2
1
mirror of https://github.com/qpdf/qpdf.git synced 2024-11-04 20:37:50 +00:00
Commit Graph

143 Commits

Author SHA1 Message Date
Jay Berkenbilt
b07ad6794e Fix bugs found by fuzz tests
* Several assertions in linearization were not always true; change
  them to run time errors
* Handle a few cases of uninitialized objects
* Handle pages with no contents when doing form operations
* Handle invalid page tree nodes when traversing pages
2019-06-21 17:56:24 -04:00
Jay Berkenbilt
d71f05ca07 Fix sign and conversion warnings (major)
This makes all integer type conversions that have potential data loss
explicit with calls that do range checks and raise an exception. After
this commit, qpdf builds with no warnings when -Wsign-conversion
-Wconversion is used with gcc or clang or when -W3 -Wd4800 is used
with MSVC. This significantly reduces the likelihood of potential
crashes from bogus integer values.

There are some parts of the code that take int when they should take
size_t or an offset. Such places would make qpdf not support files
with more than 2^31 of something that usually wouldn't be so large. In
the event that such a file shows up and is valid, at least qpdf would
raise an error in the right spot so the issue could be legitimately
addressed rather than failing in some weird way because of a silent
overflow condition.
2019-06-21 13:17:21 -04:00
Jay Berkenbilt
da30764bce Change QPDFObjectHandle::pipeStreamData's encode_flags type
Change from unsigned long to int since we pass enumerated type values
to this field.
2019-06-21 13:17:21 -04:00
Jay Berkenbilt
3608afd5c5 Add new integer accessors to QPDFObjectHandle 2019-06-21 13:17:21 -04:00
Jay Berkenbilt
cf469d7890 Give up reading objects with too many consecutive errors 2019-06-15 08:52:19 -04:00
Jay Berkenbilt
4ccb29912a Tighten isPageObject (fixes #310) 2019-04-20 21:00:43 -04:00
Jay Berkenbilt
eb49e07c0a Make inline image token exactly contain the image data
Do not include the trailing EI, and handle cases where EI is not
preceded by a delimiter. Such cases have been seen in the wild.
2019-01-31 20:28:44 -05:00
Jay Berkenbilt
ec9e310c9e Refactor QPDFTokenizer's inline image handling
Add a version of expectInlineImage that takes an input source and
searches for EI. This is in preparation for improving the way EI is
found. This commit just refactors the code without changing the
functionality and adds tests to make sure the old and new code behave
identically.
2019-01-31 09:26:37 -05:00
Jay Berkenbilt
31372edce0 Inline image token value ends with EI, not delimiter
The inline image token erroneously included the delimiter that
followed EI. The ObjectHandle created from it was correct.
2019-01-31 09:26:37 -05:00
Jay Berkenbilt
8cb245739c Add QPDFObjectHandle::getUniqueResourceName 2019-01-27 07:50:30 -05:00
Jay Berkenbilt
009767d97a Handle inheritable page attributes
Add getAttribute for handling inheritable page attributes, and fix
getPageImages and annotation flattening code to use it.
2019-01-25 22:30:05 -05:00
Jay Berkenbilt
f78ea057ca Switch annotation flattening to use the form xobjects
Instead of directly putting the contents of the annotation appearance
streams into the page's content stream, add commands to render the
form xobjects directly. This is a more robust way to do it than the
original solution as it works properly with patterns and avoids
problems with resource name clashes between the pages and the form
xobjects.
2019-01-02 21:49:47 -05:00
Jay Berkenbilt
95d6b17a89 Add QPDFObjectHandle::mergeDictionary() 2019-01-01 08:12:56 -05:00
Jay Berkenbilt
5059ec0d35 Add Matrix class under QPDFObjectHandle 2018-12-31 23:02:43 -05:00
Jay Berkenbilt
30a0c070e4 Add QPDFObjectHandle::getJSON() 2018-12-21 18:34:56 -05:00
Jay Berkenbilt
077d3d4512 Add QPDFObjectHandle::wrapInArray()
Wrap an object in an array if it is not already an array.
2018-12-18 16:45:48 -05:00
Jay Berkenbilt
38c9ed23c3 Treat content stream parsing errors as an error, not a warning
If parsing content streams is treated as a warning, there is no way
for a caller to know if a parsing operation has failed. This is very
dangerous and will likely result in data loss when token filters are
parser callbacks are in use.
2018-06-22 10:44:08 -04:00
Jay Berkenbilt
ddd78c1b7f Fix QPDFObjectHandle::shallowCopy
It's not really a shallow copy. It just doesn't cross indirect object
boundaries. The old implementation had a bug that would cause multiple
