mirror of
https://github.com/qpdf/qpdf.git
Fix infinite loop while reporting an error (fixes #101)
This is CVE-2017-9210. The description string for an error message included unparsing an object, which is too complex of a thing to try to do while throwing an exception. There was only one example of this in the entire codebase, so it is not a pervasive problem. Fixing this eliminated one class of infinite loop errors.
parent
bd6c845619
commit
603f222365
|
@ -1,3 +1,8 @@
|
||||||
|
2017-07-26 Jay Berkenbilt <ejb@ql.org>
|
||||||
|
|
||||||
|
* CVE-2017-9210: Fix infinite loop caused by attempting to unparse
|
||||||
|
an object for inclusion in the text of an exception.
|
||||||
|
|
||||||
2015-11-10 Jay Berkenbilt <ejb@ql.org>
|
2015-11-10 Jay Berkenbilt <ejb@ql.org>
|
||||||
|
|
||||||
* 6.0.0: release
|
* 6.0.0: release
|
||||||
|
|
|
@ -1076,8 +1076,7 @@ QPDFObjectHandle::parseInternal(PointerHolder<InputSource> input,
|
||||||
throw QPDFExc(
|
throw QPDFExc(
|
||||||
qpdf_e_damaged_pdf,
|
qpdf_e_damaged_pdf,
|
||||||
input->getName(), object_description, offset,
|
input->getName(), object_description, offset,
|
||||||
std::string("dictionary key not name (") +
|
std::string("dictionary key is not not a name token"));
|
||||||
key_obj.unparse() + ")");
|
|
||||||
}
|
}
|
||||||
dict[key_obj.getName()] = val;
|
dict[key_obj.getName()] = val;
|
||||||
}
|
}
|
||||||
|
|
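Review bot: The replacement message on the new side reads `"dictionary key is not not a name token"`, with "not" doubled; the line should be `std::string("dictionary key is not a name token"));`. Dropping `key_obj.unparse()` keeps the exception path from doing any further object handling, at the cost that the message no longer says what the offending key was, so `object_description` and `offset` are the only locators left for whoever triages a damaged file. The expected output added in issue-101.out ends with a different error, so this wording does not appear to be pinned by the new test. parseInternal's body starts and ends outside the hunk.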
|
@ -206,7 +206,7 @@ $td->runtest("remove page we don't have",
|
||||||
show_ntests();
|
show_ntests();
|
||||||
# ----------
|
# ----------
|
||||||
$td->notify("--- Miscellaneous Tests ---");
|
$td->notify("--- Miscellaneous Tests ---");
|
||||||
$n_tests += 77;
|
$n_tests += 78;
|
||||||
|
|
||||||
$td->runtest("qpdf version",
|
$td->runtest("qpdf version",
|
||||||
{$td->COMMAND => "qpdf --version"},
|
{$td->COMMAND => "qpdf --version"},
|
||||||
|
@ -218,6 +218,20 @@ $td->runtest("C API: qpdf version",
|
||||||
$td->EXIT_STATUS => 0},
|
$td->EXIT_STATUS => 0},
|
||||||
$td->NORMALIZE_NEWLINES);
|
$td->NORMALIZE_NEWLINES);
|
||||||
|
|
||||||
|
# Files to reproduce various bugs
|
||||||
|
foreach my $d (
|
||||||
|
["101", "resolve for exception text"],
|
||||||
|
)
|
||||||
|
{
|
||||||
|
my ($n, $description) = @$d;
|
||||||
|
$td->runtest($description,
|
||||||
|
{$td->COMMAND => "qpdf issue-$n.pdf a.pdf"},
|
||||||
|
{$td->FILE => "issue-$n.out",
|
||||||
|
$td->EXIT_STATUS => 2},
|
||||||
|
$td->NORMALIZE_NEWLINES);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
foreach (my $i = 1; $i <= 3; ++$i)
|
foreach (my $i = 1; $i <= 3; ++$i)
|
||||||
{
|
{
|
||||||
$td->runtest("misc tests",
|
$td->runtest("misc tests",
|
||||||
|
|
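Review bot: The new `foreach my $d (...)` loop is a regression test for a hang, yet nothing visible here bounds how long `qpdf issue-$n.pdf a.pdf` may run, so if the loop bug returns the suite would stall instead of reporting a failure; whether `$td->runtest` enforces a timeout is not visible in this section. A comment above the list would record what each entry guards, for example `# Each entry is [issue number, description]; qpdf must exit 2 with the output in issue-N.out rather than hang.` The hand-edited `$n_tests += 78;` in the first hunk also has to be bumped for every entry added to this list; keeping the list in a named array and adding its length would remove that coupling. Both hunks sit in top-level test script code that continues outside the section.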
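--- a/qpdf/qtest/qpdf/issue-101.out
+++ b/qpdf/qtest/qpdf/issue-101.out
@@ -0,0 +1,6 @@
+WARNING: issue-101.pdf: file is damaged
+WARNING: issue-101.pdf (file position 3526): xref not found
+WARNING: issue-101.pdf: Attempting to reconstruct cross-reference table
+WARNING: issue-101.pdf (object 5 0, file position 1509): attempting to recover stream length
+WARNING: issue-101.pdf (object 5 0, file position 2097): attempting to recover stream length
+issue-101.pdf (trailer, file position 2928): unknown token while reading object (ÿ)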
BIN
qpdf/qtest/qpdf/issue-101.pdf
Normal file
BIN
qpdf/qtest/qpdf/issue-101.pdf
Normal file
Binary file not shown.