Fix infinite loop while reporting an error (fixes #101)

This is CVE-2017-9210. The description string for an error message included unparsing an object, which is too complex of a thing to try to do while throwing an exception. There was only one example of this in the entire codebase, so it is not a pervasive problem. Fixing this eliminated one class of infinite loop errors.
2024-12-22 02:49:00 +00:00 · 2017-07-25 10:13:30 -04:00 · 2017-07-25 10:13:30 -04:00 · 603f222365
commit 603f222365
parent bd6c845619
5 changed files with 27 additions and 3 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+2017-07-26  Jay Berkenbilt  <ejb@ql.org>
+
+	* CVE-2017-9210: Fix infinite loop caused by attempting to unparse
+	an object for inclusion in the text of an exception.
+
 2015-11-10  Jay Berkenbilt  <ejb@ql.org>

 	* 6.0.0: release
--- a/libqpdf/QPDFObjectHandle.cc
+++ b/libqpdf/QPDFObjectHandle.cc
@ -1076,8 +1076,7 @@ QPDFObjectHandle::parseInternal(PointerHolder<InputSource> input,
 		throw QPDFExc(
 		    qpdf_e_damaged_pdf,
 		    input->getName(), object_description, offset,
-		    std::string("dictionary key not name (") +
-		    key_obj.unparse() + ")");
+		    std::string("dictionary key is not not a name token"));
 	    }
 	    dict[key_obj.getName()] = val;
 	}
--- a/qpdf/qtest/qpdf.test
+++ b/qpdf/qtest/qpdf.test
@ -206,7 +206,7 @@ $td->runtest("remove page we don't have",
 show_ntests();
 # ----------
 $td->notify("--- Miscellaneous Tests ---");
-$n_tests += 77;
+$n_tests += 78;

 $td->runtest("qpdf version",
 	     {$td->COMMAND => "qpdf --version"},
@ -218,6 +218,20 @@ $td->runtest("C API: qpdf version",
 	      $td->EXIT_STATUS => 0},
 	     $td->NORMALIZE_NEWLINES);

+# Files to reproduce various bugs
+foreach my $d (
+    ["101", "resolve for exception text"],
+    )
+{
+    my ($n, $description) = @$d;
+    $td->runtest($description,
+                 {$td->COMMAND => "qpdf issue-$n.pdf a.pdf"},
+                 {$td->FILE => "issue-$n.out",
+                  $td->EXIT_STATUS => 2},
+                 $td->NORMALIZE_NEWLINES);
+}
+
+
 foreach (my $i = 1; $i <= 3; ++$i)
 {
    $td->runtest("misc tests",
--- a/qpdf/qtest/qpdf/issue-101.out
+++ b/qpdf/qtest/qpdf/issue-101.out
@ -0,0 +1,6 @@
+WARNING: issue-101.pdf: file is damaged
+WARNING: issue-101.pdf (file position 3526): xref not found
+WARNING: issue-101.pdf: Attempting to reconstruct cross-reference table
+WARNING: issue-101.pdf (object 5 0, file position 1509): attempting to recover stream length
+WARNING: issue-101.pdf (object 5 0, file position 2097): attempting to recover stream length
+issue-101.pdf (trailer, file position 2928): unknown token while reading object (ÿ)
--- a/qpdf/qtest/qpdf/issue-101.pdf
+++ b/qpdf/qtest/qpdf/issue-101.pdf