diff options
| author | Albert Astals Cid <aacid@kde.org> | 2007-01-11 22:14:02 +0000 |
|---|---|---|
| committer | Albert Astals Cid <aacid@kde.org> | 2007-01-11 22:14:02 +0000 |
| commit | be615cf03db00d2d1b8414c1d8c9e2e0a53fa491 (patch) | |
| tree | 18050367f16bf57dbea1d99c706a570cc7e18c7e | |
| parent | 20ba21afd4267537ed0a9c705f8651dbd4fe270b (diff) | |
* poppler/Catalog.h:
* poppler/Catalog.cc: Limit max depth of recursive calls on
readPageTree to fix MOAB-06-01-2007
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | poppler/Catalog.cc | 20 | ||||
| -rw-r--r-- | poppler/Catalog.h | 2 |
3 files changed, 22 insertions, 6 deletions
@@ -1,3 +1,9 @@ +2007-01-11 Albert Astals Cid <aacid@kde.org> + + * poppler/Catalog.h: + * poppler/Catalog.cc: Limit max depth of recursive calls on + readPageTree to fix MOAB-06-01-2007 + 2007-01-04 Albert Astals Cid <aacid@kde.org> * qt/poppler-page-transition.cc: Fix memory leak. Patch by diff --git a/poppler/Catalog.cc b/poppler/Catalog.cc index 51c58542..0db4dc04 100644 --- a/poppler/Catalog.cc +++ b/poppler/Catalog.cc @@ -26,6 +26,12 @@ #include "UGooString.h" #include "Catalog.h" +// This define is used to limit the depth of recursive readPageTree calls +// This is needed because the page tree nodes can reference their parents +// leaving us in an infinite loop +// Most sane pdf documents don't have a call depth higher than 10 +#define MAX_CALL_DEPTH 1000 + //------------------------------------------------------------------------ // Catalog //------------------------------------------------------------------------ @@ -75,7 +81,7 @@ Catalog::Catalog(XRef *xrefA) { pageRefs[i].num = -1; pageRefs[i].gen = -1; } - numPages = readPageTree(pagesDict.getDict(), NULL, 0); + numPages = readPageTree(pagesDict.getDict(), NULL, 0, 0); if (numPages != numPages0) { error(-1, "Page count in top-level pages object is incorrect"); } @@ -217,7 +223,7 @@ GooString *Catalog::readMetadata() { return s; } -int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) { +int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start, int callDepth) { Object kids; Object kid; Object kidRef; @@ -262,9 +268,13 @@ int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) { // This should really be isDict("Pages"), but I've seen at least one // PDF file where the /Type entry is missing. } else if (kid.isDict()) { - if ((start = readPageTree(kid.getDict(), attrs1, start)) - < 0) - goto err2; + if (callDepth > MAX_CALL_DEPTH) { + error(-1, "Limit of %d recursive calls reached while reading the page tree. If your document is correct and not a test to try to force a crash, please report a bug.", MAX_CALL_DEPTH); + } else { + if ((start = readPageTree(kid.getDict(), attrs1, start, callDepth + 1)) + < 0) + goto err2; + } } else { error(-1, "Kid object (page %d) is wrong type (%s)", start+1, kid.getTypeName()); diff --git a/poppler/Catalog.h b/poppler/Catalog.h index 036e1715..0800bd93 100644 --- a/poppler/Catalog.h +++ b/poppler/Catalog.h @@ -193,7 +193,7 @@ private: PageMode pageMode; // page mode PageLayout pageLayout; // page layout - int readPageTree(Dict *pages, PageAttrs *attrs, int start); + int readPageTree(Dict *pages, PageAttrs *attrs, int start, int callDepth); Object *findDestInTree(Object *tree, GooString *name, Object *obj); }; |