From 9fcf61b2f6e9f6670c5ef7103242b4640712dd4f Mon Sep 17 00:00:00 2001
From: Jay Berkenbilt <ejb@ql.org>
Date: Wed, 10 Feb 2021 16:26:32 -0500
Subject: [PATCH] Fix loop in QPDFOutlineDocumentHelper (fuzz issue 30507)

---
 ChangeLog                            |   3 +++
 fuzz/qpdf_extra/30507.fuzz           | Bin 0 -> 9548 bytes
 libqpdf/QPDFOutlineDocumentHelper.cc |   7 +++++++
 3 files changed, 10 insertions(+)
 create mode 100644 fuzz/qpdf_extra/30507.fuzz

diff --git a/ChangeLog b/ChangeLog
index f587b967..2146f9e0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 2021-02-10  Jay Berkenbilt  <ejb@ql.org>
 
+	* Detect loops when adding when reading outlines dictionary upon
+	initialization of QPDFOutlineDocumentHelper (fuzz issue 30507).
+
 	* Add "attachments" as an additional json key, and add some
 	information about attachments to the json output.
 
diff --git a/fuzz/qpdf_extra/30507.fuzz b/fuzz/qpdf_extra/30507.fuzz
new file mode 100644
index 0000000000000000000000000000000000000000..e8c28d04502bd13cf81a66cd2739a795b667ca38
GIT binary patch
literal 9548
zcmc&)Uu@gP8CRC1%Y<nS);ttlAI^51*p6lLNQsneM|Nz-@gLciW%*C+$`&P2wrp9n
zDSFMkp)iK6TY>GRdl|3+E3m%wHRv#`4}}K|Xxd>&v2NM+)^-@sm#yy`hU~jL9!;6D
zEqP8uKrwkF@4owezwh^bcTB4=YU!KO1)tA{yF!81Pyhb#qktcWLr6qMc0JJBivmKt
zSk^VOxVxW67%ry}4lD3?1T7(qLs29t3QCjbkfer`5S-mcAqmTHGKpjn{-lr;l9VtC
z#9}C*m-D1+bjstNsTTsoLJ5o!?E@=_o}qHUZ#StbW^Iq*U~M>r!-t>4illnlR4jVh
zq9TAo4l>5`^h^>%k%KncBuWzYwuQa@Ns8*RMT*FtcV+1D@EEcrdES*})ny;EMGn{K
zPZhoWMP%>0(Xa;tIm$6Tz?m|D4(Do<qw;~xmZ=p>x(Qqg2s6c99bq*b5Jt-d1Be8+
zpd>IPX&4q<!nEjR!qmS>I0J5mM~9YrRXHq$3z32<t5`26k}gLJN>tCPkwP|)BYLb?
zlCdi0Lz=1p5?Iq@U6P_<tV955UCqg{G_WsFu{6`76cPiit+%I!84rO_WN3%-32jx6
zYgxTiK@bAM<j!UV*e=qG1Zrys9!vCM1_>q-X25m?ZL0f$X!QdMc_4tX`w{GPGDJI(
zkgxzx0ZYlK(DxAPgudyknDu9m9*~$Z^cgz7MEVD=IB(KcMGQyj4Vm9y=7MvHIa0Ne
zLBJcD)AZig2nZE02I7c1CH1W>9SMV)rIn0T@C&&=VdSB0wxUn%SS8Sj3bZ??I1Hgh
