From 315092dd98d5230ef0efa18b294d464d0e9f79d0 Mon Sep 17 00:00:00 2001
From: Jay Berkenbilt
Date: Tue, 25 Jul 2017 10:21:27 -0400
Subject: Avoid xref reconstruction infinite loop (fixes #100)

This is CVE-2017-9209.
---
 libqpdf/QPDF.cc | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'libqpdf')

diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index b8a1601c..a50c87ad 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -93,6 +93,7 @@ QPDF::QPDF() :
 cached_key_generation(0),
 pushed_inherited_attributes_to_pages(false),
 copied_stream_data_provider(0),
+ reconstructed_xref(false),
 first_xref_item_offset(0),
 uncompressed_after_compressed(false)
 {
@@ -331,6 +332,15 @@ QPDF::setTrailer(QPDFObjectHandle obj)
 void
 QPDF::reconstruct_xref(QPDFExc& e)
 {
+ if (this->reconstructed_xref)
+ {
+ // Avoid xref reconstruction infinite loops
+ QTC::TC("qpdf", "QPDF caught recursive xref reconstruction");
+ throw e;
+ }
+
+ this->reconstructed_xref = true;
+
 PCRE obj_re("^\\s*(\\d+)\\s+(\\d+)\\s+obj\\b");
 PCRE endobj_re("^\\s*endobj\\b");
 PCRE trailer_re("^\\s*trailer\\b");
-- 
cgit v1.2.3-54-g00ecf
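Review bot: The guard added at the top of `QPDF::reconstruct_xref` makes reconstruction a one-shot operation for the lifetime of the object, but the comment only says "Avoid xref reconstruction infinite loops" and does not record that `reconstructed_xref` is never cleared in the lines shown. Because this is the fix for a denial of service on crafted input (CVE-2017-9209), I would state the invariant so a later change does not reset the flag and reopen the loop, e.g. `// Reconstruct at most once per QPDF object: a second request means the rebuilt table is still unusable, so rethrow the caller's error instead of looping.` Note also that `throw e;` throws a copy with static type `QPDFExc`, so it would slice if a derived exception type were ever passed in; that looks fine with what is visible here but deserves a word in the comment. The function body continues past the end of the hunk, and the member's declaration is outside the shown diff.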