Commit 1e1a2d06 authored by Jason Crain, committed by Albert Astals Cid

Fix JBIG2Decode infinite loop and stack overflow

Creating a JBIG2Decode filter can create a stack overflow or infinite
loop.  Fix stack overflow by adding 'recursion' argument to fetch
call.  Fix infinite loop by removing the reference lookup loop.
Chains of references aren't allowed by the spec anyway.

Bug #91186
parent 3c91ded2
......@@ -31,6 +31,7 @@
// Copyright (C) 2013 Adam Reichold <adamreichold@myopera.com>
// Copyright (C) 2013 Pino Toscano <pino@kde.org>
// Copyright (C) 2015 Suzuki Toshiya <mpsuzuki@hiroshima-u.ac.jp>
// Copyright (C) 2015 Jason Crain <jason@aquaticape.us>
//
// To see a description of the changes please see the Changelog file that
// came with your tarball or type make ChangeLog if you are building from git
......@@ -340,13 +341,8 @@ Stream *Stream::makeFilter(char *name, Stream *str, Object *params, int recursio
} else if (!strcmp(name, "JBIG2Decode")) {
if (params->isDict()) {
XRef *xref = params->getDict()->getXRef();
params->dictLookupNF("JBIG2Globals", &globals);
while (globals.isRef()) {
obj.free();
globals.copy(&obj);
globals.free();
obj.fetch(xref, &globals);
}
params->dictLookupNF("JBIG2Globals", &obj);
obj.fetch(xref, &globals, recursion);
}
str = new JBIG2Stream(str, &globals, &obj);
globals.free();
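Review bot: after the single `obj.fetch(xref, &globals, recursion);` nothing in this hunk checks what `globals` resolved to before it is passed to `new JBIG2Stream(str, &globals, &obj)`. With the `while (globals.isRef())` loop gone, a malformed file can leave `globals` as something other than a stream, so unless JBIG2Stream already rejects that case, a type check here would make the intent explicit. A one-line comment above the fetch saying the single lookup is deliberate (chains of references are not allowed by the spec, as the commit message notes) would also help keep the loop from being reintroduced, and a regression file for bug #91186 would pin both the stack overflow and the infinite loop.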
......