aboutsummaryrefslogtreecommitdiff
path: root/editors/koffice-kde4/files/patch-koffce-xpdf-CVE-2007-0104.diff
blob: f5e51a1c706e0bc603ec660d61af8f204b9fe078 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
------------------------------------------------------------------------
r622463 | aacid | 2007-01-11 23:05:54 +0100 (Thu, 11 Jan 2007) | 2 lines
Changed paths:
   M /branches/koffice/1.6/koffice/filters/kword/pdf/xpdf/xpdf/Catalog.cc
   M /branches/koffice/1.6/koffice/filters/kword/pdf/xpdf/xpdf/Catalog.h

Commiting the patch agreed between kpdf and poppler developers to fix MOAB-06-01-2007 issue.

------------------------------------------------------------------------
Index: filters/kword/pdf/xpdf/xpdf/Catalog.cc
===================================================================
--- filters/kword/pdf/xpdf/xpdf/Catalog.cc	(revision 622462)
+++ filters/kword/pdf/xpdf/xpdf/Catalog.cc	(revision 622463)
@@ -24,6 +24,12 @@
 #include "Link.h"
 #include "Catalog.h"
 
+// This define is used to limit the depth of recursive readPageTree calls
+// This is needed because the page tree nodes can reference their parents
+// leaving us in an infinite loop
+// Most sane pdf documents don't have a call depth higher than 10
+#define MAX_CALL_DEPTH 1000
+
 //------------------------------------------------------------------------
 // Catalog
 //------------------------------------------------------------------------
@@ -77,7 +83,7 @@ Catalog::Catalog(XRef *xrefA) {
     pageRefs[i].num = -1;
     pageRefs[i].gen = -1;
   }
-  numPages = readPageTree(pagesDict.getDict(), NULL, 0);
+  numPages = readPageTree(pagesDict.getDict(), NULL, 0, 0);
   if (numPages != numPages0) {
     error(-1, "Page count in top-level pages object is incorrect");
   }
@@ -171,7 +177,7 @@ GString *Catalog::readMetadata() {
   return s;
 }
 
-int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) {
+int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start, int callDepth) {
   Object kids;
   Object kid;
   Object kidRef;
@@ -221,9 +227,13 @@ int Catalog::readPageTree(Dict *pagesDic
     // This should really be isDict("Pages"), but I've seen at least one
     // PDF file where the /Type entry is missing.
     } else if (kid.isDict()) {
-      if ((start = readPageTree(kid.getDict(), attrs1, start))
-	  < 0)
-	goto err2;
+      if (callDepth > MAX_CALL_DEPTH) {
+        error(-1, "Limit of %d recursive calls reached while reading the page tree. If your document is correct and not a test to try to force a crash, please report a bug.", MAX_CALL_DEPTH);
+      } else {
+        if ((start = readPageTree(kid.getDict(), attrs1, start, callDepth + 1))
+	    < 0)
+	  goto err2;
+      }
     } else {
       error(-1, "Kid object (page %d) is wrong type (%s)",
 	    start+1, kid.getTypeName());
Index: filters/kword/pdf/xpdf/xpdf/Catalog.h
===================================================================
--- filters/kword/pdf/xpdf/xpdf/Catalog.h	(revision 622462)
+++ filters/kword/pdf/xpdf/xpdf/Catalog.h	(revision 622463)
@@ -82,7 +82,7 @@ private:
   Object outline;		// outline dictionary
   GBool ok;			// true if catalog is valid
 
-  int readPageTree(Dict *pages, PageAttrs *attrs, int start);
+  int readPageTree(Dict *pages, PageAttrs *attrs, int start, int callDepth);
   Object *findDestInTree(Object *tree, GString *name, Object *obj);
 };