1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
$NetBSD: patch-av,v 1.1 2007/01/17 17:38:05 drochner Exp $
--- xpdf/Catalog.cc.orig 2005-08-17 07:34:31.000000000 +0200
+++ xpdf/Catalog.cc
@@ -23,6 +23,12 @@
#include "Link.h"
#include "Catalog.h"
+// This define is used to limit the depth of recursive readPageTree calls
+// This is needed because the page tree nodes can reference their parents
+// leaving us in an infinite loop
+// Most sane pdf documents don't have a call depth higher than 10
+#define MAX_CALL_DEPTH 1000
+
//------------------------------------------------------------------------
// Catalog
//------------------------------------------------------------------------
@@ -71,7 +77,7 @@ Catalog::Catalog(XRef *xrefA) {
pageRefs[i].num = -1;
pageRefs[i].gen = -1;
}
- numPages = readPageTree(pagesDict.getDict(), NULL, 0);
+ numPages = readPageTree(pagesDict.getDict(), NULL, 0, 0);
if (numPages != numPages0) {
error(-1, "Page count in top-level pages object is incorrect");
}
@@ -169,7 +175,7 @@ GString *Catalog::readMetadata() {
return s;
}
-int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) {
+int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start, int callDepth) {
Object kids;
Object kid;
Object kidRef;
@@ -214,9 +220,13 @@ int Catalog::readPageTree(Dict *pagesDic
// This should really be isDict("Pages"), but I've seen at least one
// PDF file where the /Type entry is missing.
} else if (kid.isDict()) {
- if ((start = readPageTree(kid.getDict(), attrs1, start))
- < 0)
- goto err2;
+ if (callDepth > MAX_CALL_DEPTH) {
+ error(-1, "Limit of %d recursive calls reached while reading the page tree. If your document is correct and not a test to try to force a crash, please report a bug.", MAX_CALL_DEPTH);
+ } else {
+ if ((start = readPageTree(kid.getDict(), attrs1, start, callDepth + 1))
+ < 0)
+ goto err2;
+ }
} else {
error(-1, "Kid object (page %d) is wrong type (%s)",
start+1, kid.getTypeName());
|
