summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlbert Astals Cid <aacid@kde.org>2020-06-17 22:39:47 +0200
committerAlbert Astals Cid <tsdgeos@yahoo.es>2020-06-21 22:05:55 +0000
commitebb77e7a1fbb83c3ab7f9cd948d950bb5243f7c3 (patch)
tree43dec4e4e7c5b6533e3541a06fc689504f9a6f8c
parent1460bb960276ef5f62d08fa077515e628a91880d (diff)
Fix infinite loop in broken file
oss-fuzz/23515
-rw-r--r--poppler/Catalog.cc20
-rw-r--r--poppler/Catalog.h4
2 files changed, 16 insertions, 8 deletions
diff --git a/poppler/Catalog.cc b/poppler/Catalog.cc
index a4d1edf5..59ddbfec 100644
--- a/poppler/Catalog.cc
+++ b/poppler/Catalog.cc
@@ -677,7 +677,7 @@ void NameTree::init(XRef *xrefA, Object *tree) {
}
}
-void NameTree::parse(Object *tree, std::set<int> &seen) {
+void NameTree::parse(const Object *tree, std::set<int> &seen) {
if (!tree->isDict())
return;
@@ -693,19 +693,27 @@ void NameTree::parse(Object *tree, std::set<int> &seen) {
}
// root or intermediate node
- Object kids = tree->dictLookup("Kids");
+ Ref ref;
+ const Object kids = tree->getDict()->lookup("Kids", &ref);
+ if (ref != Ref::INVALID()) {
+ const int numObj = ref.num;
+ if (seen.find(numObj) != seen.end()) {
+ error(errSyntaxError, -1, "loop in NameTree (numObj: {0:d})", numObj);
+ return;
+ }
+ seen.insert(numObj);
+ }
if (kids.isArray()) {
for (int i = 0; i < kids.arrayGetLength(); ++i) {
- const Object &kidRef = kids.arrayGetNF(i);
- if (kidRef.isRef()) {
- const int numObj = kidRef.getRef().num;
+ const Object kid = kids.getArray()->get(i, &ref);
+ if (ref != Ref::INVALID()) {
+ const int numObj = ref.num;
if (seen.find(numObj) != seen.end()) {
error(errSyntaxError, -1, "loop in NameTree (numObj: {0:d})", numObj);
continue;
}
seen.insert(numObj);
}
- Object kid = kids.arrayGet(i);
if (kid.isDict())
parse(&kid, seen);
}
diff --git a/poppler/Catalog.h b/poppler/Catalog.h
index a15dab28..7e9f237c 100644
--- a/poppler/Catalog.h
+++ b/poppler/Catalog.h
@@ -14,7 +14,7 @@
// under GPL version 2 or later
//
// Copyright (C) 2005 Kristian Høgsberg <krh@redhat.com>
-// Copyright (C) 2005, 2007, 2009-2011, 2013, 2017-2019 Albert Astals Cid <aacid@kde.org>
+// Copyright (C) 2005, 2007, 2009-2011, 2013, 2017-2020 Albert Astals Cid <aacid@kde.org>
// Copyright (C) 2005 Jonathan Blandford <jrb@redhat.com>
// Copyright (C) 2005, 2006, 2008 Brad Hards <bradh@frogmouth.net>
// Copyright (C) 2007 Julien Rebetez <julienr@svn.gnome.org>
@@ -87,7 +87,7 @@ private:
static int cmp(const void *key, const void *entry);
};
- void parse(Object *tree, std::set<int> &seen);
+ void parse(const Object *tree, std::set<int> &seen);
void addEntry(Entry *entry);
XRef *xref;