|
 |
76f8c5 |
From 39a251b1b3a3343400a08e2f03c5518a26624626 Mon Sep 17 00:00:00 2001
|
|
|
76f8c5 |
From: Adam Reichold <adam.reichold@t-online.de>
|
|
|
76f8c5 |
Date: Mon, 24 Dec 2018 15:40:38 +0100
|
|
|
76f8c5 |
Subject: [PATCH] Do not try to parse into unallocated XRef entry and return
|
|
|
76f8c5 |
pointer to dummy entry instead. Closes #692 and oss-fuzz/12330
|
|
|
76f8c5 |
|
|
|
76f8c5 |
---
|
|
|
76f8c5 |
poppler/XRef.cc | 27 +++++++++++++++++++++------
|
|
|
76f8c5 |
1 file changed, 21 insertions(+), 6 deletions(-)
|
|
|
76f8c5 |
|
|
|
76f8c5 |
diff --git a/poppler/XRef.cc b/poppler/XRef.cc
|
|
|
76f8c5 |
index 0ec66944..d042d1f4 100644
|
|
|
76f8c5 |
--- a/poppler/XRef.cc
|
|
|
76f8c5 |
+++ b/poppler/XRef.cc
|
|
|
76f8c5 |
@@ -1548,11 +1548,31 @@ void XRef::readXRefUntil(int untilEntryNum, std::vector<int> *xrefStreamObjsNum)
|
|
|
76f8c5 |
}
|
|
|
76f8c5 |
}
|
|
|
76f8c5 |
|
|
|
76f8c5 |
+namespace {
|
|
|
76f8c5 |
+
|
|
|
76f8c5 |
+struct DummyXRefEntry : XRefEntry {
|
|
|
76f8c5 |
+ DummyXRefEntry() {
|
|
|
76f8c5 |
+ offset = 0;
|
|
|
76f8c5 |
+ gen = -1;
|
|
|
76f8c5 |
+ type = xrefEntryNone;
|
|
|
76f8c5 |
+ flags = 0;
|
|
|
76f8c5 |
+ }
|
|
|
76f8c5 |
+};
|
|
|
76f8c5 |
+
|
|
|
76f8c5 |
+DummyXRefEntry dummyXRefEntry;
|
|
|
76f8c5 |
+
|
|
|
76f8c5 |
+}
|
|
|
76f8c5 |
+
|
|
|
76f8c5 |
XRefEntry *XRef::getEntry(int i, GBool complainIfMissing)
|
|
|
76f8c5 |
{
|
|
|
76f8c5 |
if (i >= size || entries[i].type == xrefEntryNone) {
|
|
|
76f8c5 |
|
|
|
76f8c5 |
if ((!xRefStream) && mainXRefEntriesOffset) {
|
|
|
76f8c5 |
+ if (unlikely(i >= capacity)) {
|
|
|
76f8c5 |
+ error(errInternal, -1, "Request for out-of-bounds XRef entry [{0:d}]", i);
|
|
|
76f8c5 |
+ return &dummyXRefEntry;
|
|
|
76f8c5 |
+ }
|
|
|
76f8c5 |
+
|
|
|
76f8c5 |
if (!parseEntry(mainXRefEntriesOffset + 20*i, &entries[i])) {
|
|
|
76f8c5 |
error(errSyntaxError, -1, "Failed to parse XRef entry [{0:d}].", i);
|
|
|
76f8c5 |
}
|
|
|
76f8c5 |
@@ -1563,12 +1583,7 @@ XRefEntry *XRef::getEntry(int i, bool complainIfMissing)
|
|
|
76f8c5 |
// We might have reconstructed the xref
|
|
|
76f8c5 |
// Check again i is in bounds
|
|
|
76f8c5 |
if (unlikely(i >= size)) {
|
|
|
76f8c5 |
- static XRefEntry dummy;
|
|
|
76f8c5 |
- dummy.offset = 0;
|
|
|
76f8c5 |
- dummy.gen = -1;
|
|
|
76f8c5 |
- dummy.type = xrefEntryNone;
|
|
|
76f8c5 |
- dummy.flags = 0;
|
|
|
76f8c5 |
- return &dummy;
|
|
|
76f8c5 |
+ return &dummyXRefEntry;
|
|
|
76f8c5 |
}
|
|
|
76f8c5 |
|
|
|
76f8c5 |
if (entries[i].type == xrefEntryNone) {
|
|
|
76f8c5 |
--
|
|
|
76f8c5 |
2.20.1
|
|
|
76f8c5 |
|