2
1
mirror of https://github.com/qpdf/qpdf.git synced 2025-01-03 15:17:29 +00:00
qpdf/libqpdf/QPDFTokenizer.cc
Jay Berkenbilt fabff0f3ec Limit token length during xref recovery
While scanning the file looking for objects, limit the length of
tokens we allow. This prevents us from getting caught up in reading a
file character by character while digging through large streams.
2017-08-22 14:13:10 -04:00

544 lines
11 KiB
C++

#include <qpdf/QPDFTokenizer.hh>
// DO NOT USE ctype -- it is locale dependent for some things, and
// it's not worth the risk of including it in case it may accidentally
// be used.
#include <qpdf/QTC.hh>
#include <qpdf/QPDFExc.hh>
#include <qpdf/QUtil.hh>
#include <stdexcept>
#include <string.h>
#include <cstdlib>
QPDFTokenizer::QPDFTokenizer() :
pound_special_in_name(true),
allow_eof(false)
{
reset();
}
void
QPDFTokenizer::allowPoundAnywhereInName()
{
QTC::TC("qpdf", "QPDFTokenizer allow pound anywhere in name");
this->pound_special_in_name = false;
}
void
QPDFTokenizer::allowEOF()
{
this->allow_eof = true;
}
void
QPDFTokenizer::reset()
{
state = st_top;
type = tt_bad;
val = "";
raw_val = "";
error_message = "";
unread_char = false;
char_to_unread = '\0';
string_depth = 0;
string_ignoring_newline = false;
last_char_was_bs = false;
}
void
QPDFTokenizer::resolveLiteral()
{
if ((val.length() > 0) && (val.at(0) == '/'))
{
type = tt_name;
// Deal with # in name token. Note: '/' by itself is a
// valid name, so don't strip leading /. That way we
// don't have to deal with the empty string as a name.
std::string nval = "/";
char const* valstr = val.c_str() + 1;
for (char const* p = valstr; *p; ++p)
{
if ((*p == '#') && this->pound_special_in_name)
{
if (p[1] && p[2] &&
QUtil::is_hex_digit(p[1]) && QUtil::is_hex_digit(p[2]))
{
char num[3];
num[0] = p[1];
num[1] = p[2];
num[2] = '\0';
char ch = static_cast<char>(strtol(num, 0, 16));
if (ch == '\0')
{
type = tt_bad;
QTC::TC("qpdf", "QPDF_Tokenizer null in name");
error_message =
"null character not allowed in name token";
nval += "#00";
}
else
{
nval += ch;
}
p += 2;
}
else
{
QTC::TC("qpdf", "QPDF_Tokenizer bad name");
type = tt_bad;
error_message = "invalid name token";
nval += *p;
}
}
else
{
nval += *p;
}
}
val = nval;
}
else if (QUtil::is_number(val.c_str()))
{
if (val.find('.') != std::string::npos)
{
type = tt_real;
}
else
{
type = tt_integer;
}
}
else if ((val == "true") || (val == "false"))
{
type = tt_bool;
}
else if (val == "null")
{
type = tt_null;
}
else
{
// I don't really know what it is, so leave it as tt_word.
// Lots of cases ($, #, etc.) other than actual words fall
// into this category, but that's okay at least for now.
type = tt_word;
}
}
void
QPDFTokenizer::presentCharacter(char ch)
{
if (state == st_token_ready)
{
throw std::logic_error(
"INTERNAL ERROR: QPDF tokenizer presented character "
"while token is waiting");
}
char orig_ch = ch;
// State machine is implemented such that some characters may be
// handled more than once. This happens whenever you have to use
// the character that caused a state change in the new state.
bool handled = true;
if (state == st_top)
{
// Note: we specifically do not use ctype here. It is
// locale-dependent.
if (strchr(" \t\n\v\f\r", ch))
{
// ignore
}
else if (ch == '%')
{
// Discard comments
state = st_in_comment;
}
else if (ch == '(')
{
string_depth = 1;
string_ignoring_newline = false;
memset(bs_num_register, '\0', sizeof(bs_num_register));
last_char_was_bs = false;
state = st_in_string;
}
else if (ch == '<')
{
state = st_lt;
}
else if (ch == '>')
{
state = st_gt;
}
else
{
val += ch;
if (ch == ')')
{
type = tt_bad;
QTC::TC("qpdf", "QPDF_Tokenizer bad )");
error_message = "unexpected )";
state = st_token_ready;
}
else if (ch == '[')
{
type = tt_array_open;
state = st_token_ready;
}
else if (ch == ']')
{
type = tt_array_close;
state = st_token_ready;
}
else if (ch == '{')
{
type = tt_brace_open;
state = st_token_ready;
}
else if (ch == '}')
{
type = tt_brace_close;
state = st_token_ready;
}
else
{
state = st_literal;
}
}
}
else if (state == st_in_comment)
{
if ((ch == '\r') || (ch == '\n'))
{
state = st_top;
}
}
else if (state == st_lt)
{
if (ch == '<')
{
val = "<<";
type = tt_dict_open;
state = st_token_ready;
}
else
{
handled = false;
state = st_in_hexstring;
}
}
else if (state == st_gt)
{
if (ch == '>')
{
val = ">>";
type = tt_dict_close;
state = st_token_ready;
}
else
{
val = ">";
type = tt_bad;
QTC::TC("qpdf", "QPDF_Tokenizer bad >");
error_message = "unexpected >";
unread_char = true;
char_to_unread = ch;
state = st_token_ready;
}
}
else if (state == st_in_string)
{
if (string_ignoring_newline && (! ((ch == '\r') || (ch == '\n'))))
{
string_ignoring_newline = false;
}
size_t bs_num_count = strlen(bs_num_register);
bool ch_is_octal = ((ch >= '0') && (ch <= '7'));
if ((bs_num_count == 3) || ((bs_num_count > 0) && (! ch_is_octal)))
{
// We've accumulated \ddd. PDF Spec says to ignore
// high-order overflow.