shallow copies of the same object to share memory, which was not the
intention.
2018-06-21 20:34:45 -04:00
Jay Berkenbilt
952a665a4e Better support for creating Unicode strings 2018-06-21 15:57:13 -04:00
Jay Berkenbilt
4cded10821 Add QPDFObjectHandle::Rectangle type
Provide a convenient way of accessing rectangles.
2018-06-21 15:57:13 -04:00
Jay Berkenbilt
b4d6cf6836 Limit depth of nesting in direct objects (fixes #202)
This fixes CVE-2018-9918.
2018-04-15 16:11:22 -04:00
Jay Berkenbilt
e4e2e26d99 Properly handle pages with no contents (fixes #194)
Remove calls to assertPageObject(). All cases in the library that
called assertPageObject() work fine if you don't call
assertPageObject() because nothing assumes anything that was being
checked by that call. Removing the calls enables more files to be
successfully processed.
2018-03-06 11:34:07 -05:00
Jay Berkenbilt
d0e99f195a More robust handling of type errors
Give objects descriptions and context so it is possible to issue
warnings instead of fatal errors for attempts to access objects of the
wrong type.
2018-02-18 21:06:27 -05:00
Jay Berkenbilt
21b7481b0e Push members of QPDFObjectHandle into a Members object
As in other cases, this is to enable adding new member variables in
the future without breaking ABI compatibility.
2018-02-18 21:06:27 -05:00
Jay Berkenbilt
e410b0fe0d Simplify TokenFilter interface
Expose Pl_QPDFTokenizer, and have it do more of the work of managing
the token filter's pipeline.
2018-02-18 21:05:47 -05:00
Jay Berkenbilt
5708b5d0aa Add additional interface for filtering page contents 2018-02-18 21:05:47 -05:00
Jay Berkenbilt
9910104442 Implement TokenFilter and refactor Pl_QPDFTokenizer
Implement a TokenFilter class and refactor Pl_QPDFTokenizer to use a
TokenFilter class called ContentNormalizer. Pl_QPDFTokenizer is now a
general filter that passes data through a TokenFilter.
2018-02-18 21:05:46 -05:00
Jay Berkenbilt
b8723e97f4 Add coalesce contents capability 2018-02-18 21:05:46 -05:00
Jay Berkenbilt
fcd611b61e Refactor parseContentStream 2018-02-18 21:05:46 -05:00
Jay Berkenbilt
05ff619b09 Remove redundant method
Remove a redundant method that was equal to another one with
additional arguments. This breaks binary compatibility, but there are
other ABI breaking changes in the upcoming release, so now is the time
to do it.
2018-02-18 21:05:46 -05:00
Jay Berkenbilt
55ee55394c Use inline image token in content parser 2018-02-18 21:05:46 -05:00
Jay Berkenbilt
d31a7b76e7 Improve message for stream decoding error
Tweak the message so that we inform the user that we are mitigating
data loss.
2017-09-12 16:03:48 -04:00
Jay Berkenbilt
728dc9e6d8 Fix error caught by clang 2017-08-26 21:51:17 -04:00
Jay Berkenbilt
ad527a64f9 Parse iteratively to avoid stack overflow (fixes #146) 2017-08-25 21:56:45 -04:00
Jay Berkenbilt
e452d9dca6 Spell check 2017-08-22 14:22:20 -04:00
Jay Berkenbilt
9744414c66 Enable finer grained control of stream decoding
This commit adds several API methods that enable control over which
types of filters QPDF will attempt to decode. It also adds support for
/RunLengthDecode and /DCTDecode filters for both encoding and
decoding.
2017-08-21 17:44:22 -04:00
Jay Berkenbilt
cfa2eb97fb Add page rotation (fixes #132) 2017-08-12 22:57:38 -04:00
Jay Berkenbilt
b389268f16 Better handle split content streams (fixes #73)
When parsing content streams, allow content to be split arbitrarily
across stream boundaries.
2017-07-29 12:19:04 -04:00
Jay Berkenbilt
7f8892525f Add precheck streams capability
When requested, QPDFWriter will do more aggress prechecking of streams
to make sure it can actually succeed in decoding them before
attempting to do so. This will allow preservation of raw data even
when the raw data is corrupted relative to the specified filters.
2017-07-27 23:42:27 -04:00
Jay Berkenbilt
40f00122b8 Convert object parsing errors to warnings
QPDFObjectHandle::parseInternal now issues warnings instead of
throwing exceptions for all error conditions that it finds (except
internal logic errors) and has stronger recovery for things like
invalid tokens and malformed dictionaries. This should improve qpdf's
ability to recover from a wide range of broken files that currently
cause it to fail.
2017-07-27 18:20:31 -04:00
Jay Berkenbilt
12db09898e Don't interpret word tokens in content streams (fixes #82) 2017-07-26 06:24:07 -04:00
Jay Berkenbilt
afe0242b26 Handle object ID 0 (fixes #99)
This is CVE-2017-9208.

