Commit 192525226fe4fd3664a8edb8ac9e7dbe7da401c9

Authored by m-holger
1 parent 1b6a504d

Validate that offsets in object streams are strictly increasing

Showing 1 changed file with 10 additions and 0 deletions
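--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -2064,6 +2064,7 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
 (m->file->getName() + " object stream " + std::to_string(obj_stream_number)),
 bp.get()));
 
+qpdf_offset_t last_offset = -1;
 for (int i = 0; i < n; ++i) {
 QPDFTokenizer::Token tnum = readToken(*input);
 QPDFTokenizer::Token toffset = readToken(*input);
@@ -2089,6 +2090,15 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
 "object stream claims to contain itself"));
 continue;
 }
+if (offset <= last_offset) {
+throw damagedPDF(
+*input,
+m->last_object_description,
+input->getLastOffset(),
+"expected offsets in object stream to be increasing");
+}
+last_offset = offset;
+
 offsets[num] = toI(offset + first);
 }
 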
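Review bot: The new `offset <= last_offset` check in the second hunk bounds offsets only from below: starting from `last_offset = -1` it rejects negative and non-increasing values, but nothing visible here compares `offset + first` with the length of the decoded stream before `offsets[num] = toI(offset + first)`. If that upper bound is not enforced later in resolveObjectsInStream (its body starts and continues outside both hunks), an entry in a malformed file can still resolve past the end of the stream data, so it is worth confirming or adding that check beside this one. The `-1` sentinel also doubles as the negative-offset guard, which deserves a comment such as `// -1 so that a negative first offset is rejected as well`, since the "increasing" message will otherwise be puzzling for that case. Entries skipped by the `continue` in the self-reference branch neither pass through the new check nor update `last_offset`; a short comment saying that this is intended would help.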