Avoid xref reconstruction infinite loop (fixes #100)

This is CVE-2017-9209.
author: Jay Berkenbilt <ejb@ql.org> 2017-07-25 16:21:27 +0200
committer: Jay Berkenbilt <ejb@ql.org> 2017-07-26 12:24:07 +0200
commit: 315092dd98d5230ef0efa18b294d464d0e9f79d0 (patch)
tree: c0031a373dd87c04d2d34f2fbcd7602b344c4ac2 /libqpdf
parent: 603f222365252f1a1e20303b3dbe52466be3053b (diff)
download: qpdf-315092dd98d5230ef0efa18b294d464d0e9f79d0.tar.zst
1 files changed, 10 insertions, 0 deletions
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index b8a1601c..a50c87ad 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -93,6 +93,7 @@ QPDF::QPDF() :
     cached_key_generation(0),
     pushed_inherited_attributes_to_pages(false),
     copied_stream_data_provider(0),
+    reconstructed_xref(false),
     first_xref_item_offset(0),
     uncompressed_after_compressed(false)
 {
@@ -331,6 +332,15 @@ QPDF::setTrailer(QPDFObjectHandle obj)
 void
 QPDF::reconstruct_xref(QPDFExc& e)
 {
+    if (this->reconstructed_xref)
+    {
+        // Avoid xref reconstruction infinite loops
+        QTC::TC("qpdf", "QPDF caught recursive xref reconstruction");
+        throw e;
+    }
+
+    this->reconstructed_xref = true;
+
     PCRE obj_re("^\\s*(\\d+)\\s+(\\d+)\\s+obj\\b");
     PCRE endobj_re("^\\s*endobj\\b");
     PCRE trailer_re("^\\s*trailer\\b");
author	Jay Berkenbilt <ejb@ql.org>	2017-07-25 16:21:27 +0200
committer	Jay Berkenbilt <ejb@ql.org>	2017-07-26 12:24:07 +0200
commit	315092dd98d5230ef0efa18b294d464d0e9f79d0 (patch)
tree	c0031a373dd87c04d2d34f2fbcd7602b344c4ac2 /libqpdf
parent	603f222365252f1a1e20303b3dbe52466be3053b (diff)
download	qpdf-315092dd98d5230ef0efa18b294d464d0e9f79d0.tar.zst