Commit ed43691bf3e1da1cefb7a4618cb809684040dd65
1 parent
6e3b7982
Tighten checks for invalid indirect references in QPDFParser
Showing
3 changed files
with
10 additions
and
7 deletions
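--- a/libqpdf/QPDFParser.cc
+++ b/libqpdf/QPDFParser.cc
@@ -163,16 +163,15 @@ QPDFParser::parseRemainder(bool content_stream)
 throw std::logic_error("QPDFParser::parse called without context on an object "
 "with indirect references");
 }
- auto ref_og = QPDFObjGen(
- QIntC::to_int(int_buffer[(int_count - 1) % 2]),
- QIntC::to_int(int_buffer[(int_count) % 2]));
- if (ref_og.isIndirect()) {
+ auto id = QIntC::to_int(int_buffer[(int_count - 1) % 2]);
+ auto gen = QIntC::to_int(int_buffer[(int_count) % 2]);
+ if (!(id < 1 || gen < 0 || gen >= 65535)) {
 // This action has the desirable side effect of causing dangling references
 // (references to indirect objects that don't appear in the PDF) in any parsed
 // object to appear in the object cache.
- add(std::move(context->getObject(ref_og).obj));
+ add(std::move(context->getObject(id, gen).obj));
 } else {
- QTC::TC("qpdf", "QPDFParser indirect with 0 objid");
+ QTC::TC("qpdf", "QPDFParser invalid objgen");
 addNull();
 }
 int_count = 0;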
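Review bot: The new range test in `if (!(id < 1 || gen < 0 || gen >= 65535))` runs only after both values have passed through `QIntC::to_int`, so an object id or generation too large for `int` never reaches the `QPDFParser invalid objgen` branch. As far as I know `QIntC::to_int` throws on a value that does not fit, which would make an oversized reference in an untrusted file abort the parse instead of becoming null like the other invalid cases; whether a caller handles that exception is not visible here. Comparing the raw `int_buffer` values first and narrowing only inside the accepted branch would route every malformed reference to `addNull()`; this needs `<limits>` and assumes `int_buffer` holds a wider integer type, as the conversions suggest. The body of `parseRemainder` starts and ends outside the hunk.

```cpp
auto id = int_buffer[(int_count - 1) % 2];
auto gen = int_buffer[(int_count) % 2];
if (id >= 1 && id <= std::numeric_limits<int>::max() && gen >= 0 && gen < 65535) {
    // … unchanged: comment on dangling references and the object cache …
    add(std::move(context->getObject(QIntC::to_int(id), QIntC::to_int(gen)).obj));
} else {
    // … unchanged: QTC::TC("qpdf", "QPDFParser invalid objgen") and addNull() …
```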
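--- a/qpdf/qpdf.testcov
+++ b/qpdf/qpdf.testcov
@@ -256,7 +256,7 @@ QPDFWriter standard deterministic ID 1
 QPDFWriter linearized deterministic ID 1
 QPDFWriter deterministic with no data 0
 qpdf-c called qpdf_set_deterministic_ID 0
-QPDFParser indirect with 0 objid 0
+QPDFParser invalid objgen 0
 QPDF object id 0 0
 QPDF recursion loop in resolve 0
 QPDFParser treat word as string 0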
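--- a/qpdf/test_driver.cc
+++ b/qpdf/test_driver.cc
@@ -1202,6 +1202,10 @@ test_31(QPDF& pdf, char const* arg2)
 assert(QPDFObjectHandle::parse(&pdf, ">>").unparse() == "null");
 // TC:QPDFParser eof in parse
 assert(QPDFObjectHandle::parse(&pdf, "[7 0 R]").getArrayItem(0).isNull());
+ // TC:QPDFParser invalid objgen
+ assert(
+ QPDFObjectHandle::parse(&pdf, "[0 0 R -1 0 R 1 65535 R 1 100000 R 1 -1 R]").unparse() ==
+ "[ null null null null null ]");
 }
 
 static void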
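Review bot: The added assertion exercises only rejected references, so nothing pins the accepted side of the new `gen >= 65535` bound, and an off-by-one that also rejected generation 65534 would still pass. A case for the highest accepted generation next to it would close that gap, for example `assert(QPDFObjectHandle::parse(&pdf, "[1 65534 R]").getArrayItem(0).isIndirect());`, assuming a well-formed but dangling reference is kept as an indirect handle rather than replaced by a direct null. The list also has no id or generation beyond the range of `int`, which is where the parser's narrowing conversion rather than the range test decides the outcome. `test_31` starts outside the hunk.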