From 0bfe9024893ebb1f62108fe6c24410e6ba589c3e Mon Sep 17 00:00:00 2001
From: Jay Berkenbilt <ejb@ql.org>
Date: Sat, 5 Oct 2013 11:30:27 -0400
Subject: [PATCH] Security: avoid pre-allocating vectors based on file data

In places where std::vector<T>(size_t) was used, either validate that
the size parameter is sane or refactor code to avoid the need to
pre-allocate the vector.
---
 ChangeLog                                     |   6 +++
 libqpdf/QPDF_linearization.cc                 |  43 ++++++++++++++----
 qpdf/qtest/qpdf.test                          |   9 +++-
 .../qpdf/linearization-large-vector-alloc.out |   6 +++
 .../qpdf/linearization-large-vector-alloc.pdf | Bin 0 -> 12302 bytes
 5 files changed, 55 insertions(+), 9 deletions(-)
 create mode 100644 qpdf/qtest/qpdf/linearization-large-vector-alloc.out
 create mode 100644 qpdf/qtest/qpdf/linearization-large-vector-alloc.pdf

diff --git a/ChangeLog b/ChangeLog
index 124a086d..f87c4418 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 2013-10-05  Jay Berkenbilt  <ejb@ql.org>
 
+	* Security fix: In places where std::vector<T>(size_t) was used,
+	either validate that the size parameter is sane or refactor code
+	to avoid the need to pre-allocate the vector.  This reduces the
+	likelihood of allocating a lot of memory in response to invalid
+	data in linearization hint streams.
+
 	* Security fix: sanitize /W array in cross reference stream to
 	avoid a potential integer overflow in a multiplication.  It is
 	unlikely that any exploits were possible from this bug as
diff --git a/libqpdf/QPDF_linearization.cc b/libqpdf/QPDF_linearization.cc
index dd09b1c0..7d2560d3 100644
--- a/libqpdf/QPDF_linearization.cc
+++ b/libqpdf/QPDF_linearization.cc
@@ -23,13 +23,22 @@ static void
 load_vector_int(BitStream& bit_stream, int nitems, std::vector<T>& vec,
 		int bits_wanted, int_type T::*field)
 {
+    bool append = vec.empty();
     // nitems times, read bits_wanted from the given bit stream,
     // storing results in the ith vector entry.
 
     for (int i = 0; i < nitems; ++i)
     {
+        if (append)
+        {
+            vec.push_back(T());
+        }
 	vec[i].*field = bit_stream.getBits(bits_wanted);
     }
+    if (static_cast<int>(vec.size()) != nitems)
+    {
+        throw std::logic_error("vector has wrong size in load_vector_int");
+    }
     // The PDF spec says that each hint table starts at a byte
     // boundary.  Each "row" actually must start on a byte boundary.
     bit_stream.skipToNextByte();
@@ -255,6 +264,17 @@ QPDF::readLinearizationData()
 
     // Store linearization parameter data
 
+    // Various places in the code use linp.npages, which is
+    // initialized from N, to pre-allocate memory, so make sure it's
+    // accurate and bail right now if it's not.
+    if (N.getIntValue() != static_cast<long long>(getAllPages().size()))
+    {
+        throw QPDFExc(qpdf_e_damaged_pdf, this->file->getName(),
+                      "linearization hint table",
+                      this->file->getLastOffset(),
+                      "/N does not match number of pages");
+    }
+
     // file_size initialized by isLinearized()
     this->linp.first_page_object = O.getIntValue();
     this->linp.first_page_end = E.getIntValue();
@@ -396,10 +416,9 @@ QPDF::readHPageOffset(BitStream h)
     t.nbits_shared_numerator = h.getBits(16);		    // 12
     t.shared_denominator = h.getBits(16);		    // 13
 
-    unsigned int nitems = this->linp.npages;
     std::vector<HPageOffsetEntry>& entries = t.entries;
-    entries = std::vector<HPageOffsetEntry>(nitems);
-
+    entries.clear();
+    unsigned int nitems = this->linp.npages;
     load_vector_int(h, nitems, entries,
 		    t.nbits_delta_nobjects,
 		    &HPageOffsetEntry::delta_nobjects);
@@ -441,10 +460,9 @@ QPDF::readHSharedObject(BitStream h)
     QTC::TC("qpdf", "QPDF lin nshared_total > nshared_first_page",
 	    (t.nshared_total > t.nshared_first_page) ? 1 : 0);
 