The QPDF library uses object ID 0 internally as a sentinel to
represent a direct object, but prior to this fix, was not blocking
handling of 0 0 obj or 0 0 R as a special case. Creating an object in
the file with 0 0 obj could cause various infinite loops. The PDF spec
doesn't allow for object 0. Having qpdf handle object 0 might be a
better fix, but changing all the places in the code that assumes objid
== 0 means direct would be risky.
2017-07-26 06:24:07 -04:00
Jay Berkenbilt
603f222365 Fix infinite loop while reporting an error (fixes #101)
This is CVE-2017-9210.

The description string for an error message included unparsing an
object, which is too complex of a thing to try to do while throwing an
exception. There was only one example of this in the entire codebase,
so it is not a pervasive problem. Fixing this eliminated one class of
infinite loop errors.
2017-07-26 06:24:07 -04:00
Jay Berkenbilt
c729e07d55 Avoid resolving arguments to R
When checking two objects preceding R while parsing, ensure that the
objects are direct. This avoids stuff like 1 0 obj containing 1 0 R 0 R
from causing an infinite loop in object resolution.
2015-02-21 17:51:08 -05:00
Jay Berkenbilt
caab1b0e16 Handle pages with no /Contents from getPageContents()
The spec allows /Contents to be omitted for pages that are blank, but
QPDFObjectHandle::getPageContents() was throwing an exception in this
case.
2014-11-14 13:43:34 -05:00
Jay Berkenbilt
ac9c1f0d56 Security: replace operator[] with at
For std::string and std::vector, replace operator[] with at.  This was
done using an automated process.  See README.hardening for details.
2013-10-18 10:45:14 -04:00
Jay Berkenbilt
212812d837 Fix errors reported by Coverity
Thanks to Jiri Popelka from Red Hat for sending the output of a
Coverity run over qpdf.
2013-07-07 15:36:51 -04:00
Jay Berkenbilt
5039da0b91 Add QPDFObjectHandle::getObjGen()
This is safer than getObjectID() and getGeneration() for many uses.
2013-06-14 14:58:09 -04:00
Jay Berkenbilt
2d02b3cc3d Add explicit int to double cast 2013-04-04 14:13:31 -04:00
Jay Berkenbilt
29f5830325 Fix getTypeCode and getTypeName work for indirect objects
Remove const qualifier from getTypeCode and get getTypeName methods of
QPDFObjectHandle, make them work properly for indirect objects, and
exercise them much better in the test suite.
2013-03-05 13:35:46 -05:00
Jay Berkenbilt
119f2a4b68 Add method to terminate content stream parsing 2013-03-05 13:35:46 -05:00
Jay Berkenbilt
30027481f7 Remove all old-style casts from C++ code 2013-03-04 16:45:16 -05:00
Jay Berkenbilt
a5d8783f67 Improve qpdf --check
Fix exit status for case of errors without warnings, continue after
errors when possible, add test case for parsing a file with content
stream errors on some but not all pages.
2013-01-25 11:08:50 -05:00
Jay Berkenbilt
bfda717749 Cosmetic changes to be closer to Adobe terminology
Change object type Keyword to Operator, and place the order of the
object types in object_type_e in the same order as they are mentioned
in the PDF specification.

Note that this change only breaks backward compatibility with code
that has not yet been released.
2013-01-23 09:38:05 -05:00
Jay Berkenbilt
913eb5ac35 Add getTypeCode() and getTypeName()
Add virtual methods to QPDFObject, wrappers to QPDFObjectHandle, and
implementations to all the QPDF_Object types.
2013-01-22 10:01:45 -05:00
Jay Berkenbilt
f81152311e Add QPDFObjectHandle::parseContentStream method
This method allows parsing of the PDF objects in a content stream or
array of content streams.
2013-01-20 15:35:39 -05:00
Jay Berkenbilt
1d88955fa6 Added new QPDFObjectHandle types Keyword and InlineImage
These object types are to facilitate content stream parsing.
2013-01-20 15:35:39 -05:00
Tobias Hoffmann
9c00874e77 added QPDFObjectHandle::replaceStreamData(std::string data). 2012-07-25 03:02:46 +02:00
Jay Berkenbilt
6bbea4baa0 Implement QPDFObjectHandle::parse
Move object parsing code from QPDF to QPDFObjectHandle and
parameterize the parts of it that are specific to a QPDF object.
Provide a version that can't handle indirect objects and that can be
called on an arbitrary string.

