Lexer: limit max name token length to 1 MB.

Even Rouault requested to merge rouault/poppler:huge_name_token into master

Currently there is no hard limit to the maximum length of a name, which may cause the n variable to overflow INT_MAX (mostly unnoticed unless building with -ftrapv), but later when drawing a page using such an invalid huge name, len = strlen(str) at line 417 of GooString.cc, invoked by error(errSyntaxError, -1, "XObject '{0:s}' is unknown", name) in Gfx.cc::334, overflows to a negative value, which causes an invalid length exception in append(str, len) at GooString.cc:445.

Thus we limit the maximum length of a name to 1 MB, which is way beyond what the spec allows.

The issue can be reproduced with pdftoppm -png byte_huge.pdf on byte_huge.pdf.
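A sketch of the two guards the description implies, written as an added example and not taken from the poppler change itself: a name reader that enforces the 1 MB cap while scanning, and a check before a strlen() result is narrowed to int. The names readName, lengthFitsInt and kMaxNameLen, and the skip-to-next-delimiter recovery, are assumptions made for this illustration.

```cpp
#include <climits>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Cap taken from the merge request description (1 MB).
constexpr std::size_t kMaxNameLen = 1024 * 1024;

enum class NameResult { Ok, TooLong };

// PDF whitespace and delimiter bytes; strchr also matches NUL, which PDF treats as whitespace.
static bool isDelimiter(char c) { return std::strchr(" \t\r\n\f()<>[]{}/%", c) != nullptr; }

// Hypothetical lexer helper: copies name bytes from buf[pos..] into out.
// The length is tracked as size_t and checked against the cap before every
// append, so it stays far below INT_MAX.
NameResult readName(const std::string &buf, std::size_t &pos, std::string &out) {
    out.clear();
    while (pos < buf.size() && !isDelimiter(buf[pos])) {
        if (out.size() >= kMaxNameLen) {
            // Assumed recovery: drop the token and skip to the next delimiter.
            while (pos < buf.size() && !isDelimiter(buf[pos])) ++pos;
            out.clear();
            return NameResult::TooLong;
        }
        out.push_back(buf[pos++]);
    }
    return NameResult::Ok;
}

// Narrowing guard for code that stores a strlen() result in an int:
// refuses lengths that would wrap to a negative value.
bool lengthFitsInt(std::size_t len, int &out) {
    if (len > static_cast<std::size_t>(INT_MAX)) return false;
    out = static_cast<int>(len);
    return true;
}

int main() {
    std::string input(kMaxNameLen + 5, 'A'); // constructed oversized name
    input += " Do";
    std::size_t pos = 0;
    std::string name;
    bool rejected = readName(input, pos, name) == NameResult::TooLong;
    std::printf("oversized name rejected: %s\n", rejected ? "yes" : "no");
    return rejected ? 0 : 1;
}
```

Capping at the lexer means no later consumer ever sees a name long enough to wrap an int, while the narrowing guard covers strings that reach an int-length API by another route.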
