Commit 192525226fe4fd3664a8edb8ac9e7dbe7da401c9
1 parent
1b6a504d
Validate that offsets in object streams are strictly increasing
Showing
1 changed file
with
10 additions
and
0 deletions
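--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -2064,6 +2064,7 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
 (m->file->getName() + " object stream " + std::to_string(obj_stream_number)),
 bp.get()));
 
+qpdf_offset_t last_offset = -1;
 for (int i = 0; i < n; ++i) {
 QPDFTokenizer::Token tnum = readToken(*input);
 QPDFTokenizer::Token toffset = readToken(*input);
@@ -2089,6 +2090,15 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
 "object stream claims to contain itself"));
 continue;
 }
+if (offset <= last_offset) {
+throw damagedPDF(
+*input,
+m->last_object_description,
+input->getLastOffset(),
+"expected offsets in object stream to be increasing");
+}
+last_offset = offset;
+
 offsets[num] = toI(offset + first);
 }
 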
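Review bot: The new `if (offset <= last_offset)` branch in the second hunk throws `damagedPDF`, while the self-reference case directly above it ends in `continue` after reporting "object stream claims to contain itself", so one out-of-order entry now abandons every object in the stream rather than just the bad one. If failing hard is intended for untrusted input, say so in a comment at the throw; otherwise handle it the way the neighbouring branch does. The `-1` initial value of `last_offset` is what rejects negative offsets and still admits a first offset of 0, which deserves a comment such as `// -1: accept a first offset of 0, reject negative offsets`. The check orders the offsets but does not bound them, and whether `offset + first` is compared with the length of the stream data before it is used is not visible here. The loop in resolveObjectsInStream begins and ends outside these hunks.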