blob: 7f2262c4c58b7dd3a4ec8f5e3e4b17fee15e52bf (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
From ec8a43c8df29fdd6f1228276160898ccd9401c92 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Sat, 4 Jul 2020 00:08:55 +0200
Subject: [PATCH] Fix stack overflow with specially crafted files
The file is not malformed per se, it just has a huge XRefStm chain
and we end up exhausting the stack space trying to parse them all.
Having more than 4096 XRefStm seems like won't really happen on real
life so break the flow at that point
Fixes #936
---
poppler/XRef.cc | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/poppler/XRef.cc b/poppler/XRef.cc
index 5943bdd..fe8936e 100644
--- a/poppler/XRef.cc
+++ b/poppler/XRef.cc
@@ -633,6 +633,12 @@ bool XRef::readXRefTable(Parser *parser, Goffset *pos, std::vector<Goffset> *fol
ok = false;
}
}
+ // Arbitrary limit because otherwise we exhaust the stack
+ // calling readXRef + readXRefTable
+ if (followedXRefStm->size() > 4096) {
+ error(errSyntaxError, -1, "File has more than 4096 XRefStm, aborting");
+ ok = false;
+ }
if (ok) {
followedXRefStm->push_back(pos2);
readXRef(&pos2, followedXRefStm, xrefStreamObjsNum);
--
2.33.0
|
