Contents of /trunk/xpdf/patches/xpdf-3.01-CVE-2007-0104.patch
Parent Directory
| 
Revision Log
Revision 153 -
(show annotations)
(download)
Tue May 8 20:52:56 2007 UTC (17 years ago) by niro
File size: 2221 byte(s)
Tue May 8 20:52:56 2007 UTC (17 years ago) by niro
File size: 2221 byte(s)
-import
| 1 | --- kpdf/xpdf/Catalog.cc |
| 2 | +++ kpdf/xpdf/Catalog.cc |
| 3 | @@ -23,6 +23,12 @@ |
| 4 | #include "Link.h" |
| 5 | #include "Catalog.h" |
| 6 | |
| 7 | +// This define is used to limit the depth of recursive readPageTree calls |
| 8 | +// This is needed because the page tree nodes can reference their parents |
| 9 | +// leaving us in an infinite loop |
| 10 | +// Most sane pdf documents don't have a call depth higher than 10 |
| 11 | +#define MAX_CALL_DEPTH 1000 |
| 12 | + |
| 13 | //------------------------------------------------------------------------ |
| 14 | // Catalog |
| 15 | //------------------------------------------------------------------------ |
| 16 | @@ -76,7 +82,7 @@ |
| 17 | pageRefs[i].num = -1; |
| 18 | pageRefs[i].gen = -1; |
| 19 | } |
| 20 | - numPages = readPageTree(pagesDict.getDict(), NULL, 0); |
| 21 | + numPages = readPageTree(pagesDict.getDict(), NULL, 0, 0); |
| 22 | if (numPages != numPages0) { |
| 23 | error(-1, "Page count in top-level pages object is incorrect"); |
| 24 | } |
| 25 | @@ -170,7 +176,7 @@ |
| 26 | return s; |
| 27 | } |
| 28 | |
| 29 | -int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) { |
| 30 | +int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start, int callDepth) { |
| 31 | Object kids; |
| 32 | Object kid; |
| 33 | Object kidRef; |
| 34 | @@ -220,9 +226,13 @@ |
| 35 | // This should really be isDict("Pages"), but I've seen at least one |
| 36 | // PDF file where the /Type entry is missing. |
| 37 | } else if (kid.isDict()) { |
| 38 | - if ((start = readPageTree(kid.getDict(), attrs1, start)) |
| 39 | - < 0) |
| 40 | - goto err2; |
| 41 | + if (callDepth > MAX_CALL_DEPTH) { |
| 42 | + error(-1, "Limit of %d recursive calls reached while reading the page tree. If your document is correct and not a test to try to force a crash, please report a bug.", MAX_CALL_DEPTH); |
| 43 | + } else { |
| 44 | + if ((start = readPageTree(kid.getDict(), attrs1, start, callDepth + 1)) |
| 45 | + < 0) |
| 46 | + goto err2; |
| 47 | + } |
| 48 | } else { |
| 49 | error(-1, "Kid object (page %d) is wrong type (%s)", |
| 50 | start+1, kid.getTypeName()); |
| 51 | --- kpdf/xpdf/Catalog.h |
| 52 | +++ kpdf/xpdf/Catalog.h |
| 53 | @@ -82,7 +82,7 @@ |
| 54 | Object outline; // outline dictionary |
| 55 | GBool ok; // true if catalog is valid |
| 56 | |
| 57 | - int readPageTree(Dict *pages, PageAttrs *attrs, int start); |
| 58 | + int readPageTree(Dict *pages, PageAttrs *attrs, int start, int callDepth); |
| 59 | Object *findDestInTree(Object *tree, GString *name, Object *obj); |
| 60 | }; |
| 61 |