-    int nitems = t.nshared_total;
     std::vector<HSharedObjectEntry>& entries = t.entries;
-    entries = std::vector<HSharedObjectEntry>(nitems);
-
+    entries.clear();
+    int nitems = t.nshared_total;
     load_vector_int(h, nitems, entries,
 		    t.nbits_delta_group_length,
 		    &HSharedObjectEntry::delta_group_length);
@@ -1466,8 +1484,11 @@ QPDF::calculateLinearizationData(std::map<int, int> const& object_stream_data)
     // validation code can compute them relatively easily given the
     // rest of the information.
 
+    // npages is the size of the existing pages vector, which has been
+    // created by traversing the pages tree, and as such is a
+    // reasonable size.
     this->c_linp.npages = npages;
-    this->c_page_offset_data.entries = 	std::vector<CHPageOffsetEntry>(npages);
+    this->c_page_offset_data.entries = std::vector<CHPageOffsetEntry>(npages);
 
     // Part 4: open document objects.  We don't care about the order.
 
@@ -1861,6 +1882,7 @@ QPDF::calculateHPageOffset(
 
     HPageOffset& ph = this->page_offset_hints;
     std::vector<HPageOffsetEntry>& phe = ph.entries;
+    // npages is the size of the existing pages array.
     phe = std::vector<HPageOffsetEntry>(npages);
 
     for (unsigned int i = 0; i < npages; ++i)
@@ -1935,7 +1957,7 @@ QPDF::calculateHSharedObject(
     std::vector<CHSharedObjectEntry>& csoe = cso.entries;
     HSharedObject& so = this->shared_object_hints;
     std::vector<HSharedObjectEntry>& soe = so.entries;
-    soe = std::vector<HSharedObjectEntry>(cso.nshared_total);
+    soe.clear();
 
     int min_length = outputLengthNextN(
 	csoe[0].object, 1, lengths, obj_renumber);
@@ -1948,8 +1970,13 @@ QPDF::calculateHSharedObject(
 	    csoe[i].object, 1, lengths, obj_renumber);
 	min_length = std::min(min_length, length);
 	max_length = std::max(max_length, length);
+        soe.push_back(HSharedObjectEntry());
 	soe[i].delta_group_length = length;
     }
+    if (soe.size() != static_cast<size_t>(cso.nshared_total))
+    {
+        throw std::logic_error("soe has wrong size after initialization");
+    }
 
     so.nshared_total = cso.nshared_total;
     so.nshared_first_page = cso.nshared_first_page;
diff --git a/qpdf/qtest/qpdf.test b/qpdf/qtest/qpdf.test
index 87c9d8c1..d07a54c5 100644
--- a/qpdf/qtest/qpdf.test
+++ b/qpdf/qtest/qpdf.test
@@ -199,7 +199,7 @@ $td->runtest("remove page we don't have",
 show_ntests();
 # ----------
 $td->notify("--- Miscellaneous Tests ---");
-$n_tests += 69;
+$n_tests += 70;
 
 $td->runtest("qpdf version",
 	     {$td->COMMAND => "qpdf --version"},
@@ -537,6 +537,13 @@ $td->runtest("bounds check linearization data 2",
              {$td->FILE => "linearization-bounds-2.out",
               $td->EXIT_STATUS => 2},
              $td->NORMALIZE_NEWLINES);
+# Throws logic error, not bad_alloc
+$td->runtest("sanity check array size",
+             {$td->COMMAND =>
+                  "qpdf --check linearization-large-vector-alloc.pdf"},
+             {$td->FILE => "linearization-large-vector-alloc.out",
+              $td->EXIT_STATUS => 2},
+             $td->NORMALIZE_NEWLINES);
 
