Detect xref pointer infinite loop (fixes #149)

Jay Berkenbilt
1 parent 2d0c6873
Showing 5 changed files with 134 additions and 0 deletions
ChangeLog
libqpdf/QPDF.cc
qpdf/qtest/qpdf.test
qpdf/qtest/qpdf/issue-149.out
qpdf/qtest/qpdf/issue-149.pdf
+2017-08-25  Jay Berkenbilt  <ejb@ql.org>
+
+	* Detect infinite loop while finding additional xref tables. Fixes
+	#149.
+
 2017-08-22  Jay Berkenbilt  <ejb@ql.org>
 	* 7.0.b1: release
@@ -491,8 +491,10 @@ void
 QPDF::read_xref(qpdf_offset_t xref_offset)
 {
     std::map<int, int> free_table;
+    std::set<qpdf_offset_t> visited;
     while (xref_offset)
     {
+        visited.insert(xref_offset);
         char buf[7];
         memset(buf, 0, sizeof(buf));
 	this->m->file->seek(xref_offset, SEEK_SET);
@@ -520,6 +522,10 @@ QPDF::read_xref(qpdf_offset_t xref_offset)
 	{
 	    xref_offset = read_xrefStream(xref_offset);
 	}
+        if (visited.count(xref_offset) != 0)
+        {
+            xref_offset = 0;
+        }
     }
     if (! this->m->trailer.isInitialized())
@@ -221,6 +221,7 @@ my @bug_tests = (
     ["141a", "/W entry size 0", 2],
     ["141b", "/W entry size 0", 2],
     ["143", "self-referential ostream", 3],
+    ["149", "xref prev pointer loop", 3],
     );
 $n_tests += scalar(@bug_tests);
 foreach my $d (@bug_tests)
+WARNING: issue-149.pdf: reported number of objects (11) inconsistent with actual number of objects (7)
+qpdf: operation succeeded with warnings; resulting file may have some problems
+%PDF-1.7
+%Á∑·∂
+% vim: set tw=76 ts=2 et :
+% convert with:
+% ./fixlengths < hello.txt > hello.pdf ; ./genxref hello.pdf
+1 0 obj
+  <<  /Type /Catalog
+      /Outlines 6 0 R
+      /Pages 2 0 R
+  >>
+endobj
+
+2 0 obj
+  <<  /Type /Pages
+      /Kids [3 0 R]
+      /Count 1
+  >>
+endobj
+
+3 0 obj
+  <<  /Type /Page
+      /Parent 2 0 R
+      /MediaBox [0 0 595.276 841.89]
+      /Contents 4 0 R
+      /Resources <<
+        /ProcSet [/PDF /Text]
+        /Font << /F1 5 0 R >>
+        >>
+  >>
+endobj
+
+4 0 obj
+  <<  /Length 36  >>
+stream
+  BT 80 100 Td /F1 48 Tf (foo) Tj ET
+endstream
+endobj
+
+5 0 obj
+  <<  /Type /Font
+      /Subtype /Type1
+      /Name /F1
+      /BaseFont /Helvetica
+      /Encoding /MacRomanEncoding
+  >>
+endobj
+
+6 0 obj
+  <<  /Type /Outlines
+      /Count 0
+  >>
+endobj
+
+xref
+0 7
+0000000000 65535 f
+0000000125 00000 n
+0000000208 00000 n
+0000000283 00000 n
+0000000492 00000 n
+0000000583 00000 n
+0000000721 00000 n
+
+trailer
+  <<  /Size 7
+      /Prev 1516
+      /Root 1 0 R
+  >>
+startxref
+779%%EOF
+
+% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+1 1 obj
+  <<  /Type /Catalog
+      /Outlines 6 0 R
+      /Pages 2 1 R
+  >>
+endobj
+
+2 1 obj
+  <<  /Type /Pages
+      /Kids [3 1 R]
+      /Count 1
+  >>
+endobj
+
+3 1 obj
+  <<  /Type /Page
+      /Parent 2 1 R
+      /MediaBox [0 0 595.276 841.89]
+      /Contents 4 1 R
+      /Resources <<
+        /ProcSet [/PDF /Text]
+        /Font << /F1 5 0 R >>
+        >>
+  >>
+endobj
+
+4 1 obj
+  <<  /Length 36  >>
+stream
+  BT 80 100 Td /F1 48 Tf (bar) Tj ET
+endstream
+endobj
+
+xref
+1 4
+0000001058 00001 n
+0000001141 00001 n
+0000001216 00001 n
+0000001425 00001 n
+
+trailer
+  <<  /Size 11
+      /Prev 779
+      /Root 1 1 R
+  >>
+startxref
+1516
+%%EOF