Avoid xref reconstruction infinite loop (fixes #100)

This is CVE-2017-9209.
2017-07-25 10:21:27 -04:00 · 2017-07-25 10:21:27 -04:00 · 315092dd98
parent 603f222365
commit 315092dd98
6 changed files with 22 additions and 1 deletions
--- a/4
+++ b/4
@ -1,5 +1,9 @@
 2017-07-26  Jay Berkenbilt  <ejb@ql.org>

+	* CVE-2017-9209: Fix infinite loop caused by attempting to
+	reconstruct the xref table while already in the process of
+	reconstructing the xref table.
+
 	* CVE-2017-9210: Fix infinite loop caused by attempting to unparse
 	an object for inclusion in the text of an exception.

--- a/include/qpdf/QPDF.hh
+++ b/include/qpdf/QPDF.hh
@ -1075,6 +1075,7 @@ class QPDF
    // copied_stream_data_provider is owned by copied_streams
    CopiedStreamDataProvider* copied_stream_data_provider;
    std::set<QPDFObjGen> attachment_streams;
+    bool reconstructed_xref;

    // Linearization data
    qpdf_offset_t first_xref_item_offset; // actual value from file
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@ -93,6 +93,7 @@ QPDF::QPDF() :
    cached_key_generation(0),
    pushed_inherited_attributes_to_pages(false),
    copied_stream_data_provider(0),
+    reconstructed_xref(false),
    first_xref_item_offset(0),
    uncompressed_after_compressed(false)
 {
@ -331,6 +332,15 @@ QPDF::setTrailer(QPDFObjectHandle obj)
 void
 QPDF::reconstruct_xref(QPDFExc& e)
 {
+    if (this->reconstructed_xref)
+    {
+        // Avoid xref reconstruction infinite loops
+        QTC::TC("qpdf", "QPDF caught recursive xref reconstruction");
+        throw e;
+    }
+
+    this->reconstructed_xref = true;
+
    PCRE obj_re("^\\s*(\\d+)\\s+(\\d+)\\s+obj\\b");
    PCRE endobj_re("^\\s*endobj\\b");
    PCRE trailer_re("^\\s*trailer\\b");
--- a/qpdf/qtest/qpdf.test
+++ b/qpdf/qtest/qpdf.test
@ -206,7 +206,7 @@ $td->runtest("remove page we don't have",
 show_ntests();
 # ----------
 $td->notify("--- Miscellaneous Tests ---");
-$n_tests += 78;
+$n_tests += 79;

 $td->runtest("qpdf version",
 	     {$td->COMMAND => "qpdf --version"},
@ -220,6 +220,7 @@ $td->runtest("C API: qpdf version",

 # Files to reproduce various bugs
 foreach my $d (
+    ["100","xref reconstruction loop"],
    ["101", "resolve for exception text"],
    )
 {
--- a/qpdf/qtest/qpdf/issue-100.out
+++ b/qpdf/qtest/qpdf/issue-100.out
@ -0,0 +1,5 @@
+WARNING: issue-100.pdf: file is damaged
+WARNING: issue-100.pdf (file position 736): xref not found
+WARNING: issue-100.pdf: Attempting to reconstruct cross-reference table
+WARNING: issue-100.pdf (object 5 0, file position 489): attempting to recover stream length
+issue-100.pdf (object 6 0, file position 59): expected n n obj
--- a/qpdf/qtest/qpdf/issue-100.pdf
+++ b/qpdf/qtest/qpdf/issue-100.pdf