Commit 4d2a0fe2de158c20ec028bb6918264e6b6a45e5a
Committed by
GitHub
Merge pull request #1472 from m-holger/fuzz
Apply sanity checks during xref stream parsing
Showing
2 changed files
with
5 additions
and
1 deletions
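--- a/libqpdf/QPDF_objects.cc
+++ b/libqpdf/QPDF_objects.cc
@@ -768,11 +768,13 @@ QPDF::read_xrefStream(qpdf_offset_t xref_offset, bool in_stream_recovery)
 QPDFObjGen x_og;
 QPDFObjectHandle xref_obj;
 try {
+m->in_read_xref_stream = true;
 xref_obj =
 readObjectAtOffset(false, xref_offset, "xref stream", QPDFObjGen(0, 0), x_og, true);
 } catch (QPDFExc&) {
 // ignore -- report error below
 }
+m->in_read_xref_stream = false;
 if (xref_obj.isStreamOfType("/XRef")) {
 QTC::TC("qpdf", "QPDF found xref stream");
 return processXRefStream(xref_offset, xref_obj, in_stream_recovery);
@@ -1199,7 +1201,8 @@ QPDF::readObject(std::string const& description, QPDFObjGen og)
 m->tokenizer,
 decrypter_ptr,
 *this,
-m->in_xref_reconstruction);
+m->in_xref_reconstruction || m->in_read_xref_stream);
+;
 if (empty) {
 // Nothing in the PDF spec appears to allow empty objects, but they have been encountered in
 // actual PDF files and Adobe Reader appears to ignore them.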
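Review bot: The reset `m->in_read_xref_stream = false;` after the catch in read_xrefStream is reached only when readObjectAtOffset returns or throws QPDFExc, so any other exception type would leave the flag set on the Members object for the rest of the QPDF instance's life. Going by the second hunk, every later readObject call would then pass true as the last argument of its parse call, presumably applying the xref sanity checks to ordinary objects as well. Binding the reset to scope exit removes the dependency on the catch list, for example `struct Reset { bool& f; ~Reset() { f = false; } } reset{m->in_read_xref_stream};` right after the flag is set inside the try block, which also makes the separate reset line unnecessary. The lone `;` added after the call in readObject is an empty statement and can be dropped. Both functions start and end outside the hunks shown.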
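--- a/libqpdf/qpdf/QPDF_private.hh
+++ b/libqpdf/qpdf/QPDF_private.hh
@@ -491,6 +491,7 @@ class QPDF::Members
 CopiedStreamDataProvider* copied_stream_data_provider{nullptr};
 bool reconstructed_xref{false};
 bool in_xref_reconstruction{false};
+bool in_read_xref_stream{false};
 bool fixed_dangling_refs{false};
 bool immediate_copy_from{false};
 bool in_parse{false};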
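Review bot: The new member `in_read_xref_stream` sits directly below the similarly named `in_xref_reconstruction`, with nothing saying how the two differ or which code owns the flag. A one-line comment above it would help the next reader, e.g. `// Set by read_xrefStream while the xref stream object is being read; readObject ORs it with in_xref_reconstruction for the parse call.` That wording reflects only what this commit shows, so adjust it if other code also writes the flag. The class body continues outside the hunk.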