diff options
| author | m-holger <m-holger@kubitscheck.org> | 2024-01-17 14:15:13 +0100 |
|---|---|---|
| committer | m-holger <m-holger@kubitscheck.org> | 2024-01-17 14:15:13 +0100 |
| commit | ed43691bf3e1da1cefb7a4618cb809684040dd65 (patch) | |
| tree | 89817345d127e2adf08f2e1ad90b1489454573fd | |
| parent | 6e3b7982dbcf8087374694253e0e248fbc6c6e3e (diff) | |
| download | qpdf-ed43691bf3e1da1cefb7a4618cb809684040dd65.tar.zst | |
Tighten checks for invalid indirect references in QPDFParser
| -rw-r--r-- | libqpdf/QPDFParser.cc | 11 | ||||
| -rw-r--r-- | qpdf/qpdf.testcov | 2 | ||||
| -rw-r--r-- | qpdf/test_driver.cc | 4 |
3 files changed, 10 insertions, 7 deletions
diff --git a/libqpdf/QPDFParser.cc b/libqpdf/QPDFParser.cc index 32c4f8e9..2551cf93 100644 --- a/libqpdf/QPDFParser.cc +++ b/libqpdf/QPDFParser.cc @@ -163,16 +163,15 @@ QPDFParser::parseRemainder(bool content_stream) throw std::logic_error("QPDFParser::parse called without context on an object " "with indirect references"); } - auto ref_og = QPDFObjGen( - QIntC::to_int(int_buffer[(int_count - 1) % 2]), - QIntC::to_int(int_buffer[(int_count) % 2])); - if (ref_og.isIndirect()) { + auto id = QIntC::to_int(int_buffer[(int_count - 1) % 2]); + auto gen = QIntC::to_int(int_buffer[(int_count) % 2]); + if (!(id < 1 || gen < 0 || gen >= 65535)) { // This action has the desirable side effect of causing dangling references // (references to indirect objects that don't appear in the PDF) in any parsed // object to appear in the object cache. - add(std::move(context->getObject(ref_og).obj)); + add(std::move(context->getObject(id, gen).obj)); } else { - QTC::TC("qpdf", "QPDFParser indirect with 0 objid"); + QTC::TC("qpdf", "QPDFParser invalid objgen"); addNull(); } int_count = 0; diff --git a/qpdf/qpdf.testcov b/qpdf/qpdf.testcov index 6d0f8a4b..e7b6a8a2 100644 --- a/qpdf/qpdf.testcov +++ b/qpdf/qpdf.testcov @@ -256,7 +256,7 @@ QPDFWriter standard deterministic ID 1 QPDFWriter linearized deterministic ID 1 QPDFWriter deterministic with no data 0 qpdf-c called qpdf_set_deterministic_ID 0 -QPDFParser indirect with 0 objid 0 +QPDFParser invalid objgen 0 QPDF object id 0 0 QPDF recursion loop in resolve 0 QPDFParser treat word as string 0 diff --git a/qpdf/test_driver.cc b/qpdf/test_driver.cc index 472a96a1..28d8062c 100644 --- a/qpdf/test_driver.cc +++ b/qpdf/test_driver.cc @@ -1202,6 +1202,10 @@ test_31(QPDF& pdf, char const* arg2) assert(QPDFObjectHandle::parse(&pdf, ">>").unparse() == "null"); // TC:QPDFParser eof in parse assert(QPDFObjectHandle::parse(&pdf, "[7 0 R]").getArrayItem(0).isNull()); + // TC:QPDFParser invalid objgen + assert( + QPDFObjectHandle::parse(&pdf, "[0 0 R -1 0 R 1 65535 R 1 100000 R 1 -1 R]").unparse() == + "[ null null null null null ]"); } static void |