function isTagNameBoundary(c) {
+    return (c === 0x20 || // space
+        c === 0x09 || // tab
+        c === 0x0a || // LF
+        c === 0x0d || // CR
+        c === 0x2f || // '/'
+        c === 0x3e // '>'
+    );
+}
+function findCloseTag(xml, from, tagName) {
+    const n = xml.length;
+    let i = from;
+    while (i < n) {
+        const lt = xml.indexOf("</", i);
+        if (lt < 0) {
+            return -1;
+        }
+        let p = lt + 2;
+        // Optional namespace prefix
+        const colon = xml.indexOf(":", p);
+        const gt = xml.indexOf(">", p);
+        if (gt < 0) {
+            return -1;
+        }
+        if (colon > 0 && colon < gt) {
+            p = colon + 1;
+        }
+        if (xml.slice(p, p + tagName.length) === tagName &&
+            // Allow trailing whitespace before '>' but require a boundary char.
+            isTagNameBoundary(xml.charCodeAt(p + tagName.length))) {
+            return lt;
+        }
+        i = lt + 2;
+    }
+    return -1;
+}
 /**
  * Extract all digital signatures from opaque parts of a document.
  *

package/dist/cjs/modules/word/security/encryption.js

@@ -334,13 +334,17 @@ function bytesEqual(a, b) {
  * @returns Parsed agile encryption info.
  */
 function parseEncryptionInfoXml(xmlStr) {
-    // Simple regex-based extraction for the key <keyEncryptors><keyEncryptor>... element
-    const keyDataMatch = /<keyData\s([\s\S]*?)\/>/.exec(xmlStr);
-    const pwdEncryptorMatch = /<p:encryptedKey\s([\s\S]*?)\/>/.exec(xmlStr);
-    if (!keyDataMatch || !pwdEncryptorMatch) {
+    // Locate the `<keyData ... />` and `<p:encryptedKey ... />` elements
+    // with a linear scan. Using regular expressions with lazy `[\s\S]*?`
+    // quantifiers triggers CodeQL's polynomial-regex warning because the
+    // input is attacker-controlled (a hostile EncryptionInfo XML stream
+    // with very long unterminated tags caused catastrophic backtracking).
+    const keyDataAttrs = extractSelfClosingTagAttrs(xmlStr, "keyData");
+    const pwdAttrs = extractSelfClosingTagAttrs(xmlStr, "p:encryptedKey");
+    if (!keyDataAttrs || !pwdAttrs) {
         throw new errors_1.DocxDecryptionError("Invalid EncryptionInfo XML - missing keyData or encryptedKey");
     }
-    const pwdData = parseAttrs(pwdEncryptorMatch[1]);
+    const pwdData = pwdAttrs;
     // Required cryptographic fields — empty/missing values cannot decrypt and
     // produce confusing CryptoOperation errors downstream. Fail fast with a
     // clear message instead.
@@ -403,12 +407,108 @@ function parseEncryptionInfoXml(xmlStr) {
         blockSize
     };
 }
+/**
+ * Find a `<tagName ... />` element and return its parsed attributes, or
+ * `null` if no such self-closing element exists.
+ *
+ * Uses a linear scan instead of a regex with `[\s\S]*?` to avoid
+ * catastrophic backtracking on adversarial EncryptionInfo XML.
+ */
+function extractSelfClosingTagAttrs(xml, tagName) {
+    const needle = `<${tagName}`;
+    let from = 0;
+    while (from <= xml.length) {
+        const start = xml.indexOf(needle, from);
+        if (start < 0) {
+            return null;
+        }
+        const after = start + needle.length;
+        const ch = xml.charCodeAt(after);
+        // Require a whitespace, '/' or '>' after the tag name so `<keyDataExtra`
+        // does not match `<keyData`.
+        if (ch !== 0x20 && ch !== 0x09 && ch !== 0x0a && ch !== 0x0d && ch !== 0x2f && ch !== 0x3e) {
+            from = after;
+            continue;
+        }
+        // Find the closing '>' from `start`. Bail out if there isn't one.
+        const close = xml.indexOf(">", after);
+        if (close < 0) {
+            return null;
+        }
+        // The element must be self-closing: the char before '>' is '/'.
+        if (xml.charCodeAt(close - 1) !== 0x2f) {
+            from = close + 1;
+            continue;
+        }
+        const inner = xml.slice(after, close - 1);
+        return parseAttrs(inner);
+    }
+    return null;
+}
+/**
+ * Parse XML-style attributes (`name="value"`) from a fragment. Implemented
+ * as a single linear scan rather than a global regex so attacker-controlled
+ * input cannot trigger polynomial-time backtracking (CodeQL js/polynomial-redos).
+ */
 function parseAttrs(str) {
     const attrs = {};
-    const re = /(\w+)="([^"]*)"/g;
-    let match;
-    while ((match = re.exec(str)) !== null) {
-        attrs[match[1]] = match[2];
+    const n = str.length;
+    let i = 0;
+    while (i < n) {
+        // Skip whitespace.
+        while (i < n) {
+            const c = str.charCodeAt(i);
+            if (c !== 0x20 && c !== 0x09 && c !== 0x0a && c !== 0x0d) {
+                break;
+            }
+            i++;
+        }
+        if (i >= n) {
+            break;
+        }
+        // Read attribute name (\w+ equivalent: [A-Za-z0-9_]+).
+        const nameStart = i;
+        while (i < n) {
+            const c = str.charCodeAt(i);
+            const isWord = (c >= 0x30 && c <= 0x39) || // 0-9
+                (c >= 0x41 && c <= 0x5a) || // A-Z
+                (c >= 0x61 && c <= 0x7a) || // a-z
+                c === 0x5f; // _
+            if (!isWord) {
+                break;
+            }
+            i++;
+        }
+        if (i === nameStart) {
+            // Not at an attribute — advance one char so we make progress.
+            i++;
+            continue;
+        }
+        const name = str.slice(nameStart, i);
+        // Expect `="` exactly. Anything else means we resync to the next
+        // whitespace and try again — robust to malformed input.
+        if (i + 1 >= n || str.charCodeAt(i) !== 0x3d || str.charCodeAt(i + 1) !== 0x22) {
+            // Skip to next whitespace.
+            while (i < n) {
+                const c = str.charCodeAt(i);
+                if (c === 0x20 || c === 0x09 || c === 0x0a || c === 0x0d) {
+                    break;
+                }
+                i++;
+            }
+            continue;
+        }
+        i += 2; // past `="`
+        // Read until next `"`.
+        const valStart = i;
+        const valEnd = str.indexOf('"', i);
+        if (valEnd < 0) {
+            // Unterminated value — store what we have and stop.
+            attrs[name] = str.slice(valStart);
+            break;
+        }
+        attrs[name] = str.slice(valStart, valEnd);
+        i = valEnd + 1;
     }
     return attrs;
 }