zU!Bk`Ee|h3Z@>)FL`Juj0IQ_U#vW#kLtzAxfujJ&6tEzQgyCYz(!uiKl4j{cdXA17
z*UPKc8p6Ik+9m0+Vwt+O8Ssz1md#``g-qrxJ)>tb@xsSizwh!l+CJEy-rqa-j=J}j
zZ|>C#%H@vCd*A)~8()3>%3$!aFMF%4kh!dX{G-o*@y>UC|H9Ju-`)S!bCGvb|N7f|
z`;UCnFZ^~tv;6Fv|LA{l_>I-QE6*(y{O1Q3uAKkt590qFT@U=^*Ka@kInF)vQ=k9g
z#eW-L`Q0yHjQP$z<BQ_f$7H6qY0jKeTw`$vl#(}tvN})%gh8Wh>17L?phW2$1Hy!!
zFKPqEJxWIrDL^3=fFk;v&`fyP<*=k)F?P%xIE9d67&>Do7(x(&8{7bx2?^84&FJu+
z%7T&LC@^0W50i_voy{zYfHqNQ4w}ZdYg>>sEbtFJR^?vG0w=Us&kjcd;9IjotmfUv
zHG0V>JZS8I-H>qHjG+(L?vmJBv`RW^8?F2kkVC;33U@<b-CacGol@!GpLQ2yoTzLx
zqB@iMJ-1c1l?uZRk{z{D;juBKgVB%=8M|u?hSE*dGa&OjX$C1%-_kZfYG4kSO#&&Z
zvWS2taxL?zZXQ5sTLlCoo}*Slu2#w0gfVVJ>BLU5=hmiH&O;D)QB*MoSci+2+Ys(V
zhMoftM~`rx$i0momwSeKkW>t|$ua|$bnmg0+&aP1-hy5zh+<e4MFqo8hhIn()u<>+
zkgN)-C~NZJLzJ@^etGzXL>Wq=Gdi*`DvU@+mcbectdYSCVu_T8bGRnw<em%`%bI-;
zW)M=qa(G__>q8OyIp|A<Hd%_f7)+5@pn;@L?C_K$&l9bUysg5ZFeJJp7w{|+2=F6Z
zS*mzKI%4QQ%Vok2X6VF@Ji^;bF}G%zP%?H&HeDE7l88_chY*g4NL57_dmOsh?BPc8
z;9@KW%MSP9p$K{N1d6oTMuJih6KRZzC+UP^p^Y*}m0L*V+m5tqvGJJ5<sYQ^NE}Bi
z2Ea%y<S{2P6z33-#SI<TB^x>(S={|x-)#5uFtr2E?SB@c#Q$^*kKL?Js<5R&m6#v+
zzshc=Uc~NWCD>uC4K0@nJ_C{%UDClX*$l|Kge!+V0q<a*sZ{0Kx~9UIES)?Viod`s
z6p<w}5=T%5<jmrhRW!;mzrR;7^M&r@&~VJ(+jnnE%WXg+hFaj}b@O^(%v(0F$`x_}
zWGGs6(|?c>4$EOw;A<by3K*XpBnGN0Tc@N5D=`M>krjmyf5H_7mK-md##TKgMTV^%
z-Bl7W_2}BrE<kPI?b6Wnf09gm__CZzNYj@_&)@&UkM|z*H(kB>;L)WA!f5CF^Wxio
zN?m&YQ#0_%moACE&wl7ndOhJ3HBiv<>aDseIY2sk@$ut}z|bR+cF8y|D9*Na!;%y6
zbs}vSq_BE$l=N7n?eIMUY4Iqer4QXm-|~-nk#;H*7t&OR9f5a{R=6HdXiuw3#<1bR
z;tI;-x;SkkO>MWQbUe~5EjEmF6{pAi<28`xY155#Rh~LPnkSg2$Z45-yHTWB3ZuJQ
z$0N<;sbQr5n7Y*CsK<;yUIS^KdMMI4x*?{J99@IcEOO614fXh$z4XIme~7RB8X`3@
zzAjQ%Wyr%qT_qnEuO0}s^vEqAFZm~GK+P4*MQXbGbwe%88Ks>~or`Y`QfKwmVi`32
zNvA})(UfS*2icjc3u$MS|B8K(-4Z7yRv~?m62JUGvEzIB?ccn*b?(CRzW?a{NiWc}
zV*)B{>XEzT)V;Ig+Rh+bm6T33fUaXVgYG<$YLo6uV6w@18gf!A>LDlDsf7U=)`35}
z$yxSK)xeBPk(-=c8|ccwQCyXm@TbG<EOvl!=v29F&qr;q3u)%chLQfrLE7j0>}7v~
