Handle object ID 0 (fixes #99)

This is CVE-2017-9208. The QPDF library uses object ID 0 internally as a sentinel to represent a direct object, but prior to this fix, was not blocking handling of 0 0 obj or 0 0 R as a special case. Creating an object in the file with 0 0 obj could cause various infinite loops. The PDF spec doesn't allow for object 0. Having qpdf handle object 0 might be a better fix, but changing all the places in the code that assumes objid == 0 means direct would be risky.
author: Jay Berkenbilt <ejb@ql.org> 2017-07-26 10:30:32 +0200
committer: Jay Berkenbilt <ejb@ql.org> 2017-07-26 12:24:07 +0200
commit: afe0242b263a9e1a8d51dd81e42ab6de2e5127eb (patch)
tree: 959baca5eaaac2e775aee3faa35ec52a29aa81ab /libqpdf/QPDF.cc
parent: 315092dd98d5230ef0efa18b294d464d0e9f79d0 (diff)
download: qpdf-afe0242b263a9e1a8d51dd81e42ab6de2e5127eb.tar.zst
1 files changed, 8 insertions, 0 deletions
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index a50c87ad..846f188f 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -1350,6 +1350,14 @@ QPDF::readObjectAtOffset(bool try_recovery,
 	objid = atoi(tobjid.getValue().c_str());
 	generation = atoi(tgen.getValue().c_str());
 
+        if (objid == 0)
+        {
+            QTC::TC("qpdf", "QPDF object id 0");
+            throw QPDFExc(qpdf_e_damaged_pdf, this->file->getName(),
+                          this->last_object_description, offset,
+                          "object with ID 0");
+        }
+
 	if ((exp_objid >= 0) &&
 	    (! ((objid == exp_objid) && (generation == exp_generation))))
 	{
author	Jay Berkenbilt <ejb@ql.org>	2017-07-26 10:30:32 +0200
committer	Jay Berkenbilt <ejb@ql.org>	2017-07-26 12:24:07 +0200
commit	afe0242b263a9e1a8d51dd81e42ab6de2e5127eb (patch)
tree	959baca5eaaac2e775aee3faa35ec52a29aa81ab /libqpdf/QPDF.cc
parent	315092dd98d5230ef0efa18b294d464d0e9f79d0 (diff)
download	qpdf-afe0242b263a9e1a8d51dd81e42ab6de2e5127eb.tar.zst