 show_ntests();
 # ----------
diff --git a/qpdf/qtest/qpdf/linearization-large-vector-alloc.out b/qpdf/qtest/qpdf/linearization-large-vector-alloc.out
new file mode 100644
index 00000000..2c807d3c
--- /dev/null
+++ b/qpdf/qtest/qpdf/linearization-large-vector-alloc.out
@@ -0,0 +1,6 @@
+checking linearization-large-vector-alloc.pdf
+PDF Version: 1.3
+File is not encrypted
+File is linearized
+WARNING: linearization-large-vector-alloc.pdf (linearization hint stream: object 62 0, file position 1183): attempting to recover stream length
+overflow reading bit stream
diff --git a/qpdf/qtest/qpdf/linearization-large-vector-alloc.pdf b/qpdf/qtest/qpdf/linearization-large-vector-alloc.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..1807b08f8950586aa9242ba3f5066e782223d9b7
GIT binary patch
literal 12302
zcmc&)&5I;S72kDq4h0K>H&21<EIlkU8DE)^DNVCG)6>l2e6-c&x;l(hc2!nSt<_aa
zRrWF}ii02uf`hjO@!-+3coSVj@Fe~L9z1vwyoj>P3gUb5QJoo)+0b3RW<hmVzKVF?
z@0YJ4-?jbSy&LSN=w18m2fz4lFQJ5z#o^n%?QIg>o6d`TIsH~KCJe3!<AQP$-6f9*
zV@wj3aq^f%4@n|ObccvUz_JHKP!bIYqgg7*&Q7nGkC7qyzrK1;m&F9FVOfvb7mJDh
zMCQcNR3d$vw#-|{1Wkf<G7k5~G58N(r!rU)ry(uP0-6FZ`g=3UeHy1q1vD;#y*y?t
zSeGQ>-joMA^DGN!f~i1fA$TA|NLBGwxy+}tVo5Na`in(L64*fcBsze!BET`)Ul#9T
zvM3oONc6@od9<CgG-fg#jc7hj;;|}}ifNh)I--Y(6k=za$*~%9DaOe-$;aYwBqk~z
zsZpF|QpjYy^BD7RRp!f5rv>d@yLRW{UQg@dlKtUHIfHy(5p)r1xSt;t_wvJHw$j=^
zI5}QH;!}OGPqwZDPr~)p0g0AiQ3+K7G*w%X)mJ3A0s@2na7@^m%dY0a^_tjiG(@w}
zaB~|WaL5P5n>D})b@JG;gvOcvLb&BdTgX*h?r8{F4OH})al!q?xFFG&SH;>v+A}Kx
zOtqf|-+Tua+|J8<wm5=quHX|$-8Gc#O=l&fL9{o^%VM_}X{HAx%XHAAd&T^yeBv&V
z$*Noy`El>*&ql-H@NhW%(cv&34nO?k?|%Qn6_R}B%B#=+@XznP_$isa_T-hTS0<lc
z4&VR&uikw2{wJQj{DbX3ee#D_KL6g2|Ms~Tw<g2qM}OTq`B(Ahpa1kr|M|_YfBEgN
zfA{`NZ~f)HXV3oq%JZuq{p35Jec|uNFJDEitxOA8SdMG`Z!hL$F)txIpy)9>?ib@}
zerxemrv!zx=8(-A4)^mVtX#XNU#u1<%Mm0N#%d4vm=BC3fJeYeJ9@bo9TZR<P&$@m
z+=@w9^(jhs8Ec&;F*TgOZVdovqdi8rB!dZjR-hN;$zTkhxAqrhUM>i|P6luH?hG1i
zMwJ}@TluQc`bKw)*}FwK9pwP?bBNt^eng_LOy{r9SJP9%gZvm00c1x9Cx@lZ3N!+)
