Detect xref pointer infinite loop (fixes #149)

author: Jay Berkenbilt <ejb@ql.org> 2017-08-26 01:58:31 +0200
committer: Jay Berkenbilt <ejb@ql.org> 2017-08-26 01:58:31 +0200
commit: 85f05cc57ffa0a863d9d9b23e73acea9410b2937 (patch)
tree: 20fd436119a92c2d611c698c17cc0f568b7a496d /libqpdf
parent: 2d0c68735b52d33e071f2895309c4dc6944b464d (diff)
download: qpdf-85f05cc57ffa0a863d9d9b23e73acea9410b2937.tar.zst
1 files changed, 6 insertions, 0 deletions
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index 27efdd55..86e798ee 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -491,8 +491,10 @@ void
 QPDF::read_xref(qpdf_offset_t xref_offset)
 {
     std::map<int, int> free_table;
+    std::set<qpdf_offset_t> visited;
     while (xref_offset)
     {
+        visited.insert(xref_offset);
         char buf[7];
         memset(buf, 0, sizeof(buf));
 	this->m->file->seek(xref_offset, SEEK_SET);
@@ -520,6 +522,10 @@ QPDF::read_xref(qpdf_offset_t xref_offset)
 	{
 	    xref_offset = read_xrefStream(xref_offset);
 	}
+        if (visited.count(xref_offset) != 0)
+        {
+            xref_offset = 0;
+        }
     }
 
     if (! this->m->trailer.isInitialized())
author	Jay Berkenbilt <ejb@ql.org>	2017-08-26 01:58:31 +0200
committer	Jay Berkenbilt <ejb@ql.org>	2017-08-26 01:58:31 +0200
commit	85f05cc57ffa0a863d9d9b23e73acea9410b2937 (patch)
tree	20fd436119a92c2d611c698c17cc0f568b7a496d /libqpdf
parent	2d0c68735b52d33e071f2895309c4dc6944b464d (diff)
download	qpdf-85f05cc57ffa0a863d9d9b23e73acea9410b2937.tar.zst