poppler/Catalog.cc | 20 ++++++++++++++------ poppler/Catalog.h | 4 ++-- 2 files changed, 16 insertions(+), 8 deletions(-)
New commits: commit ebb77e7a1fbb83c3ab7f9cd948d950bb5243f7c3 Author: Albert Astals Cid <[email protected]> Date: Wed Jun 17 22:39:47 2020 +0200 Fix infinite loop in broken file oss-fuzz/23515 diff --git a/poppler/Catalog.cc b/poppler/Catalog.cc index a4d1edf5..59ddbfec 100644 --- a/poppler/Catalog.cc +++ b/poppler/Catalog.cc @@ -677,7 +677,7 @@ void NameTree::init(XRef *xrefA, Object *tree) { } } -void NameTree::parse(Object *tree, std::set<int> &seen) { +void NameTree::parse(const Object *tree, std::set<int> &seen) { if (!tree->isDict()) return; @@ -693,19 +693,27 @@ void NameTree::parse(Object *tree, std::set<int> &seen) { } // root or intermediate node - Object kids = tree->dictLookup("Kids"); + Ref ref; + const Object kids = tree->getDict()->lookup("Kids", &ref); + if (ref != Ref::INVALID()) { + const int numObj = ref.num; + if (seen.find(numObj) != seen.end()) { + error(errSyntaxError, -1, "loop in NameTree (numObj: {0:d})", numObj); + return; + } + seen.insert(numObj); + } if (kids.isArray()) { for (int i = 0; i < kids.arrayGetLength(); ++i) { - const Object &kidRef = kids.arrayGetNF(i); - if (kidRef.isRef()) { - const int numObj = kidRef.getRef().num; + const Object kid = kids.getArray()->get(i, &ref); + if (ref != Ref::INVALID()) { + const int numObj = ref.num; if (seen.find(numObj) != seen.end()) { error(errSyntaxError, -1, "loop in NameTree (numObj: {0:d})", numObj); continue; } seen.insert(numObj); } - Object kid = kids.arrayGet(i); if (kid.isDict()) parse(&kid, seen); } diff --git a/poppler/Catalog.h b/poppler/Catalog.h index a15dab28..7e9f237c 100644 --- a/poppler/Catalog.h +++ b/poppler/Catalog.h @@ -14,7 +14,7 @@ // under GPL version 2 or later // // Copyright (C) 2005 Kristian Høgsberg <[email protected]> -// Copyright (C) 2005, 2007, 2009-2011, 2013, 2017-2019 Albert Astals Cid <[email protected]> +// Copyright (C) 2005, 2007, 2009-2011, 2013, 2017-2020 Albert Astals Cid <[email protected]> // Copyright (C) 2005 Jonathan Blandford <[email protected]> // Copyright (C) 2005, 2006, 2008 Brad Hards <[email protected]> // Copyright (C) 2007 Julien Rebetez <[email protected]> @@ -87,7 +87,7 @@ private: static int cmp(const void *key, const void *entry); }; - void parse(Object *tree, std::set<int> &seen); + void parse(const Object *tree, std::set<int> &seen); void addEntry(Entry *entry); XRef *xref; _______________________________________________ poppler mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/poppler
