From afe0242b263a9e1a8d51dd81e42ab6de2e5127eb Mon Sep 17 00:00:00 2001 From: Jay Berkenbilt Date: Wed, 26 Jul 2017 04:30:32 -0400 Subject: Handle object ID 0 (fixes #99) This is CVE-2017-9208. The QPDF library uses object ID 0 internally as a sentinel to represent a direct object, but prior to this fix, was not blocking handling of 0 0 obj or 0 0 R as a special case. Creating an object in the file with 0 0 obj could cause various infinite loops. The PDF spec doesn't allow for object 0. Having qpdf handle object 0 might be a better fix, but changing all the places in the code that assumes objid == 0 means direct would be risky. --- libqpdf/QPDFObjectHandle.cc | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'libqpdf/QPDFObjectHandle.cc') diff --git a/libqpdf/QPDFObjectHandle.cc b/libqpdf/QPDFObjectHandle.cc index 687ba439..cd3084cb 100644 --- a/libqpdf/QPDFObjectHandle.cc +++ b/libqpdf/QPDFObjectHandle.cc @@ -1089,6 +1089,16 @@ QPDFObjectHandle::parseInternal(PointerHolder input, QPDFObjectHandle QPDFObjectHandle::newIndirect(QPDF* qpdf, int objid, int generation) { + if (objid == 0) + { + // Special case: QPDF uses objid 0 as a sentinel for direct + // objects, and the PDF specification doesn't allow for object + // 0. Treat indirect references to object 0 as null so that we + // never create an indirect object with objid 0. + QTC::TC("qpdf", "QPDFObjectHandle indirect with 0 objid"); + return newNull(); + } + return QPDFObjectHandle(qpdf, objid, generation); } -- cgit v1.2.3-54-g00ecf