zjV+p2B|p$sl=TP_ZFdh=6;Dg@c%432hEA2+ixco$0^Fy|6?_0h#UR|v@uHT8>nyDZ
z!qs(75=y3ky^o09{MJ{$M&>88S>+Gh*^D%W_e3X6S^Ro{$~w_D<PJFo({fgjtv6Qx
zSOFy5*dg&3NEAxA?i^!vuErVFaw=O*p-{CN$O!U8#R(C3`}KrtJarDTnhci3JNY*N
ztw0y%lyN-HP(xep)G#r)0k?Xmkafl06vDQ4maPvR8f7v((#~?8bNbpCS`}YE&gbKt
zu$$UpjDg31?^(K`^tx{RR5dFYSlo4WX@iNVv<@bgI9zxtX&1Vv8~wH?#biQhEGSJF
zybE|sN>xTFhnx09Q2}=(ame63hPQ+_d<S&>y?{L&_6S&v>-iWy!!>@!?*#A_x&030
z$OQPqeg!gQYS#fT0W`q@nN3B7i38<+>J=NO(=hdQ;xOpkQc4t92w^j^sXM}js**md
z>FCK~360=QZbM`u<g+|0VpTx3x@nMw2!z#9No}W&iHi+jT{oyV)J$hMJ#V!^>v8Hd
zo92~Vvc7>_dJ`HI?KGQ9wo@><Zu8mr)8?N|ta>g1Ff72GT4k5-+;~$9ILn1qd^VZ_
zyt;a{iZ=Vws%&mB205`&tE9iv(zw~yv2}AzWrHKAawzI7<sIPTjnL{W&(ztu&w8^_
z7n6<r{MuCSFIF321%+mvR*DU?Q|$~lx!9)Xc2xC-<y5n|)~uSRjftS$(d0F#6@4$r
z&Z}A-bZt*$E3%uGs0w%&?ub}xM^weEbrWcV-i^Uku)46pyw%`3!nm&207W+jS7GDA
z28&jMt2nTZu&wfL46c^{g$<Ui23LE_wZY6bx!qW-rMqVC!Y0S9CgV{^rCGFD4Zqp+
z{jVdNF9o@hcAFca3!1+!ZN3!nQtdW3q8GD$PDgRR6#PotZEgfG)+vH%=^NK`)^2kn
zhT%ab_Oso@SxfhAR_8sNVeN-Ac-9(%7##O?X>=2ao!{v8{);!F7@Tf(X>=2co!{v8
z9*j4_81EFuwDir>yS)$NjX1_T#W5{?bEDgPF@31#1gx7ec!JhpdTZ%UC)bRfKfT+#
zF?dYa0A!+5Ak)$}H@dwY!zXkhdW%khOiSO~==Oe0AE-D1r|I1(kcp;#?ELB7-jIn#
zAQPPenU?MXaq*gN@5n@BM<zQ3GA(^$qj`HrCL4hapV@cUhHB}X8{OWK=_6YwU|rL)
zQy|mQolX}{Z{FUK$;OTh9=&!M=}Q4J-rkYPMj(@&0-2V+d8FGrGT8`ZIM>r%O>60!
z8{OWK#f?A~cM4=$`sPNrcVuy6M}|{f9Y*?6ep>SOjx25jGMFXk(&)<pvi6QFZUi!%
z%j+=GD1GzvZtuwSe3lbno)zO{<`<`9oMW>O-m&icFh_!aF*EuwzJ`Ah1p7FsrvI7m
zaefksW(6}#^r2Lr=wllAXO`%n@^EFA=%0Ha#Bj0CSap*OM6*OUQhj2d2J4$GTp2+c
zkU=}6i!NHYGJ<qq`}lCy3`F3#)T%N^W5)eRLfyb8%v-?RRSZf@+z_Z9TLpS`Xj7<g
z$Wo*@Tv1;qDV}tCG{(SEkH#??9!-P;q%sCA{B>~##(H~II2bBZZ1TNzSqimPr@`=K
zU`Gs-y}>$xM?T(OiL(+OEylqCkETMu#3?>|@YZEGC0M8FaYdg7Q?J1~K?8n?#Jh&a
zFUAb=Xh|0GQ(4HbVE`9KeFA=9Zop6RG~lNso-@>SQ8CtuM@z!|gOm*UWqABs-<wh_
zO^?RH!QYgJ!_TS2XJX#on1=iktUPa>3iCP5U|`%|m%-GhN6Q!%d!1j#v8(rJ0%k0I
znhb}jvjp+Q+pF-n!=t5PEo50R=*%cXNUQB-l;bJ1M-u@?Fc{|Y?PV}T7V=Zo`lt?0
T>se`-W&gP5p*c(JMD+gvAB9OH

literal 0
HcmV?d00001