mirror of
https://github.com/qpdf/qpdf.git
synced 2024-12-22 10:58:58 +00:00
Avoid resolving arguments to R
When checking two objects preceding R while parsing, ensure that the objects are direct. This avoids stuff like 1 0 obj containing 1 0 R 0 R from causing an infinite loop in object resolution.
This commit is contained in:
parent
d8900c2255
commit
c729e07d55
@ -1,3 +1,11 @@
|
||||
2015-02-21 Jay Berkenbilt <ejb@ql.org>
|
||||
|
||||
* Ensure that arguments to "R" when parsing the file are direct
|
||||
objects before trying to resolve them. This prevents specially
|
||||
crafted files from causing qpdf to crash with a stack overflow.
|
||||
Thanks to Gynvael Coldwind and Mateusz Jurczyk of the Google
|
||||
Security Team for providing a sample file with this problem.
|
||||
|
||||
2014-12-01 Jay Berkenbilt <ejb@ql.org>
|
||||
|
||||
* Some broken PDF files lack the required /Type key for /Page and
|
||||
|
@ -966,7 +966,9 @@ QPDFObjectHandle::parseInternal(PointerHolder<InputSource> input,
|
||||
std::string const& value = token.getValue();
|
||||
if ((value == "R") && (in_array || in_dictionary) &&
|
||||
(olist.size() >= 2) &&
|
||||
(! olist.at(olist.size() - 1).isIndirect()) &&
|
||||
(olist.at(olist.size() - 1).isInteger()) &&
|
||||
(! olist.at(olist.size() - 2).isIndirect()) &&
|
||||
(olist.at(olist.size() - 2).isInteger()))
|
||||
{
|
||||
if (context == 0)
|
||||
|
@ -199,7 +199,7 @@ $td->runtest("remove page we don't have",
|
||||
show_ntests();
|
||||
# ----------
|
||||
$td->notify("--- Miscellaneous Tests ---");
|
||||
$n_tests += 74;
|
||||
$n_tests += 75;
|
||||
|
||||
$td->runtest("qpdf version",
|
||||
{$td->COMMAND => "qpdf --version"},
|
||||
@ -562,6 +562,10 @@ $td->runtest("no type key for page nodes",
|
||||
{$td->COMMAND => "qpdf --check no-pages-types.pdf"},
|
||||
{$td->FILE => "no-pages-types.out", $td->EXIT_STATUS => 0},
|
||||
$td->NORMALIZE_NEWLINES);
|
||||
$td->runtest("ensure arguments to R are direct",
|
||||
{$td->COMMAND => "qpdf --check indirect-r-arg.pdf"},
|
||||
{$td->FILE => "indirect-r-arg.out", $td->EXIT_STATUS => 2},
|
||||
$td->NORMALIZE_NEWLINES);
|
||||
|
||||
show_ntests();
|
||||
# ----------
|
||||
|
1
qpdf/qtest/qpdf/indirect-r-arg.out
Normal file
1
qpdf/qtest/qpdf/indirect-r-arg.out
Normal file
@ -0,0 +1 @@
|
||||
indirect-r-arg.pdf (file position 76): unknown token while reading object (R)
|
102
qpdf/qtest/qpdf/indirect-r-arg.pdf
Normal file
102
qpdf/qtest/qpdf/indirect-r-arg.pdf
Normal file
@ -0,0 +1,102 @@
|
||||
%PDF-1.3
|
||||
%¿÷¢þ
|
||||
%QDF-1.0
|
||||
|
||||
%% Original object ID: 1 0
|
||||
1 0 obj
|
||||
<<
|
||||
/X 1 0 R 0 R
|
||||
/Pages 2 0 R
|
||||
/Type /Catalog
|
||||
>>
|
||||
endobj
|
||||
|
||||
%% Original object ID: 2 0
|
||||
2 0 obj
|
||||
<<
|
||||
/Count 1
|
||||
/Kids [
|
||||
3 0 R
|
||||
]
|
||||
/Type /Pages
|
||||
>>
|
||||
endobj
|
||||
|
||||
%% Page 1
|
||||
%% Original object ID: 3 0
|
||||
3 0 obj
|
||||
<<
|
||||
/Contents 4 0 R
|
||||
/MediaBox [
|
||||
0
|
||||
0
|
||||
612
|
||||
792
|
||||
]
|
||||
/Parent 2 0 R
|
||||
/Resources <<
|
||||
/Font <<
|
||||
/F1 6 0 R
|
||||
>>
|
||||
/ProcSet 7 0 R
|
||||
>>
|
||||
/Type /Page
|
||||
>>
|
||||
endobj
|
||||
|
||||
%% Contents for page 1
|
||||
%% Original object ID: 4 0
|
||||
4 0 obj
|
||||
<<
|
||||
/Length 5 0 R
|
||||
>>
|
||||
stream
|
||||
BT
|
||||
/F1 24 Tf
|
||||
72 720 Td
|
||||
(Potato) Tj
|
||||
ET
|
||||
endstream
|
||||
endobj
|
||||
|
||||
5 0 obj
|
||||
44
|
||||
endobj
|
||||
|
||||
%% Original object ID: 6 0
|
||||
6 0 obj
|
||||
<<
|
||||
/BaseFont /Helvetica
|
||||
/Encoding /WinAnsiEncoding
|
||||
/Name /F1
|
||||
/Subtype /Type1
|
||||
/Type /Font
|
||||
>>
|
||||
endobj
|
||||
|
||||
%% Original object ID: 5 0
|
||||
7 0 obj
|
||||
[
|
||||
/PDF
|
||||
/Text
|
||||
]
|
||||
endobj
|
||||
|
||||
xref
|
||||
0 8
|
||||
0000000000 65535 f
|
||||
0000000052 00000 n
|
||||
0000000148 00000 n
|
||||
0000000257 00000 n
|
||||
0000000499 00000 n
|
||||
0000000598 00000 n
|
||||
0000000644 00000 n
|
||||
0000000789 00000 n
|
||||
trailer <<
|
||||
/Root 1 0 R
|
||||
/Size 8
|
||||
/ID [<9e2756c6254602d0b896148e97ee7414><9e2756c6254602d0b896148e97ee7414>]
|
||||
>>
|
||||
startxref
|
||||
824
|
||||
%%EOF
|
Loading…
Reference in New Issue
Block a user