OpenSystemsDevelopment / qpdf

Reject objects containing arrays or dictionaries with more than 5000
elements. We are by definition dealing with damaged files, and such
objects are extremely likely to be invalid or malicious.

Fix android build issues (fixes #950)

Implement QPDFFormFieldObjectHelper::isChecked

API was defined, but .cc had no implementation. PDF 2.0 manual is surprisingly unclear as to on/off values, giving /Yes in an example and /Off in descriptive text as "not on".

In QPDF::getAllPagesInternal include the /Kids array in the visited set
for loop detection.

Fixes oss-fuzz issue 411312393

Adjusting for under/overflow by repeated incrementing/decrementing can
cause excessive runtime with invalid BBox coordinates.

Fixes oss-fuzz issue 409905355.

Detection of fseeko on Android ABI level < 24 gets a false positive if
_FILE_OFFSET_BITS is not set first.

Thanks to github user @cdosborn for the basic enhancement.

Only top-level XMP metadata is supposed to be left unencrypted. All
other metadata is not treated specially.

Fix offsets in QPDF::resolveObjectsInStream warnings

CMake: correctly detect that timezone is not an int

As discussed in #1396.

Internally use -1 to represent a missing offset and provide a constructor
overload that allows 0 as a valid offset.

In QPDF::damagedPDF use the new overload.

Also, silently fix any angle that is a multiple of 90.

Rather than converting each (sequential) object id to a string,
generate a string for the first id and than increment the digits in the
string.

The simple CMake test that printf("%ld", timezone) to tell if HAVE_EXTERN_LONG_TIMEZONE, incorrectly saw an int after casting FreeBSD's char * timezone(int zone, int dst) pointer function to an int. By dividing it by 60 (as will occur in the .cc file), we ensure the test program to fail and thus HAVE_EXTERN_LONG_TIMEZONE not to be defined.

... to remove the /Root /StructTreeRoot and /MarkInfo entries.

... and use it in QPDFWriter and QPDF::generateHintStream.

Also, remove redundant QPDFWriter::writeBuffer.

Also,
- use Pl_Discard when only checking whether stream is filterable
- get last char directly from output string

... containing objects with no white-space between them.

To enforce the rule that objects end at the start-offset of the next
object, each object is parsed in it own object stream.

To facilitate this, a new private API input source is::OffsetBuffer has
been added which only contains the object but reports offsets relative to
the start of the object stream. This is adapted from OffsetInputSource by
changing the direction of the offset, endowing it with its own
BufferInputSource and striooing out checks duplicated in BufferInputSource.

Fixes the expected failure in the test case added in #1266.

Add static parse methods. Make all external access to QPDFParser through
static methods.

Make all non-static methods including constructors private.

Only build strings when needed.

... to QPDFObjectHandle_private.hh

This was due to the use of last_object_description, which is not set for
the object stream itself.

Also, modify the messages introduced #1391 and #1392 to report the supposed
offset of the objects.

Cache output of pass 1.