Contents of /trunk/poppler/patches/poppler-0.5.4-CVE-2007-0104.patch
Parent Directory | Revision Log
Revision 153 -
(show annotations)
(download)
Tue May 8 20:52:56 2007 UTC (17 years, 4 months ago) by niro
File size: 2581 byte(s)
Tue May 8 20:52:56 2007 UTC (17 years, 4 months ago) by niro
File size: 2581 byte(s)
-import
1 | diff -Nur poppler-0.5.4/poppler/Catalog.cc poppler-0.5.4.new/poppler/Catalog.cc |
2 | --- poppler-0.5.4/poppler/Catalog.cc 2006-09-13 17:10:52.000000000 +0200 |
3 | +++ poppler-0.5.4.new/poppler/Catalog.cc 2007-01-16 17:57:43.000000000 +0100 |
4 | @@ -26,6 +26,12 @@ |
5 | #include "UGooString.h" |
6 | #include "Catalog.h" |
7 | |
8 | +// This define is used to limit the depth of recursive readPageTree calls |
9 | +// This is needed because the page tree nodes can reference their parents |
10 | +// leaving us in an infinite loop |
11 | +// Most sane pdf documents don't have a call depth higher than 10 |
12 | +#define MAX_CALL_DEPTH 1000 |
13 | + |
14 | //------------------------------------------------------------------------ |
15 | // Catalog |
16 | //------------------------------------------------------------------------ |
17 | @@ -75,7 +81,7 @@ |
18 | pageRefs[i].num = -1; |
19 | pageRefs[i].gen = -1; |
20 | } |
21 | - numPages = readPageTree(pagesDict.getDict(), NULL, 0); |
22 | + numPages = readPageTree(pagesDict.getDict(), NULL, 0, 0); |
23 | if (numPages != numPages0) { |
24 | error(-1, "Page count in top-level pages object is incorrect"); |
25 | } |
26 | @@ -217,7 +223,7 @@ |
27 | return s; |
28 | } |
29 | |
30 | -int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) { |
31 | +int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start, int callDepth) { |
32 | Object kids; |
33 | Object kid; |
34 | Object kidRef; |
35 | @@ -262,9 +268,13 @@ |
36 | // This should really be isDict("Pages"), but I've seen at least one |
37 | // PDF file where the /Type entry is missing. |
38 | } else if (kid.isDict()) { |
39 | - if ((start = readPageTree(kid.getDict(), attrs1, start)) |
40 | - < 0) |
41 | - goto err2; |
42 | + if (callDepth > MAX_CALL_DEPTH) { |
43 | + error(-1, "Limit of %d recursive calls reached while reading the page tree. If your document is correct and not a test to try to force a crash, please report a bug.", MAX_CALL_DEPTH); |
44 | + } else { |
45 | + if ((start = readPageTree(kid.getDict(), attrs1, start, callDepth + 1)) |
46 | + < 0) |
47 | + goto err2; |
48 | + } |
49 | } else { |
50 | error(-1, "Kid object (page %d) is wrong type (%s)", |
51 | start+1, kid.getTypeName()); |
52 | diff -Nur poppler-0.5.4/poppler/Catalog.h poppler-0.5.4.new/poppler/Catalog.h |
53 | --- poppler-0.5.4/poppler/Catalog.h 2006-01-23 15:43:36.000000000 +0100 |
54 | +++ poppler-0.5.4.new/poppler/Catalog.h 2007-01-16 17:58:09.000000000 +0100 |
55 | @@ -193,7 +193,7 @@ |
56 | PageMode pageMode; // page mode |
57 | PageLayout pageLayout; // page layout |
58 | |
59 | - int readPageTree(Dict *pages, PageAttrs *attrs, int start); |
60 | + int readPageTree(Dict *pages, PageAttrs *attrs, int start, int callDepth); |
61 | Object *findDestInTree(Object *tree, GooString *name, Object *obj); |
62 | }; |
63 |