Commit bce14b27 authored by Albert Astals Cid's avatar Albert Astals Cid

* poppler/Catalog.h:

       * poppler/Catalog.cc: Limit max depth of recursive calls on
       readPageTree to fix MOAB-06-01-2007
parent 3f0679a3
2007-01-11 Albert Astals Cid <aacid@kde.org>
* poppler/Catalog.h:
* poppler/Catalog.cc: Limit max depth of recursive calls on
readPageTree to fix MOAB-06-01-2007
2007-01-06 Albert Astals Cid <aacid@kde.org>
* poppler/Sound.cc
......
......@@ -26,6 +26,12 @@
#include "UGooString.h"
#include "Catalog.h"
// This define is used to limit the depth of recursive readPageTree calls
// This is needed because the page tree nodes can reference their parents
// leaving us in an infinite loop
// Most sane pdf documents don't have a call depth higher than 10
#define MAX_CALL_DEPTH 1000
//------------------------------------------------------------------------
// Catalog
//------------------------------------------------------------------------
......@@ -75,7 +81,7 @@ Catalog::Catalog(XRef *xrefA) {
pageRefs[i].num = -1;
pageRefs[i].gen = -1;
}
numPages = readPageTree(pagesDict.getDict(), NULL, 0);
numPages = readPageTree(pagesDict.getDict(), NULL, 0, 0);
if (numPages != numPages0) {
error(-1, "Page count in top-level pages object is incorrect");
}
......@@ -217,7 +223,7 @@ GooString *Catalog::readMetadata() {
return s;
}
int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) {
int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start, int callDepth) {
Object kids;
Object kid;
Object kidRef;
......@@ -262,9 +268,13 @@ int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) {
// This should really be isDict("Pages"), but I've seen at least one
// PDF file where the /Type entry is missing.
} else if (kid.isDict()) {
if ((start = readPageTree(kid.getDict(), attrs1, start))
< 0)
goto err2;
if (callDepth > MAX_CALL_DEPTH) {
error(-1, "Limit of %d recursive calls reached while reading the page tree. If your document is correct and not a test to try to force a crash, please report a bug.", MAX_CALL_DEPTH);
} else {
if ((start = readPageTree(kid.getDict(), attrs1, start, callDepth + 1))
< 0)
goto err2;
}
} else {
error(-1, "Kid object (page %d) is wrong type (%s)",
start+1, kid.getTypeName());
......
......@@ -193,7 +193,7 @@ private:
PageMode pageMode; // page mode
PageLayout pageLayout; // page layout
int readPageTree(Dict *pages, PageAttrs *attrs, int start);
int readPageTree(Dict *pages, PageAttrs *attrs, int start, int callDepth);
Object *findDestInTree(Object *tree, GooString *name, Object *obj);
};
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment