Commit 6b80e0f14b296c21d38a92e25af72da9bf5757ae
Committed by
GitHub
GitHub
Merge pull request #1127 from m-holger/parser
Tighten checks for invalid indirect references in QPDFParser
Showing
3 changed files
with
10 additions
and
7 deletions
libqpdf/QPDFParser.cc
| ... | ... | @@ -163,16 +163,15 @@ QPDFParser::parseRemainder(bool content_stream) |
| 163 | 163 | throw std::logic_error("QPDFParser::parse called without context on an object " |
| 164 | 164 | "with indirect references"); |
| 165 | 165 | } |
| 166 | - auto ref_og = QPDFObjGen( | |
| 167 | - QIntC::to_int(int_buffer[(int_count - 1) % 2]), | |
| 168 | - QIntC::to_int(int_buffer[(int_count) % 2])); | |
| 169 | - if (ref_og.isIndirect()) { | |
| 166 | + auto id = QIntC::to_int(int_buffer[(int_count - 1) % 2]); | |
| 167 | + auto gen = QIntC::to_int(int_buffer[(int_count) % 2]); | |
| 168 | + if (!(id < 1 || gen < 0 || gen >= 65535)) { | |
| 170 | 169 | // This action has the desirable side effect of causing dangling references |
| 171 | 170 | // (references to indirect objects that don't appear in the PDF) in any parsed |
| 172 | 171 | // object to appear in the object cache. |
| 173 | - add(std::move(context->getObject(ref_og).obj)); | |
| 172 | + add(std::move(context->getObject(id, gen).obj)); | |
| 174 | 173 | } else { |
| 175 | - QTC::TC("qpdf", "QPDFParser indirect with 0 objid"); | |
| 174 | + QTC::TC("qpdf", "QPDFParser invalid objgen"); | |
| 176 | 175 | addNull(); |
| 177 | 176 | } |
| 178 | 177 | int_count = 0; | ... | ... |
qpdf/qpdf.testcov
| ... | ... | @@ -256,7 +256,7 @@ QPDFWriter standard deterministic ID 1 |
| 256 | 256 | QPDFWriter linearized deterministic ID 1 |
| 257 | 257 | QPDFWriter deterministic with no data 0 |
| 258 | 258 | qpdf-c called qpdf_set_deterministic_ID 0 |
| 259 | -QPDFParser indirect with 0 objid 0 | |
| 259 | +QPDFParser invalid objgen 0 | |
| 260 | 260 | QPDF object id 0 0 |
| 261 | 261 | QPDF recursion loop in resolve 0 |
| 262 | 262 | QPDFParser treat word as string 0 | ... | ... |
qpdf/test_driver.cc
| ... | ... | @@ -1202,6 +1202,10 @@ test_31(QPDF& pdf, char const* arg2) |
| 1202 | 1202 | assert(QPDFObjectHandle::parse(&pdf, ">>").unparse() == "null"); |
| 1203 | 1203 | // TC:QPDFParser eof in parse |
| 1204 | 1204 | assert(QPDFObjectHandle::parse(&pdf, "[7 0 R]").getArrayItem(0).isNull()); |
| 1205 | + // TC:QPDFParser invalid objgen | |
| 1206 | + assert( | |
| 1207 | + QPDFObjectHandle::parse(&pdf, "[0 0 R -1 0 R 1 65535 R 1 100000 R 1 -1 R]").unparse() == | |
| 1208 | + "[ null null null null null ]"); | |
| 1205 | 1209 | } |
| 1206 | 1210 | |
| 1207 | 1211 | static void | ... | ... |