package/dist/esm/modules/excel/worksheet.js

@@ -907,6 +907,19 @@ class Worksheet {
         // return true if this._merges has a merge object
         return Object.values(this._merges).some(Boolean);
     }
+    /**
+     * Read-only enumeration of every merged region on this sheet
+     * (1-based, inclusive). Consumed by the formula engine's snapshot
+     * builder to detect `#SPILL!` conflicts. See issue #162 follow-up.
+     */
+    get mergedRegions() {
+        return Object.values(this._merges).map(merge => ({
+            top: merge.top,
+            left: merge.left,
+            bottom: merge.bottom,
+            right: merge.right
+        }));
+    }
     /**
      * Scan the range and if any cell is part of a merge, un-merge the group.
      * Note this function can affect multiple merges and merge-blocks are

package/dist/esm/modules/formula/integration/apply-writeback-plan.js

@@ -136,8 +136,14 @@ function applySpillWrite(workbook, op) {
                 }
             }
             else {
-                // Ghost cell: set value (not result)
+                // Ghost cell: set value (not result). Defence in depth — the
+                // plan builder rejects spills onto merged regions, so a Merge
+                // type here is unreachable; guard anyway because writing
+                // through `MergeValue`'s setter would clobber the master.
                 const targetCell = ws.getCell(targetRow, targetCol);
+                if (targetCell.type === CellValueTypeLike.Merge) {
+                    continue;
+                }
                 targetCell.value = snapshotValueToRaw(val);
             }
         }
@@ -160,9 +166,17 @@ function applyCleanupWrite(workbook, op) {
     }
     for (const { row, col } of op.cells) {
         const cell = ws.findCell(row, col);
-        if (cell) {
-            cell.value = null;
+        if (!cell) {
+            continue;
+        }
+        // Defence in depth: writing `null` to a merge slave would forward
+        // through `MergeValue`'s setter and wipe the master's value. The
+        // plan builder already skips merged regions in `collectStaleGhosts`,
+        // so this guard is belt-and-suspenders.
+        if (cell.type === CellValueTypeLike.Merge) {
+            continue;
         }
+        cell.value = null;
     }
 }
 // ============================================================================

