Fix loop in QPDFOutlineDocumentHelper (fuzz issue 30507)

2021-02-10 16:26:32 -05:00 · 2021-02-10 16:26:32 -05:00 · 9fcf61b2f6
parent 4d1f2fdcac
commit 9fcf61b2f6
3 changed files with 10 additions and 0 deletions
--- a/3
+++ b/3
@ -1,5 +1,8 @@
 2021-02-10  Jay Berkenbilt  <ejb@ql.org>

+	* Detect loops when adding when reading outlines dictionary upon
+	initialization of QPDFOutlineDocumentHelper (fuzz issue 30507).
+
 	* Add "attachments" as an additional json key, and add some
 	information about attachments to the json output.

--- a/fuzz/qpdf_extra/30507.fuzz
+++ b/fuzz/qpdf_extra/30507.fuzz
--- a/libqpdf/QPDFOutlineDocumentHelper.cc
+++ b/libqpdf/QPDFOutlineDocumentHelper.cc
@ -24,8 +24,15 @@ QPDFOutlineDocumentHelper::QPDFOutlineDocumentHelper(QPDF& qpdf) :
        return;
    }
    QPDFObjectHandle cur = outlines.getKey("/First");
+    std::set<QPDFObjGen> seen;
    while (! cur.isNull())
    {
+        auto og = cur.getObjGen();
+        if (seen.count(og))
+        {
+            break;
+        }
+        seen.insert(og);
        this->m->outlines.push_back(
            QPDFOutlineObjectHelper::Accessor::create(cur, *this, 1));
        cur = cur.getKey("/Next");