diff options
Diffstat (limited to 'graphics/kdegraphics4/files/patch-post-3.5.5-kdegraphics-CVE-2007-0104.diff')
| -rw-r--r-- | graphics/kdegraphics4/files/patch-post-3.5.5-kdegraphics-CVE-2007-0104.diff | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/graphics/kdegraphics4/files/patch-post-3.5.5-kdegraphics-CVE-2007-0104.diff b/graphics/kdegraphics4/files/patch-post-3.5.5-kdegraphics-CVE-2007-0104.diff new file mode 100644 index 000000000000..092cf67f360b --- /dev/null +++ b/graphics/kdegraphics4/files/patch-post-3.5.5-kdegraphics-CVE-2007-0104.diff @@ -0,0 +1,61 @@ +--- kpdf/xpdf/xpdf/Catalog.cc ++++ kpdf/xpdf/xpdf/Catalog.cc +@@ -26,6 +26,12 @@ + #include "UGString.h" + #include "Catalog.h" + ++// This define is used to limit the depth of recursive readPageTree calls ++// This is needed because the page tree nodes can reference their parents ++// leaving us in an infinite loop ++// Most sane pdf documents don't have a call depth higher than 10 ++#define MAX_CALL_DEPTH 1000 ++ + //------------------------------------------------------------------------ + // Catalog + //------------------------------------------------------------------------ +@@ -76,7 +82,7 @@ Catalog::Catalog(XRef *xrefA) { + pageRefs[i].num = -1; + pageRefs[i].gen = -1; + } +- numPages = readPageTree(pagesDict.getDict(), NULL, 0); ++ numPages = readPageTree(pagesDict.getDict(), NULL, 0, 0); + if (numPages != numPages0) { + error(-1, "Page count in top-level pages object is incorrect"); + } +@@ -191,7 +197,7 @@ GString *Catalog::readMetadata() { + return s; + } + +-int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) { ++int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start, int callDepth) { + Object kids; + Object kid; + Object kidRef; +@@ -236,9 +242,13 @@ int Catalog::readPageTree(Dict *pagesDic + // This should really be isDict("Pages"), but I've seen at least one + // PDF file where the /Type entry is missing. + } else if (kid.isDict()) { +- if ((start = readPageTree(kid.getDict(), attrs1, start)) +- < 0) +- goto err2; ++ if (callDepth > MAX_CALL_DEPTH) { ++ error(-1, "Limit of %d recursive calls reached while reading the page tree. If your document is correct and not a test to try to force a crash, please report a bug.", MAX_CALL_DEPTH); ++ } else { ++ if ((start = readPageTree(kid.getDict(), attrs1, start, callDepth + 1)) ++ < 0) ++ goto err2; ++ } + } else { + error(-1, "Kid object (page %d) is wrong type (%s)", + start+1, kid.getTypeName()); +--- kpdf/xpdf/xpdf/Catalog.h ++++ kpdf/xpdf/xpdf/Catalog.h +@@ -128,7 +128,7 @@ private: + Object acroForm; // AcroForm dictionary + GBool ok; // true if catalog is valid + +- int readPageTree(Dict *pages, PageAttrs *attrs, int start); ++ int readPageTree(Dict *pages, PageAttrs *attrs, int start, int callDepth); + Object *findDestInTree(Object *tree, GString *name, Object *obj); + }; + |