Fix parsing of object streams

... containing objects with no white-space between them. To enforce the rule that objects end at the start-offset of the next object, each object is parsed in it own object stream. To facilitate this, a new private API input source is::OffsetBuffer has been added which only contains the object but reports offsets relative to the start of the object stream. This is adapted from OffsetInputSource by changing the direction of the offset, endowing it with its own BufferInputSource and striooing out checks duplicated in BufferInputSource. Fixes the expected failure in the test case added in #1266.

Fix parsing of object streams
... containing objects with no white-space between them. To enforce the rule that objects end at the start-offset of the next object, each object is parsed in it own object stream. To facilitate this, a new private API input source is::OffsetBuffer has been added which only contains the object but reports offsets relative to the start of the object stream. This is adapted from OffsetInputSource by changing the direction of the offset, endowing it with its own BufferInputSource and striooing out checks duplicated in BufferInputSource. Fixes the expected failure in the test case added in #1266.
m-holger
1 parent 5eb9a18a
Showing 7 changed files with 134 additions and 12 deletions
include/qpdf/QPDF.hh
libqpdf/QPDFParser.cc
libqpdf/QPDF_objects.cc
libqpdf/qpdf/InputSource_private.hh
libqpdf/qpdf/QPDFParser.hh
manual/release-notes.rst
qpdf/qtest/object-stream.test
@@ -45,6 +45,11 @@
 #include <qpdf/QPDFWriter.hh>
 #include <qpdf/QPDFXRefEntry.hh>
  
+namespace qpdf::is
+{
+    class OffsetBuffer;
+}
+
 class QPDF_Stream;
 class BitStream;
 class BitWriter;
@@ -785,7 +790,7 @@ class QPDF
     QPDFObjectHandle readObject(std::string const& description, QPDFObjGen og);
     void readStream(QPDFObjectHandle& object, QPDFObjGen og, qpdf_offset_t offset);
     void validateStreamLineEnd(QPDFObjectHandle& object, QPDFObjGen og, qpdf_offset_t offset);
-    QPDFObjectHandle readObjectInStream(BufferInputSource& input, int stream_id, int obj_id);
+    QPDFObjectHandle readObjectInStream(qpdf::is::OffsetBuffer& input, int stream_id, int obj_id);
     size_t recoverStreamLength(
         std::shared_ptr<InputSource> input, QPDFObjGen og, qpdf_offset_t stream_offset);
     QPDFTokenizer::Token readToken(InputSource&, size_t max_len = 0);
@@ -12,6 +12,7 @@
 #include <memory>
  
 using namespace std::literals;
+using namespace qpdf;
  
 using ObjectPtr = std::shared_ptr<QPDFObject>;
  
@@ -87,7 +88,7 @@ QPDFParser::parse(
  
 std::pair<QPDFObjectHandle, bool>
 QPDFParser::parse(
-    BufferInputSource& input, int stream_id, int obj_id, qpdf::Tokenizer& tokenizer, QPDF& context)
+    is::OffsetBuffer& input, int stream_id, int obj_id, qpdf::Tokenizer& tokenizer, QPDF& context)
 {
     bool empty{false};
     auto result = QPDFParser(
@@ -1288,7 +1288,7 @@ QPDF::validateStreamLineEnd(QPDFObjectHandle&amp; object, QPDFObjGen og, qpdf_offset
 }
  
 QPDFObjectHandle
-QPDF::readObjectInStream(BufferInputSource& input, int stream_id, int obj_id)
+QPDF::readObjectInStream(is::OffsetBuffer& input, int stream_id, int obj_id)
 {
     auto [object, empty] = QPDFParser::parse(input, stream_id, obj_id, m->tokenizer, *this);
     if (empty) {
@@ -1645,12 +1645,26 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
             "object stream " + std::to_string(obj_stream_number) + " has incorrect keys");
     }
  
-    std::vector<std::pair<int, long long>> offsets;
+    // id, offset, size
+    std::vector<std::tuple<int, qpdf_offset_t, size_t>> offsets;
  
     auto bp = obj_stream.getStreamData(qpdf_dl_specialized);
+
     BufferInputSource input("", bp.get());
  
+    const auto b_size = bp->getSize();
+    const auto end_offset = static_cast<qpdf_offset_t>(b_size);
+    auto b_start = bp->getBuffer();
+
+    if (first >= end_offset) {
+        throw damagedPDF(
+            "object " + std::to_string(obj_stream_number) + " 0",
+            "object stream " + std::to_string(obj_stream_number) + " has invalid /First entry");
+    }
+
+    int id = 0;
     long long last_offset = -1;
+    bool is_first = true;
     for (unsigned int i = 0; i < n; ++i) {
         auto tnum = readToken(input);
         auto toffset = readToken(input);
@@ -1682,26 +1696,45 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
                     std::to_string(last_offset) + ")"));
             continue;
         }
-        last_offset = offset;
  
         if (num > m->xref_table_max_id) {
             continue;
         }
  
-        offsets.emplace_back(num, offset + first);
+        if (first + offset >= end_offset) {
+            warn(damaged(num, offset, "offset is too large"));
+            continue;
+        }
+
+        if (is_first) {
+            is_first = false;
+        } else {
+            offsets.emplace_back(
+                id, last_offset + first, static_cast<size_t>(offset - last_offset));
+        }
+
+        last_offset = offset;
+        id = num;
+    }
+
+    if (!is_first) {
+        // We found at least one valid entry.
+        offsets.emplace_back(
+            id, last_offset + first, b_size - static_cast<size_t>(last_offset + first));
     }
  
