Contents of /trunk/xpdf/patches/xpdf-3.01-CVE-2007-0104.patch
Revision 153 -
Tue May 8 20:52:56 2007 UTC (17 years, 4 months ago) by niro
File size: 2221 byte(s)
-import
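--- a/kpdf/xpdf/Catalog.cc
+++ b/kpdf/xpdf/Catalog.cc
@@ -23,6 +23,12 @@
 #include "Link.h"
 #include "Catalog.h"
 
+// This define is used to limit the depth of recursive readPageTree calls
+// This is needed because the page tree nodes can reference their parents
+// leaving us in an infinite loop
+// Most sane pdf documents don't have a call depth higher than 10
+#define MAX_CALL_DEPTH 1000
+
 //------------------------------------------------------------------------
 // Catalog
 //------------------------------------------------------------------------
@@ -76,7 +82,7 @@
 pageRefs[i].num = -1;
 pageRefs[i].gen = -1;
 }
- numPages = readPageTree(pagesDict.getDict(), NULL, 0);
+ numPages = readPageTree(pagesDict.getDict(), NULL, 0, 0);
 if (numPages != numPages0) {
 error(-1, "Page count in top-level pages object is incorrect");
 }
@@ -170,7 +176,7 @@
 return s;
 }
 
-int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) {
+int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start, int callDepth) {
 Object kids;
 Object kid;
 Object kidRef;
@@ -220,9 +226,13 @@
 // This should really be isDict("Pages"), but I've seen at least one
 // PDF file where the /Type entry is missing.
 } else if (kid.isDict()) {
- if ((start = readPageTree(kid.getDict(), attrs1, start))
- < 0)
- goto err2;
+ if (callDepth > MAX_CALL_DEPTH) {
+ error(-1, "Limit of %d recursive calls reached while reading the page tree. If your document is correct and not a test to try to force a crash, please report a bug.", MAX_CALL_DEPTH);
+ } else {
+ if ((start = readPageTree(kid.getDict(), attrs1, start, callDepth + 1))
+ < 0)
+ goto err2;
+ }
 } else {
 error(-1, "Kid object (page %d) is wrong type (%s)",
 start+1, kid.getTypeName());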
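Review bot: In the last Catalog.cc hunk the `callDepth > MAX_CALL_DEPTH` branch only calls `error()` and then falls through, so the loop goes on to the remaining kids instead of aborting the way a failed recursive call does with `goto err2`. Assuming `err2` is the function's failure exit (it lies outside the hunk), adding `goto err2;` right after the `error(...)` call would stop the traversal at the first over-deep node. The cap also bounds only the stack depth, not the total number of calls: a looping node with several kids can still cost a great deal of work before depth 1000 is reached, so rejecting a kid whose reference (presumably what `kidRef` holds) was already seen on the current path would be the more robust guard. The comment says sane documents stay below depth 10 while the limit is 1000; either lower the limit or add a line such as `// 1000 leaves a wide margin while keeping stack use bounded`. readPageTree's body starts and ends outside the hunks shown.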
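--- a/kpdf/xpdf/Catalog.h
+++ b/kpdf/xpdf/Catalog.h
@@ -82,7 +82,7 @@
 Object outline; // outline dictionary
 GBool ok; // true if catalog is valid
 
- int readPageTree(Dict *pages, PageAttrs *attrs, int start);
+ int readPageTree(Dict *pages, PageAttrs *attrs, int start, int callDepth);
 Object *findDestInTree(Object *tree, GString *name, Object *obj);
 };
 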