From c550c99eeaf688fb80a1e649b99c86738e3d1b32 Mon Sep 17 00:00:00 2001
From: Mark Rogers <mark.rogers@powermapper.com>
Date: Wed, 19 Apr 2017 14:03:30 +0100
Subject: [PATCH] PoDoFo: fix CVE-2017-5852 - prevent infinite loop in
 GetPageNumber() if Parent chain contains a loop

---
 Electrum/Mapper/Libs/podofo/src/doc/PdfPage.cpp | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/Electrum/Mapper/Libs/podofo/src/doc/PdfPage.cpp b/Electrum/Mapper/Libs/podofo/src/doc/PdfPage.cpp
index 43bf17f..5fa84a7 100644
--- a/Electrum/Mapper/Libs/podofo/src/doc/PdfPage.cpp
+++ b/Electrum/Mapper/Libs/podofo/src/doc/PdfPage.cpp
@@ -543,6 +543,11 @@ unsigned int PdfPage::GetPageNumber() const
     PdfObject*          pParent     = this->GetObject()->GetIndirectKey( "Parent" );
     PdfReference ref                = this->GetObject()->Reference();
 
+    // CVE-2017-5852 - prevent infinite loop if Parent chain contains a loop
+    // e.g. pParent->GetIndirectKey( "Parent" ) == pParent or pParent->GetIndirectKey( "Parent" )->GetIndirectKey( "Parent" ) == pParent
+    const int maxRecursionDepth = 1000;
+    int depth = 0;
+
     while( pParent ) 
     {
         PdfObject* pKids = pParent->GetIndirectKey( "Kids" );
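Review bot: The name `maxRecursionDepth` on the added lines describes recursion, but the walk it bounds is the iterative `while( pParent )` loop, and the value 1000 is given without a rationale. A depth counter cannot distinguish a cyclic Parent chain from a very deep but valid page tree, so the comment should say the limit is a heuristic, e.g. `// heuristic cap: a Parent chain longer than this is treated as a cycle and the file is rejected as broken`, and a name such as `maxParentChainDepth` would match what is counted. The constant is local to GetPageNumber(); if other code in PdfPage.cpp follows "Parent" links (not visible in this hunk), it would need the same bound, which argues for a shared file-level constant. The function body starts and ends outside this hunk.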
@@ -574,6 +579,12 @@ unsigned int PdfPage::GetPageNumber() const
 
         ref     = pParent->Reference();
         pParent = pParent->GetIndirectKey( "Parent" );
+        ++depth;
+
+        if ( depth > maxRecursionDepth )
+        {
+            PODOFO_RAISE_ERROR_INFO( ePdfError_BrokenFile, "Loop in Parent chain" );
+        }
     }
 
     return ++nPageNumber;
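Review bot: The added depth check runs after `pParent` has already been advanced, so it also raises when the chain has just terminated (`pParent` is null) on the step that pushes `depth` past the limit, and a well-formed tree of that depth is reported as "Loop in Parent chain". Guarding on the pointer keeps the error for chains that are still continuing: `if ( pParent && ++depth > maxRecursionDepth )`. The error text could also carry the offending object, for instance the `ref` value already tracked in the loop, so that a rejected file can be triaged from the log. Callers of GetPageNumber() are not visible here; since this const accessor now raises ePdfError_BrokenFile on untrusted input, it is worth confirming that they handle the exception rather than letting it end the process. The loop body between the two hunks is outside this view.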
-- 
2.2.1