     // To avoid having to read the object stream multiple times, store all objects that would be
     // found here in the cache.  Remember that some objects stored here might have been overridden
     // by new objects appended to the file, so it is necessary to recheck the xref table and only
     // cache what would actually be resolved here.
-    for (auto const& [id, offset]: offsets) {
-        QPDFObjGen og(id, 0);
+    for (auto const& [obj_id, obj_offset, obj_size]: offsets) {
+        QPDFObjGen og(obj_id, 0);
         auto entry = m->xref_table.find(og);
         if (entry != m->xref_table.end() && entry->second.getType() == 2 &&
             entry->second.getObjStreamNumber() == obj_stream_number) {
-            input.seek(offset, SEEK_SET);
-            QPDFObjectHandle oh = readObjectInStream(input, obj_stream_number, id);
+            Buffer obj_buffer{b_start + obj_offset, obj_size};
+            is::OffsetBuffer in("", &obj_buffer, obj_offset);
+            auto oh = readObjectInStream(in, obj_stream_number, obj_id);
             updateCache(og, oh.getObj(), end_before_space, end_after_space);
         } else {
             QTC::TC("qpdf", "QPDF not caching overridden objstm object");
 #ifndef QPDF_INPUTSOURCE_PRIVATE_HH
 #define QPDF_INPUTSOURCE_PRIVATE_HH
  
+#include <qpdf/BufferInputSource.hh>
 #include <qpdf/InputSource.hh>
  
+#include <limits>
+#include <sstream>
+#include <stdexcept>
+
+namespace qpdf::is
+{
+    class OffsetBuffer final: public InputSource
+    {
+      public:
+        OffsetBuffer(std::string const& description, Buffer* buf, qpdf_offset_t global_offset) :
+            proxied(description, buf),
+            global_offset(global_offset)
+        {
+            if (global_offset < 0) {
+                throw std::logic_error("is::OffsetBuffer constructed with negative offset");
+            }
+            last_offset = global_offset;
+        }
+
+        ~OffsetBuffer() final = default;
+
+        qpdf_offset_t
+        findAndSkipNextEOL() final
+        {
+            return proxied.findAndSkipNextEOL() + global_offset;
+        }
+
+        std::string const&
+        getName() const final
+        {
+            return proxied.getName();
+        }
+
+        qpdf_offset_t
+        tell() final
+        {
+            return proxied.tell() + global_offset;
+        }
+
+        void
+        seek(qpdf_offset_t offset, int whence) final
+        {
+            if (whence == SEEK_SET) {
+                proxied.seek(offset - global_offset, whence);
+            } else {
+                proxied.seek(offset, whence);
+            }
+        }
+
+        void
+        rewind() final
+        {
+            seek(0, SEEK_SET);
+        }
+
+        size_t
+        read(char* buffer, size_t length) final
+        {
+            size_t result = proxied.read(buffer, length);
+            setLastOffset(proxied.getLastOffset() + global_offset);
+            return result;
+        }
+
+        void
+        unreadCh(char ch) final
+        {
+            proxied.unreadCh(ch);
+        }
+
+      private:
+        BufferInputSource proxied;
+        qpdf_offset_t global_offset;
+    };
+
+} // namespace qpdf::is
+
 inline size_t
 InputSource::read(std::string& str, size_t count, qpdf_offset_t at)
 {
 #ifndef QPDFPARSER_HH
 #define QPDFPARSER_HH
  
+#include <qpdf/InputSource_private.hh>
 #include <qpdf/QPDFObjectHandle_private.hh>
 #include <qpdf/QPDFObject_private.hh>
 #include <qpdf/QPDFTokenizer_private.hh>
@@ -38,7 +39,7 @@ class QPDFParser
         QPDF& context);
  
     static std::pair<QPDFObjectHandle, bool> parse(
-        BufferInputSource& input,
+        qpdf::is::OffsetBuffer& input,
         int stream_id,
         int obj_id,
         qpdf::Tokenizer& tokenizer,
@@ -21,6 +21,11 @@ more detail.
       integer object. Previously the method returned false if the first
       dictionary object was not a linearization parameter dictionary.
  
+    = Fix parsing of object streams containing objects not seperated by
+      white-space. Pre-2020 editions of the PDF specification incorrectly
+      stated that white-space was required between objects. qpdf relied on this
+      when parsing object streams.
+
     - Fix two object stream error/warning messages that reported the wrong
       object id.
  
@@ -124,7 +124,7 @@ $td-&gt;runtest(&quot;adjacent compressed objects&quot;,
              {$td->COMMAND => "test_driver 99 no-space-compressed-object.pdf"},
              {$td->FILE => "no-space-compressed-object.out",
               $td->EXIT_STATUS => 0},
-             $td->EXPECT_FAILURE);
+             $td->NORMALIZE_NEWLINES);
  
 cleanup();
 $td->report(calc_ntests($n_tests, $n_compare_pdfs));