aboutsummaryrefslogtreecommitdiffstats
path: root/libqpdf
diff options
context:
space:
mode:
authorJay Berkenbilt <ejb@ql.org>2018-04-15 22:11:22 +0200
committerJay Berkenbilt <ejb@ql.org>2018-04-15 22:11:22 +0200
commitb4d6cf6836ce025ba1811b7bbec52680c7204223 (patch)
tree289fec3388557b46007a5fbb66c03435e4f22b33 /libqpdf
parentf8c8e4dcc0f45779dcb93de6f417a2c189d5c157 (diff)
downloadqpdf-b4d6cf6836ce025ba1811b7bbec52680c7204223.tar.zst
Limit depth of nesting in direct objects (fixes #202)
This fixes CVE-2018-9918.
Diffstat (limited to 'libqpdf')
-rw-r--r--libqpdf/QPDFObjectHandle.cc26
1 files changed, 20 insertions, 6 deletions
diff --git a/libqpdf/QPDFObjectHandle.cc b/libqpdf/QPDFObjectHandle.cc
index c178a492..149668eb 100644
--- a/libqpdf/QPDFObjectHandle.cc
+++ b/libqpdf/QPDFObjectHandle.cc
@@ -1487,12 +1487,26 @@ QPDFObjectHandle::parseInternal(PointerHolder<InputSource> input,
case QPDFTokenizer::tt_array_open:
case QPDFTokenizer::tt_dict_open:
- olist_stack.push_back(std::vector<QPDFObjectHandle>());
- state = st_start;
- offset_stack.push_back(input->tell());
- state_stack.push_back(
- (token.getType() == QPDFTokenizer::tt_array_open) ?
- st_array : st_dictionary);
+ if (olist_stack.size() > 500)
+ {
+ QTC::TC("qpdf", "QPDFObjectHandle too deep");
+ warn(context,
+ QPDFExc(qpdf_e_damaged_pdf, input->getName(),
+ object_description,
+ input->getLastOffset(),
+ "ignoring excessively deeply nested data structure"));
+ object = newNull();
+ state = st_top;
+ }
+ else
+ {
+ olist_stack.push_back(std::vector<QPDFObjectHandle>());
+ state = st_start;
+ offset_stack.push_back(input->tell());
+ state_stack.push_back(
+ (token.getType() == QPDFTokenizer::tt_array_open) ?
+ st_array : st_dictionary);
+ }
break;
case QPDFTokenizer::tt_bool:
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-03 19:38:41 +0200