poppler/Stream.cc | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-)
New commits: commit 1e1a2d0600153c98d44f65e83a0555ab5288450b Author: Jason Crain <[email protected]> Date: Sun Sep 6 22:33:02 2015 +0200 Fix JBIG2Decode infinite loop and stack overflow Creating a JBIG2Decode filter can create a stack overflow or infinite loop. Fix stack overflow by adding 'recursion' argument to fetch call. Fix infinite loop by removing the reference lookup loop. Chains of references aren't allowed by the spec anyway. Bug #91186
diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index d2dd761..9617678 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -31,6 +31,7 @@
 // Copyright (C) 2013 Adam Reichold <[email protected]>
 // Copyright (C) 2013 Pino Toscano <[email protected]>
 // Copyright (C) 2015 Suzuki Toshiya <[email protected]>
+// Copyright (C) 2015 Jason Crain <[email protected]>
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -340,13 +341,8 @@ Stream *Stream::makeFilter(char *name, Stream *str, Object *params, int recursio
 } else if (!strcmp(name, "JBIG2Decode")) {
 if (params->isDict()) {
 XRef *xref = params->getDict()->getXRef();
- params->dictLookupNF("JBIG2Globals", &globals);
- while (globals.isRef()) {
- obj.free();
- globals.copy(&obj);
- globals.free();
- obj.fetch(xref, &globals);
- }
+ params->dictLookupNF("JBIG2Globals", &obj);
+ obj.fetch(xref, &globals, recursion);
 }
 str = new JBIG2Stream(str, &globals, &obj);
 globals.free();
_______________________________________________ poppler mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/poppler
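Review bot: In the JBIG2Decode branch of the second hunk, `globals` goes straight from the single `obj.fetch(xref, &globals, recursion);` into `new JBIG2Stream(str, &globals, &obj)` with no check on what the fetch returned. With the lookup loop gone, `globals` can now be something other than a stream, for example still a reference, or whatever a fetch stopped by the recursion limit produces. Presumably the JBIG2Stream constructor tolerates that, but it is not visible here, so the assumption should be written down above the fetch: `// Single fetch on purpose: chained references are not allowed by the spec and looping here could spin forever; globals may be a non-stream object, which JBIG2Stream must treat as "no globals".` It is also worth confirming that passing `recursion` unchanged rather than `recursion + 1` still advances the depth counter on every pass through this path, since any increment happens outside the hunk. makeFilter's body starts and ends outside the hunk, so the cleanup of `obj` after the constructor call cannot be checked from here either.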
