poppler/Catalog.cc | 16 +++++++++++++--- poppler/Catalog.h | 2 +- 2 files changed, 14 insertions(+), 4 deletions(-)
New commits: commit 267ff8af69ae7e8526d9bfe5063207c87a9b70b5 Author: Albert Astals Cid <[email protected]> Date: Sat Sep 2 13:27:33 2017 +0200 Fix infinite recursion in NameTree parsing in broken files diff --git a/poppler/Catalog.cc b/poppler/Catalog.cc index 6c820c66..8e8b979e 100644 --- a/poppler/Catalog.cc +++ b/poppler/Catalog.cc @@ -634,13 +634,14 @@ int NameTree::Entry::cmpEntry(const void *voidEntry, const void *voidOtherEntry) void NameTree::init(XRef *xrefA, Object *tree) { xref = xrefA; - parse(tree); + std::set<int> seen; + parse(tree, seen); if (entries && length > 0) { qsort(entries, length, sizeof(Entry *), Entry::cmpEntry); } } -void NameTree::parse(Object *tree) { +void NameTree::parse(Object *tree, std::set<int> &seen) { if (!tree->isDict()) return; @@ -659,9 +660,18 @@ void NameTree::parse(Object *tree) { Object kids = tree->dictLookup("Kids"); if (kids.isArray()) { for (int i = 0; i < kids.arrayGetLength(); ++i) { + Object kidRef = kids.arrayGetNF(i); + if (kidRef.isRef()) { + const int numObj = kidRef.getRef().num; + if (seen.find(numObj) != seen.end()) { + error(errSyntaxError, -1, "loop in NameTree (numObj: {0:d})", numObj); + continue; + } + seen.insert(numObj); + } Object kid = kids.arrayGet(i); if (kid.isDict()) - parse(&kid); + parse(&kid, seen); } } } diff --git a/poppler/Catalog.h b/poppler/Catalog.h index c8b501a1..37d6e1ec 100644 --- a/poppler/Catalog.h +++ b/poppler/Catalog.h @@ -86,7 +86,7 @@ private: static int cmp(const void *key, const void *entry); }; - void parse(Object *tree); + void parse(Object *tree, std::set<int> &seen); void addEntry(Entry *entry); XRef *xref; _______________________________________________ poppler mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/poppler