A side effect of this change is that the offset used when reporting
invalid stream length has changed, but since the new value seems like
a better value than the old one, the test suite has been updated
rather than making the code backward compatible.  This only effects
the offset reported for invalid streams that lack /Length or have an
invalid /Length key.

Updated some test code and exmaples to use QPDFObjectHandle::parse.

Supporting changes include adding a BufferInputSource constructor that
takes a string.
2012-07-21 09:06:10 -04:00
Jay Berkenbilt
b501251291 qpdf: push inherited attributes to page when showing images
from qpdf command-line tool
2012-07-15 16:22:28 -04:00
Jay Berkenbilt
e7b8f297ba Support copying objects from another QPDF object
This includes QPDF::copyForeignObject and supporting foreign objects
as arguments to addPage*.
2012-07-11 15:54:33 -04:00
Jay Berkenbilt
8a217eb3a2 Add concept of reserved objects
QPDFObjectHandle::{new,is,assert}Reserved, QPDF::replaceReserved
provide a mechanism to add objects to a PDF file when there are
circular references.  This is a prerequisite to copying objects from
one PDF to another.
2012-07-10 23:34:32 -04:00
Tobias Hoffmann
8720446b23 Added assertNumber and assertScalar to QPDFObjectHandle 2012-07-07 18:55:08 -04:00
Tobias Hoffmann
a8266ccb0e Added public assert{Type} methods to QPDFObjectHandle 2012-07-07 18:53:38 -04:00
Jay Berkenbilt
e2dedde4bd Don't require stream data provider to know length in advance
Breaking API change: length parameter has disappeared from the
StreamDataProvider version of QPDFObjectHandle::replaceStreamData
since it is no longer necessary to compute it in advance.  This
breaking change is justified by the fact that removing the length
parameter provides the caller an opportunity to simplify the calling
code.
2012-07-07 17:33:45 -04:00
Jay Berkenbilt
5f59c32f87 Add a few minor enhancements to recent work
Test coverage case for new newStream method
Expose decimal_places argument for double-based newReal