zAe~}+ft-n4iQGtYX{bgT)}{XsJI@B`Q|2~mdp$@;nASCn^j{pLp)%g{PkT8{dnP8h
zkdBb)*k-wOAi`Jp6Z)I%Ae-!8=&mLXaV=`FilDaFg)|$WQKauzRmQK?T7yJL&xeub
zigJk4JgqdS9)38^X#W_8l&&r?m@MKO#o8r_$5w0+CX&~yJ_VeV+~&pmRkiW!{+SxA
z=GB>-)m&3($g^eW5)y9B433UQ!u&JE@aIqRaD5O-BVoRnhc6<kf`k#h2;WTxjgn!`
zz`g=(a*^+O6#RjrRY~aPps~4Sl*t!^2;w^x5pNk5=~+zQ6|-$d=34MhNXzBAhvzpY
z<2#GRu{cgf7x10gc6@uYd0=z#dUtP5TWg)WtF7Gb6tqgNShR|zyx!E*v|`*|>YSAO
zXUp@i)Y#Xc;}RxAR1xgSX_VM|D8Oo<dkg@pYZi*00)?no8z~CmGM?SK7L47<Z1ii{
zsg~Z<oKlES1bgD4)$OtMbl>%{PQ7)oY5GP?!cxoN!um-2T=P;e(^r_@?p*HfTI;GL
z+Wot=5TIj{*{ab41YD}gY5xTw;9X;$8iB3V_%8VdPmb={zW(OyxL6YbzWQ__aE&Y6
z@e%eUIN+`MC;}^2lbiD`)7$IDT0}GBQ%bhCzlhg^-A${?d|O<sNZpa8*w|2P(g>E5
zcly_|>pR;!Ep6AEZ>oL>gyxZrB&9doC^&-OP7I%x!r1<R;?6qEgPTi}^H<k}Y`U~k
zkSoEZ_PgZ)W1-v=9GKXUR;H(o>{>^2u4g?RwKj(rC&t?QQX6L0?0+dZ>EFGx-clHE
z>RMjBX_~cs$c818f+~OqGNudlBWCK-$;Q0cRF9rv`A8yn6vhDtJ-xm>8xQxFilNDk
z>`1aNIFM}~U((I&o!rR8MpD>TX4?`bULG%$R_5|}yBJyU?>2R%*H)W)&BXFZrn9d$
z5S+~}MPtk8vj(CrVMp*SOAHPerTnN>oh44qF!4y01Zb&B8s!`P+QR5Ur)DfkD=DMX
zTAIRXalJ*qF)OMID{c9{?$(Y}(^THNtBCEEm7ozav@z2fYwJmNh?6y;r2|ur9V81(
Q{#VP>$rkX<kS5mu0pGf8y8r+H

literal 0
HcmV?d00001

diff --git a/libqpdf/QPDFOutlineDocumentHelper.cc b/libqpdf/QPDFOutlineDocumentHelper.cc
index 85aff76b..b5b82a29 100644
--- a/libqpdf/QPDFOutlineDocumentHelper.cc
+++ b/libqpdf/QPDFOutlineDocumentHelper.cc
@@ -24,8 +24,15 @@ QPDFOutlineDocumentHelper::QPDFOutlineDocumentHelper(QPDF& qpdf) :
         return;
     }
     QPDFObjectHandle cur = outlines.getKey("/First");
+    std::set<QPDFObjGen> seen;
     while (! cur.isNull())
     {
+        auto og = cur.getObjGen();
+        if (seen.count(og))
+        {
+            break;
+        }
+        seen.insert(og);
         this->m->outlines.push_back(
             QPDFOutlineObjectHelper::Accessor::create(cur, *this, 1));
         cur = cur.getKey("/Next");