poppler/patches/poppler-0.5.4-CVE-2007-0104.patch

diff -Nur poppler-0.5.4/poppler/Catalog.cc poppler-0.5.4.new/poppler/Catalog.cc
--- poppler-0.5.4/poppler/Catalog.cc	2006-09-13 17:10:52.000000000 +0200
+++ poppler-0.5.4.new/poppler/Catalog.cc	2007-01-16 17:57:43.000000000 +0100
@@ -26,6 +26,12 @@
 #include "UGooString.h"
 #include "Catalog.h"
 
+// This define is used to limit the depth of recursive readPageTree calls
+// This is needed because the page tree nodes can reference their parents
+// leaving us in an infinite loop
+// Most sane pdf documents don't have a call depth higher than 10
+#define MAX_CALL_DEPTH 1000
+
 //------------------------------------------------------------------------
 // Catalog
 //------------------------------------------------------------------------
@@ -75,7 +81,7 @@
     pageRefs[i].num = -1;
     pageRefs[i].gen = -1;
   }
-  numPages = readPageTree(pagesDict.getDict(), NULL, 0);
+  numPages = readPageTree(pagesDict.getDict(), NULL, 0, 0);
   if (numPages != numPages0) {
     error(-1, "Page count in top-level pages object is incorrect");
   }
@@ -217,7 +223,7 @@
   return s;
 }
 
-int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) {
+int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start, int callDepth) {
   Object kids;
   Object kid;
   Object kidRef;
@@ -262,9 +268,13 @@
     // This should really be isDict("Pages"), but I've seen at least one
     // PDF file where the /Type entry is missing.
     } else if (kid.isDict()) {
-      if ((start = readPageTree(kid.getDict(), attrs1, start))
-	  < 0)
-	goto err2;
+      if (callDepth > MAX_CALL_DEPTH) {
+        error(-1, "Limit of %d recursive calls reached while reading the page tree. If your document is correct and not a test to try to force a crash, please report a bug.", MAX_CALL_DEPTH);
+      } else {
+        if ((start = readPageTree(kid.getDict(), attrs1, start, callDepth + 1))
+	    < 0)
+	  goto err2;
+      }
     } else {
       error(-1, "Kid object (page %d) is wrong type (%s)",
 	    start+1, kid.getTypeName());
diff -Nur poppler-0.5.4/poppler/Catalog.h poppler-0.5.4.new/poppler/Catalog.h
--- poppler-0.5.4/poppler/Catalog.h	2006-01-23 15:43:36.000000000 +0100
+++ poppler-0.5.4.new/poppler/Catalog.h	2007-01-16 17:58:09.000000000 +0100
@@ -193,7 +193,7 @@
   PageMode pageMode;		// page mode
   PageLayout pageLayout;	// page layout
 
-  int readPageTree(Dict *pages, PageAttrs *attrs, int start);
+  int readPageTree(Dict *pages, PageAttrs *attrs, int start, int callDepth);
   Object *findDestInTree(Object *tree, GooString *name, Object *obj);
 };
 
1	niro	153	diff -Nur poppler-0.5.4/poppler/Catalog.cc poppler-0.5.4.new/poppler/Catalog.cc
2			--- poppler-0.5.4/poppler/Catalog.cc 2006-09-13 17:10:52.000000000 +0200
3			+++ poppler-0.5.4.new/poppler/Catalog.cc 2007-01-16 17:57:43.000000000 +0100
4			@@ -26,6 +26,12 @@
5			#include "UGooString.h"
6			#include "Catalog.h"
7
8			+// This define is used to limit the depth of recursive readPageTree calls
9			+// This is needed because the page tree nodes can reference their parents
10			+// leaving us in an infinite loop
11			+// Most sane pdf documents don't have a call depth higher than 10
12			+#define MAX_CALL_DEPTH 1000
13			+
14			//------------------------------------------------------------------------
15			// Catalog
16			//------------------------------------------------------------------------
17			@@ -75,7 +81,7 @@
18			pageRefs[i].num = -1;
19			pageRefs[i].gen = -1;
20			}
21			- numPages = readPageTree(pagesDict.getDict(), NULL, 0);
22			+ numPages = readPageTree(pagesDict.getDict(), NULL, 0, 0);
23			if (numPages != numPages0) {
24			error(-1, "Page count in top-level pages object is incorrect");
25			}
26			@@ -217,7 +223,7 @@
27			return s;
28			}
29
30			-int Catalog::readPageTree(Dict pagesDict, PageAttrs attrs, int start) {
31			+int Catalog::readPageTree(Dict pagesDict, PageAttrs attrs, int start, int callDepth) {
32			Object kids;
33			Object kid;
34			Object kidRef;
35			@@ -262,9 +268,13 @@
36			// This should really be isDict("Pages"), but I've seen at least one
37			// PDF file where the /Type entry is missing.
38			} else if (kid.isDict()) {
39			- if ((start = readPageTree(kid.getDict(), attrs1, start))
40			- < 0)
41			- goto err2;
42			+ if (callDepth > MAX_CALL_DEPTH) {
43			+ error(-1, "Limit of %d recursive calls reached while reading the page tree. If your document is correct and not a test to try to force a crash, please report a bug.", MAX_CALL_DEPTH);
44			+ } else {
45			+ if ((start = readPageTree(kid.getDict(), attrs1, start, callDepth + 1))
46			+ < 0)
47			+ goto err2;
48			+ }
49			} else {
50			error(-1, "Kid object (page %d) is wrong type (%s)",
51			start+1, kid.getTypeName());
52			diff -Nur poppler-0.5.4/poppler/Catalog.h poppler-0.5.4.new/poppler/Catalog.h
53			--- poppler-0.5.4/poppler/Catalog.h 2006-01-23 15:43:36.000000000 +0100
54			+++ poppler-0.5.4.new/poppler/Catalog.h 2007-01-16 17:58:09.000000000 +0100
55			@@ -193,7 +193,7 @@
56			PageMode pageMode; // page mode
57			PageLayout pageLayout; // page layout
58
59			- int readPageTree(Dict pages, PageAttrs attrs, int start);
60			+ int readPageTree(Dict pages, PageAttrs attrs, int start, int callDepth);
61			Object findDestInTree(Object tree, GooString name, Object obj);
62			};
63