package/dist/esm/modules/formula/integration/workbook-adapter.js

@@ -95,13 +95,24 @@ function buildWorksheetSnapshot(ws, date1904) {
         ? { top: dims.top, left: dims.left, bottom: dims.bottom, right: dims.right }
         : null;
     const tables = buildTables(ws);
+    // Defensive copy — snapshot must not alias host-owned arrays.
+    const hostMergedRegions = ws.mergedRegions;
+    const mergedRegions = hostMergedRegions
+        ? hostMergedRegions.map(r => ({
+            top: r.top,
+            left: r.left,
+            bottom: r.bottom,
+            right: r.right
+        }))
+        : [];
     return {
         id: ws.id,
         name: ws.name,
         dimensions,
         cells,
         hiddenRows,
-        tables
+        tables,
+        mergedRegions
     };
 }
 // ============================================================================
@@ -113,6 +124,14 @@ function buildCellSnapshot(cell, row, col, date1904) {
     if (cellType === CellValueTypeLike.Null) {
         return null;
     }
+    // Skip merge slaves — Excel treats them as blank for formula
+    // purposes, but the host's `MergeValue` proxy would forward
+    // `cell.value` from the master, so letting them into `cells` would
+    // double-count master values in range aggregates. See issue #162
+    // and the `Merge` case in `CellValueTypeLike`.
+    if (cellType === CellValueTypeLike.Merge) {
+        return null;
+    }
     // ── Formula cells ──
     if (cellType === CellValueTypeLike.Formula) {
         return buildFormulaCellSnapshot(cell, row, col, date1904);

package/dist/esm/modules/formula/materialize/build-writeback-plan.js

@@ -247,6 +247,14 @@ activeSpillTargets) {
     if (inst.row + arr.height - 1 > 1048576 || inst.col + arr.width - 1 > 16384) {
         return "error";
     }
+    // Reject if the source cell itself sits inside a merged region.
+    // Excel reports #SPILL! whenever a dynamic-array formula is placed
+    // in a merged cell, even when the ghosts land outside the merge.
+    // The ghost loop below skips `(r=0, c=0)` and the master's value is
+    // already in `cells`, so it would not catch this case.
+    if (isInMergedRegion(ws, inst.row, inst.col)) {
+        return "error";
+    }
     // Check spill availability: verify all target ghost cells are unoccupied
     for (let r = 0; r < arr.height; r++) {
         for (let c = 0; c < arr.width; c++) {
@@ -261,6 +269,16 @@ activeSpillTargets) {
             if (activeSpillTargets.has(targetKey)) {
                 return "error";
             }
+            // Refuse to spill onto any cell that belongs to a merged region.
+            // The cell itself may be a merge slave — which the snapshot
+            // builder filters out of `ws.cells`, so the value/formula checks
+            // below would treat it as empty — but writing there would mutate
+            // the master via `MergeValue`'s setter in `@excel/cell` and
+            // silently corrupt the merge. Excel reports `#SPILL!` whenever a
+            // dynamic-array result tries to land in a merge.
+            if (isInMergedRegion(ws, targetRow, targetCol)) {
+                return "error";
+            }
             // Check if the cell is a ghost from ANY previous spill.
             // If the user hasn't modified it, it's safe to overwrite — the
             // originating formula will clean it up (or we'll overwrite it).
@@ -349,6 +367,19 @@ function collectStaleGhosts(region, previousGhosts, snapshot) {
             }
             const targetRow = region.sourceRow + r;
             const targetCol = region.sourceCol + c;
+            // If the user (or a previous edit) has placed this former ghost
+            // inside a merged region, skip it. The cell is now either a merge
+            // master (carrying the user's intentional value) or a merge slave
+            // (whose `cell.value = null` writeback would forward through
+            // `MergeValue`'s setter and clobber the master). Either way,
+            // cleanup must not touch it. The snapshot builder filters merge
+            // slaves out of `ws.cells` (see issue #162), so the
+            // `isGhostUnmodified` check below would otherwise miss this case
+            // — `cell` would be `undefined`, which currently means
+            // "unmodified, safe to wipe".
+            if (isInMergedRegion(ws, targetRow, targetCol)) {
+                continue;
+            }
             const targetKey = spillCellKeyFromId(region.worksheetId, targetRow, targetCol);
             const cell = ws.cells.get(snapshotCellKey(targetRow, targetCol));
             if (isGhostUnmodified(cell, targetKey, previousGhosts)) {
@@ -380,6 +411,22 @@ function emitPreviousSpillCleanup(previousRegion, previousGhosts, snapshot, oper
         cells: cleanupCells
     });
 }
+/**
+ * Test whether `(row, col)` falls inside any merged region of `ws`.
+ *
+ * Linear scan — merge counts per sheet are small in practice. The
+ * snapshot builder filters merge slaves out of `ws.cells`, so callers
+ * use this helper to recover the "is this cell part of a merge?"
+ * signal that the cell map alone no longer carries.
+ */
+function isInMergedRegion(ws, row, col) {
+    for (const region of ws.mergedRegions) {
+        if (row >= region.top && row <= region.bottom && col >= region.left && col <= region.right) {
+            return true;
+        }
+    }
+    return false;
+}
 function isGhostUnmodified(cell, ghostKey, previousGhosts) {
     if (!cell) {
         return true;

