Annotation of /trunk/xpdf/patches/xpdf-3.01-CVE-2007-0104.patch
Parent Directory | Revision Log
Revision 153 -
(hide annotations)
(download)
Tue May 8 20:52:56 2007 UTC (17 years, 4 months ago) by niro
File size: 2221 byte(s)
Tue May 8 20:52:56 2007 UTC (17 years, 4 months ago) by niro
File size: 2221 byte(s)
-import
1 | niro | 153 | --- kpdf/xpdf/Catalog.cc |
2 | +++ kpdf/xpdf/Catalog.cc | ||
3 | @@ -23,6 +23,12 @@ | ||
4 | #include "Link.h" | ||
5 | #include "Catalog.h" | ||
6 | |||
7 | +// This define is used to limit the depth of recursive readPageTree calls | ||
8 | +// This is needed because the page tree nodes can reference their parents | ||
9 | +// leaving us in an infinite loop | ||
10 | +// Most sane pdf documents don't have a call depth higher than 10 | ||
11 | +#define MAX_CALL_DEPTH 1000 | ||
12 | + | ||
13 | //------------------------------------------------------------------------ | ||
14 | // Catalog | ||
15 | //------------------------------------------------------------------------ | ||
16 | @@ -76,7 +82,7 @@ | ||
17 | pageRefs[i].num = -1; | ||
18 | pageRefs[i].gen = -1; | ||
19 | } | ||
20 | - numPages = readPageTree(pagesDict.getDict(), NULL, 0); | ||
21 | + numPages = readPageTree(pagesDict.getDict(), NULL, 0, 0); | ||
22 | if (numPages != numPages0) { | ||
23 | error(-1, "Page count in top-level pages object is incorrect"); | ||
24 | } | ||
25 | @@ -170,7 +176,7 @@ | ||
26 | return s; | ||
27 | } | ||
28 | |||
29 | -int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) { | ||
30 | +int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start, int callDepth) { | ||
31 | Object kids; | ||
32 | Object kid; | ||
33 | Object kidRef; | ||
34 | @@ -220,9 +226,13 @@ | ||
35 | // This should really be isDict("Pages"), but I've seen at least one | ||
36 | // PDF file where the /Type entry is missing. | ||
37 | } else if (kid.isDict()) { | ||
38 | - if ((start = readPageTree(kid.getDict(), attrs1, start)) | ||
39 | - < 0) | ||
40 | - goto err2; | ||
41 | + if (callDepth > MAX_CALL_DEPTH) { | ||
42 | + error(-1, "Limit of %d recursive calls reached while reading the page tree. If your document is correct and not a test to try to force a crash, please report a bug.", MAX_CALL_DEPTH); | ||
43 | + } else { | ||
44 | + if ((start = readPageTree(kid.getDict(), attrs1, start, callDepth + 1)) | ||
45 | + < 0) | ||
46 | + goto err2; | ||
47 | + } | ||
48 | } else { | ||
49 | error(-1, "Kid object (page %d) is wrong type (%s)", | ||
50 | start+1, kid.getTypeName()); | ||
51 | --- kpdf/xpdf/Catalog.h | ||
52 | +++ kpdf/xpdf/Catalog.h | ||
53 | @@ -82,7 +82,7 @@ | ||
54 | Object outline; // outline dictionary | ||
55 | GBool ok; // true if catalog is valid | ||
56 | |||
57 | - int readPageTree(Dict *pages, PageAttrs *attrs, int start); | ||
58 | + int readPageTree(Dict *pages, PageAttrs *attrs, int start, int callDepth); | ||
59 | Object *findDestInTree(Object *tree, GString *name, Object *obj); | ||
60 | }; | ||
61 |