OpenSystemsDevelopment / qpdf

While scanning the file looking for objects, limit the length of
tokens we allow. This prevents us from getting caught up in reading a
file character by character while digging through large streams.

A stray semicolon caused a condition to be incorrectly applied during
stream length recovery.

Pushing member variables into a nested class enables addition of new
member variables without breaking binary compatibility.

This commit adds several API methods that enable control over which
types of filters QPDF will attempt to decode. It also adds support for
/RunLengthDecode and /DCTDecode filters for both encoding and
decoding.

Bad /W in an xref stream could cause a division by zero error. Now
this is handled as a special case.

Also accept more errors than before.

Eliminate PCRE and find endobj not preceded by endstream. Be more lax
about placement of endstream and endobj.

Sometimes we want to ignore bad tokens rather than having them throw
an exception. A coverage case is commented out here and added in a
later commit.

The code was using 1.0, but we use /FlateDecode, which didn't appear
until 1.2.

Very badly corrupted files may not have a retrievable root dictionary.
Handle that as a special case so that a more helpful error message can
be provided.

When requested, QPDFWriter will do more aggress prechecking of streams
to make sure it can actually succeed in decoding them before
attempting to do so. This will allow preservation of raw data even
when the raw data is corrupted relative to the specified filters.

QPDFObjectHandle::parseInternal now issues warnings instead of
throwing exceptions for all error conditions that it finds (except
internal logic errors) and has stronger recovery for things like
invalid tokens and malformed dictionaries. This should improve qpdf's
ability to recover from a wide range of broken files that currently
cause it to fail.

During parsing of an object, sometimes parts of the object have to be
resolved. An example is stream lengths. If such an object directly or
indirectly points to the object being parsed, it can cause an infinite
loop. Guard against all cases of re-entrant resolution of objects.

This is CVE-2017-9208.

The QPDF library uses object ID 0 internally as a sentinel to
represent a direct object, but prior to this fix, was not blocking
handling of 0 0 obj or 0 0 R as a special case. Creating an object in
the file with 0 0 obj could cause various infinite loops. The PDF spec
doesn't allow for object 0. Having qpdf handle object 0 might be a
better fix, but changing all the places in the code that assumes objid
== 0 means direct would be risky.

This is CVE-2017-9209.

If xref table entries lack the spec-required trailing whitespace or
contain a small amount of extra space, handle them anyway.

This is a performance fix.  The output is unchanged.

Fixes #28.

Fixes #27.

For std::string and std::vector, replace operator[] with at.  This was
done using an automated process.  See README.hardening for details.