val += static_cast<char>(strtol(bs_num_register, 0, 8));
memset(bs_num_register, '\0', sizeof(bs_num_register));
bs_num_count = 0;
}
if (string_ignoring_newline && ((ch == '\r') || (ch == '\n')))
{
// ignore
}
else if (ch_is_octal && (last_char_was_bs || (bs_num_count > 0)))
{
bs_num_register[bs_num_count++] = ch;
}
else if (last_char_was_bs)
{
switch (ch)
{
case 'n':
val += '\n';
break;
case 'r':
val += '\r';
break;
case 't':
val += '\t';
break;
case 'b':
val += '\b';
break;
case 'f':
val += '\f';
break;
case '\r':
case '\n':
string_ignoring_newline = true;
break;
default:
// PDF spec says backslash is ignored before anything else
val += ch;
break;
}
}
else if (ch == '\\')
{
// last_char_was_bs is set/cleared below as appropriate
if (bs_num_count)
{
throw std::logic_error(
"INTERNAL ERROR: QPDFTokenizer: bs_num_count != 0 "
"when ch == '\\'");
}
}
else if (ch == '(')
{
val += ch;
++string_depth;
}
else if ((ch == ')') && (--string_depth == 0))
{
type = tt_string;
state = st_token_ready;
}
else
{
val += ch;
}
last_char_was_bs = ((! last_char_was_bs) && (ch == '\\'));
}
else if (state == st_literal)
{
if (strchr(" \t\n\v\f\r()<>[]{}/%", ch) != 0)
{
// A C-locale whitespace character or delimiter terminates
// token. It is important to unread the whitespace
// character even though it is ignored since it may be the
// newline after a stream keyword. Removing it here could
// make the stream-reading code break on some files,
// though not on any files in the test suite as of this
// writing.
type = tt_word;
unread_char = true;
char_to_unread = ch;
state = st_token_ready;
}
else
{
val += ch;
}
}
else
{
handled = false;
}
if (handled)
{
// okay
}
else if (state == st_in_hexstring)
{
if (ch == '>')
{
type = tt_string;
state = st_token_ready;
if (val.length() % 2)
{
// PDF spec says odd hexstrings have implicit
// trailing 0.
val += '0';
}
char num[3];
num[2] = '\0';
std::string nval;
for (unsigned int i = 0; i < val.length(); i += 2)
{
num[0] = val.at(i);
num[1] = val.at(i+1);
char nch = static_cast<char>(strtol(num, 0, 16));
nval += nch;
}
val = nval;
}
else if (QUtil::is_hex_digit(ch))
{
val += ch;
}
else if (strchr(" \t\n\v\f\r", ch))
{
// ignore
}
else
{
type = tt_bad;
QTC::TC("qpdf", "QPDF_Tokenizer bad (");
error_message = std::string("invalid character (") +
ch + ") in hexstring";
state = st_token_ready;
}
}
else
{
throw std::logic_error(
"INTERNAL ERROR: invalid state while reading token");
}
if ((state == st_token_ready) && (type == tt_word))
{
resolveLiteral();
}
if (! (betweenTokens() || ((state == st_token_ready) && unread_char)))
{
this->raw_val += orig_ch;
}
}
void
QPDFTokenizer::presentEOF()
{
if (state == st_literal)
{
QTC::TC("qpdf", "QPDF_Tokenizer EOF reading appendable token");
resolveLiteral();
}
else if (state != st_token_ready)
{
QTC::TC("qpdf", "QPDF_Tokenizer EOF reading token",
this->allow_eof ? 1 : 0);
if (this->allow_eof)
{
type = tt_eof;
}
else
{
type = tt_bad;
error_message = "EOF while reading token";
}
}
state = st_token_ready;
}
bool
QPDFTokenizer::getToken(Token& token, bool& unread_char, char& ch)
{
bool ready = (this->state == st_token_ready);
unread_char = this->unread_char;
ch = this->char_to_unread;
if (ready)
{
token = Token(type, val, raw_val, error_message);
reset();
}
return ready;
}
bool
QPDFTokenizer::betweenTokens()
{
return ((state == st_top) || (state == st_in_comment));
}
QPDFTokenizer::Token
QPDFTokenizer::readToken(PointerHolder<InputSource> input,
std::string const& context,
bool allow_bad,
size_t max_len)
{
qpdf_offset_t offset = input->tell();
Token token;
bool unread_char;
char char_to_unread;
bool presented_eof = false;
while (! getToken(token, unread_char, char_to_unread))
{
char ch;
if (input->read(&ch, 1) == 0)
{
if (! presented_eof)
{
presentEOF();
presented_eof = true;
}
else
{
throw std::logic_error(
"getToken returned false after presenting EOF");
}
}
else
{
if (QUtil::is_space(static_cast<unsigned char>(ch)) &&
(input->getLastOffset() == offset))
{
++offset;
}
presentCharacter(ch);
if (max_len && (raw_val.length() >= max_len) &&
(this->state != st_token_ready))
{
// terminate this token now
QTC::TC("qpdf", "QPDFTokenizer block long token");
this->type = tt_bad;
this->state = st_token_ready;
}
}
}
if (unread_char)
{
input->unreadCh(char_to_unread);
}
input->setLastOffset(offset);
if (token.getType() == tt_bad)
{
if (allow_bad)
{
QTC::TC("qpdf", "QPDFTokenizer allowing bad token");
}
else
{
throw QPDFExc(qpdf_e_damaged_pdf, input->getName(),
context, offset, token.getErrorMessage());
}
}
return token;
}