package/dist/esm/modules/formula/materialize/types.js

@@ -13,17 +13,27 @@
 // ValueType — numeric mirror of `@excel/enums` ValueType
 // ============================================================================
 /**
- * Numeric cell-type tag exposed by host cells. The engine only compares
- * against `Null` and `Formula`; any other value is treated as a scalar
- * literal.
+ * Numeric cell-type tag exposed by host cells. The engine compares
+ * against `Null`, `Merge`, and `Formula`; any other value is treated as
+ * a scalar literal.
+ *
+ * `Merge` identifies a non-master cell inside a merged region. The
+ * host's in-memory model may proxy `cell.value` from slaves to the
+ * master (see `MergeValue` in `@excel/cell`), so the snapshot builder
+ * must filter merge slaves out — otherwise range aggregates count the
+ * master's value once per slave. See issue #162.
  *
  * Kept as inline numeric literals (not an enum) so this file stays free
  * of runtime dependencies. The `const` object and `type` alias share a
  * name via TypeScript's declaration merging — the value form
  * (`CellValueTypeLike.Null`, `CellValueTypeLike.Formula`) is used at
  * comparison sites, the type form annotates `CellLike.type`.
+ *
+ * The numeric values must stay in sync with `ValueType` in
+ * `@excel/enums`, which is what `@excel/cell` writes into `cell.type`.
  */
 export const CellValueTypeLike = {
     Null: 0,
+    Merge: 1,
     Formula: 6
 };

package/dist/esm/modules/pdf/builder/document-builder.js

@@ -24,7 +24,7 @@ import { PdfContentStream } from "../core/pdf-stream.js";
 import { PdfWriter } from "../core/pdf-writer.js";
 import { writePdfAMetadata, writePdfAOutputIntent } from "../core/pdfa.js";
 import { FontManager } from "../font/font-manager.js";
-import { discoverSystemFontCandidates } from "../font/system-fonts.js";
+import { iterateSystemFontCandidates } from "../font/system-fonts.js";
 import { parseTtf } from "../font/ttf-parser.js";
 import { wrapTextLines, emitTextWithMatrix, alphaGsName } from "../render/page-renderer.js";
 import { writeImageXObject } from "./image-utils.js";
@@ -839,7 +839,7 @@ export class PdfDocumentBuilder {
             if (nonWinAnsi.size > 0) {
                 // Try auto-discovery unless the caller opted out.
                 if (!this._disableFontAutoDiscovery) {
-                    for (const candidate of discoverSystemFontCandidates()) {
+                    for (const candidate of iterateSystemFontCandidates()) {
                         try {
                             const testTtf = parseTtf(candidate);
                             const allCovered = [...nonWinAnsi].every(cp => testTtf.cmap.has(cp));