All enhancements suggested by Tobias.
2012-06-27 10:43:27 -04:00
Tobias Hoffmann
43c404b45a Add QPDFObjectHandle::newStream(QPDF *, std::string const&)
This makes the code simpler than having to create a buffer of a fixed
size and copy the string to it.
2012-06-27 10:19:57 -04:00
Tobias Hoffmann
75054c0b94 Add QPDFObjectHandle::newReal(double) 2012-06-27 10:19:01 -04:00
Jay Berkenbilt
781c313058 Change QPDF_Integer from int to long long
This makes it possible to store offsets that are larger than 2 GB in
the trailer dictionary.
2012-06-24 15:20:01 -04:00
Jay Berkenbilt
6c0af0844c Switch some code to use empty newArray/newDictionary 2012-06-22 10:09:42 -04:00
Jay Berkenbilt
b6bdc0f595 Add factory methods for creating empty arrays and dictionaries.
Also updated pdf_from_scratch test driver to use the new factories,
and made some cosmetic improvements and documentation updates for the
emptyPDF() method.
2012-06-22 09:46:33 -04:00
Jay Berkenbilt
81e8752362 Use qpdf_offset_t in place of off_t in public APIs.
off_t is used internally only when needed to talk to standard
libraries.  This requires that the "long long" type be supported by
the compiler.
2012-06-21 21:23:24 -04:00
Jay Berkenbilt
d1ebe30ff6 Add QPDFObjectHandle::shallowCopy() 2012-06-21 16:15:09 -04:00
Tobias Hoffmann
db7474e0fa Added additional array mutators
Added methods to append to arrays, insert items into arrays, and
replace array contents with a vector of items.
2012-06-20 15:29:44 -04:00
Jay Berkenbilt
5d4cad9c02 ABI change: fix use of off_t, size_t, and integer types
Significantly improve the code's use of off_t for file offsets, size_t
for memory sizes, and integer types in cases where there has to be
compatibility with external interfaces.  Rework sections of the code
that would have prevented qpdf from working on files larger than 2 (or
maybe 4) GB in size.
2012-06-20 15:20:26 -04:00
Jay Berkenbilt
655c55f848 implement methods to get dictionary and array contents as map and vector 2011-08-10 13:33:58 -04:00
Jay Berkenbilt
a7e269537d update code to new PointerHolder, and reintroduce change that was accidentally backed out
git-svn-id: svn+q:///qpdf/trunk@1031 71b93d88-0707-0410-a8cf-f5a4172ac649
2010-09-24 20:45:18 +00:00
Jay Berkenbilt
bd7261da9b getRawStreamData()
git-svn-id: svn+q:///qpdf/trunk@1010 71b93d88-0707-0410-a8cf-f5a4172ac649
2010-08-09 23:33:40 +00:00
Jay Berkenbilt
2dbc1006fb addPageContents
git-svn-id: svn+q:///qpdf/trunk@995 71b93d88-0707-0410-a8cf-f5a4172ac649
2010-08-05 21:06:49 +00:00
Jay Berkenbilt
6f2bd7eb3a newStream
git-svn-id: svn+q:///qpdf/trunk@991 71b93d88-0707-0410-a8cf-f5a4172ac649
2010-08-05 20:20:52 +00:00
Jay Berkenbilt
11df7809af add pipeline-based stream data replacement function
git-svn-id: svn+q:///qpdf/trunk@990 71b93d88-0707-0410-a8cf-f5a4172ac649
2010-08-05 19:04:22 +00:00
Jay Berkenbilt
998a6cbee9 remove stream_data_handler; it wouldn't work as designed. replacement data implemented but not tested
git-svn-id: svn+q:///qpdf/trunk@988 71b93d88-0707-0410-a8cf-f5a4172ac649
2010-08-02 22:40:52 +00:00
Jay Berkenbilt
9a06fc541c ready to implement replacement stream data
git-svn-id: svn+q:///qpdf/trunk@987 71b93d88-0707-0410-a8cf-f5a4172ac649
2010-08-02 22:17:01 +00:00
Jay Berkenbilt
6755a86734 comment on memory leak fix
git-svn-id: svn+q:///qpdf/trunk@979 71b93d88-0707-0410-a8cf-f5a4172ac649
2010-06-06 18:03:21 +00:00
Jay Berkenbilt
9496b2cb20 fix memory leak
git-svn-id: svn+q:///qpdf/trunk@976 71b93d88-0707-0410-a8cf-f5a4172ac649
2010-06-06 13:32:08 +00:00
Jay Berkenbilt
aa093bfabd Use a pointer holder in one place where we were previously just using
a pointer.


git-svn-id: svn+q:///qpdf/trunk@968 71b93d88-0707-0410-a8cf-f5a4172ac649
2010-05-31 17:04:55 +00:00
Jay Berkenbilt
734ac1e1d2 deal with stream-specific crypt filters
git-svn-id: svn+q:///qpdf/trunk@827 71b93d88-0707-0410-a8cf-f5a4172ac649
2009-10-19 01:58:31 +00:00
Jay Berkenbilt
44cbd3d4b4 do DLL_EXPORT only in header files and only at the class or top-level function level
git-svn-id: svn+q:///qpdf/trunk@796 71b93d88-0707-0410-a8cf-f5a4172ac649
2009-10-12 01:15:55 +00:00
Jay Berkenbilt
f3d7c26de1 removed qexc; non-compatible ABI change
git-svn-id: svn+q:///qpdf/trunk@709 71b93d88-0707-0410-a8cf-f5a4172ac649
2009-09-26 18:36:04 +00:00
Jay Berkenbilt
1e74c03acd stick DLL_EXPORT in front of every public method of every public class
git-svn-id: svn+q:///qpdf/trunk@688 71b93d88-0707-0410-a8cf-f5a4172ac649
2009-08-06 19:00:25 +00:00
Jay Berkenbilt
91cb7c0a58 fix many typos in comments and strings
git-svn-id: svn+q:///qpdf/trunk@651 71b93d88-0707-0410-a8cf-f5a4172ac649
2009-02-21 02:54:31 +00:00
Jay Berkenbilt
76bf91765e missing header files for gcc 4.3
git-svn-id: svn+q:///qpdf/trunk@607 71b93d88-0707-0410-a8cf-f5a4172ac649
2008-05-04 16:02:53 +00:00
Jay Berkenbilt
9a0b88bf77 update release date to actual date
git-svn-id: svn+q:///qpdf/trunk@599 71b93d88-0707-0410-a8cf-f5a4172ac649
2008-04-29 12:55:25 +00:00