author | Jay Berkenbilt <ejb@ql.org> | 2017-07-25 16:21:27 +0200 |
---|---|---|
committer | Jay Berkenbilt <ejb@ql.org> | 2017-07-26 12:24:07 +0200 |
commit | 315092dd98d5230ef0efa18b294d464d0e9f79d0 (patch) | |
tree | c0031a373dd87c04d2d34f2fbcd7602b344c4ac2 /libqpdf | |
parent | 603f222365252f1a1e20303b3dbe52466be3053b (diff) | |
download | qpdf-315092dd98d5230ef0efa18b294d464d0e9f79d0.tar.zst |
Avoid xref reconstruction infinite loop (fixes #100)
This is CVE-2017-9209.
Diffstat (limited to 'libqpdf')
-rw-r--r-- | libqpdf/QPDF.cc | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index b8a1601c..a50c87ad 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -93,6 +93,7 @@ QPDF::QPDF() :
 cached_key_generation(0),
 pushed_inherited_attributes_to_pages(false),
 copied_stream_data_provider(0),
+ reconstructed_xref(false),
 first_xref_item_offset(0),
 uncompressed_after_compressed(false)
 {
@@ -331,6 +332,15 @@ QPDF::setTrailer(QPDFObjectHandle obj)
 void
 QPDF::reconstruct_xref(QPDFExc& e)
 {
+ if (this->reconstructed_xref)
+ {
+ // Avoid xref reconstruction infinite loops
+ QTC::TC("qpdf", "QPDF caught recursive xref reconstruction");
+ throw e;
+ }
+
+ this->reconstructed_xref = true;
+
 PCRE obj_re("^\\s*(\\d+)\\s+(\\d+)\\s+obj\\b");
 PCRE endobj_re("^\\s*endobj\\b");
 PCRE trailer_re("^\\s*trailer\\b"); |
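Review bot: The guard at the top of `QPDF::reconstruct_xref` is a one-shot latch rather than a re-entrancy check: `reconstructed_xref` is set to true and nothing in the visible hunks clears it, so any later reconstruction request on the same QPDF object rethrows, nested or not. That may well be the intended policy for damaged input, but the comment should say so, for example `// Reconstruction is attempted at most once per QPDF object; a second request means the rebuilt table is itself unusable, so rethrow the triggering error.` The rethrown exception is the caller's `e` unchanged, so a consumer or log reader cannot tell that a reconstruction had already been attempted; a short warning or an amended message at this point would make malformed-file triage easier. Separately, `throw e;` copies through the static type `QPDFExc`, which would slice if a derived exception were ever passed in. The body of `reconstruct_xref` continues past the end of the hunk, so how the flag interacts with the rest of the function is not visible here.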