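--- qpdf-7.1.1/libqpdf/QPDFObjectHandle.cc.CVE-2018-9918 2018-02-05 00:31:42.000000000 +0100
+++ qpdf-7.1.1/libqpdf/QPDFObjectHandle.cc 2018-04-16 15:35:36.378343714 +0200
@@ -1054,12 +1054,26 @@ QPDFObjectHandle::parseInternal(PointerH
 
 case QPDFTokenizer::tt_array_open:
 case QPDFTokenizer::tt_dict_open:
- olist_stack.push_back(std::vector<QPDFObjectHandle>());
- state = st_start;
- offset_stack.push_back(input->tell());
- state_stack.push_back(
- (token.getType() == QPDFTokenizer::tt_array_open) ?
- st_array : st_dictionary);
+ if (olist_stack.size() > 500)
+ {
+ QTC::TC("qpdf", "QPDFObjectHandle too deep");
+ warn(context,
+ QPDFExc(qpdf_e_damaged_pdf, input->getName(),
+ object_description,
+ input->getLastOffset(),
+ "ignoring excessively deeply nested data structure"));
+ object = newNull();
+ state = st_top;
+ }
+ else
+ {
+ olist_stack.push_back(std::vector<QPDFObjectHandle>());
+ state = st_start;
+ offset_stack.push_back(input->tell());
+ state_stack.push_back(
+ (token.getType() == QPDFTokenizer::tt_array_open) ?
+ st_array : st_dictionary);
+ }
 break;
 
 case QPDFTokenizer::tt_bool: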
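Review bot: The nesting limit in the new `if (olist_stack.size() > 500)` branch is a bare literal with no comment explaining why 500 was chosen or what it protects, and because the test runs before the push the stack can still grow to 501 entries. A named constant would make the bound auditable and the intended depth explicit, for example `static size_t const max_nesting_depth = 500; // cap on nested arrays/dictionaries in one direct object`, with the comparison written against it. On the reject path, `object = newNull(); state = st_top;` leaves `olist_stack`, `offset_stack` and `state_stack` populated; whether they are discarded cleanly depends on the part of `parseInternal` outside this hunk, so that is worth confirming. The function starts and ends outside the hunk.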
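--- qpdf-7.1.1/qpdf/qpdf.testcov.CVE-2018-9918 2018-02-05 00:31:42.000000000 +0100
+++ qpdf-7.1.1/qpdf/qpdf.testcov 2018-04-16 15:35:36.379343705 +0200
@@ -302,3 +302,4 @@ qpdf-c called qpdf_set_compress_streams
 qpdf-c called qpdf_set_preserve_unreferenced_objects 0
 qpdf-c called qpdf_set_newline_before_endstream 0
 QPDF_Stream TIFF predictor 0
+QPDFObjectHandle too deep 0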
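--- qpdf-7.1.1/qpdf/qtest/qpdf/issue-146.out.CVE-2018-9918 2018-02-05 00:31:42.000000000 +0100
+++ qpdf-7.1.1/qpdf/qtest/qpdf/issue-146.out 2018-04-16 15:53:17.499476948 +0200
@@ -1,5 +1,5 @@
 WARNING: issue-146.pdf: file is damaged
 WARNING: issue-146.pdf: can't find startxref
 WARNING: issue-146.pdf: Attempting to reconstruct cross-reference table
-WARNING: issue-146.pdf (trailer, file position 20728): unknown token while reading object; treating as string
-issue-146.pdf (trailer, file position 20732): EOF while reading token
+WARNING: issue-146.pdf (trailer, file position 695): ignoring excessively deeply nested data structure
+issue-146.pdf: unable to find trailer dictionary while recovering damaged file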