summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlbert Astals Cid <aacid@kde.org>2017-06-17 17:47:23 +0200
committerAlbert Astals Cid <aacid@kde.org>2017-06-21 22:31:19 +0200
commit17e4111da1ae5c9798ca0c040bf75c01bbb72a8a (patch)
tree4b99ba61f99b2836b1a50d9f755a28b646fa111c
parent8e1a2474c5513f7b2f4718258ca90e2d6e03f127 (diff)
Break earlier on reaching recursion limit
Bug #101379
-rw-r--r--poppler/Parser.cc15
1 files changed, 12 insertions, 3 deletions
diff --git a/poppler/Parser.cc b/poppler/Parser.cc
index 28a54607..8079ca1d 100644
--- a/poppler/Parser.cc
+++ b/poppler/Parser.cc
@@ -13,7 +13,7 @@
// All changes made under the Poppler project to this file are licensed
// under GPL version 2 or later
//
-// Copyright (C) 2006, 2009, 201, 2010, 2013, 2014 Albert Astals Cid <aacid@kde.org>
+// Copyright (C) 2006, 2009, 201, 2010, 2013, 2014, 2017 Albert Astals Cid <aacid@kde.org>
// Copyright (C) 2006 Krzysztof Kowalczyk <kkowalczyk@gmail.com>
// Copyright (C) 2009 Ilya Gorenbein <igorenbein@finjan.com>
// Copyright (C) 2012 Hib Eris <hib@hiberis.nl>
@@ -87,8 +87,14 @@ Object *Parser::getObj(Object *obj, GBool simpleOnly,
inlineImg = 0;
}
+ if (unlikely(recursion >= recursionLimit)) {
+ obj->free();
+ obj->initError();
+ return obj;
+ }
+
// array
- if (!simpleOnly && likely(recursion < recursionLimit) && buf1.isCmd("[")) {
+ if (!simpleOnly && buf1.isCmd("[")) {
shift();
obj->initArray(xref);
while (!buf1.isCmd("]") && !buf1.isEOF())
@@ -101,7 +107,7 @@ Object *Parser::getObj(Object *obj, GBool simpleOnly,
shift();
// dictionary or stream
- } else if (!simpleOnly && likely(recursion < recursionLimit) && buf1.isCmd("<<")) {
+ } else if (!simpleOnly && buf1.isCmd("<<")) {
shift(objNum);
obj->initDict(xref);
while (!buf1.isCmd(">>") && !buf1.isEOF()) {
@@ -119,6 +125,9 @@ Object *Parser::getObj(Object *obj, GBool simpleOnly,
break;
}
obj->dictAdd(key, getObj(&obj2, gFalse, fileKey, encAlgorithm, keyLength, objNum, objGen, recursion + 1));
+ if (unlikely(obj2.isError() && recursion + 1 >= recursionLimit)) {
+ break;
+ }
}
}
if (buf1.isEOF()) {