38 lines
1.2 KiB
Diff
38 lines
1.2 KiB
Diff
From ec8a43c8df29fdd6f1228276160898ccd9401c92 Mon Sep 17 00:00:00 2001
|
|
From: Albert Astals Cid <aacid@kde.org>
|
|
Date: Sat, 4 Jul 2020 00:08:55 +0200
|
|
Subject: [PATCH] Fix stack overflow with specially crafted files
|
|
|
|
The file is not malformed per se, it just has a huge XRefStm chain
|
|
and we end up exhausting the stack space trying to parse them all.
|
|
|
|
Having more than 4096 XRefStm seems like won't really happen on real
|
|
life so break the flow at that point
|
|
|
|
Fixes #936
|
|
|
|
---
|
|
poppler/XRef.cc | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/poppler/XRef.cc b/poppler/XRef.cc
|
|
index 5943bdd..fe8936e 100644
|
|
--- a/poppler/XRef.cc
|
|
+++ b/poppler/XRef.cc
|
|
@@ -633,6 +633,12 @@ bool XRef::readXRefTable(Parser *parser, Goffset *pos, std::vector<Goffset> *fol
|
|
ok = false;
|
|
}
|
|
}
|
|
+ // Arbitrary limit because otherwise we exhaust the stack
|
|
+ // calling readXRef + readXRefTable
|
|
+ if (followedXRefStm->size() > 4096) {
|
|
+ error(errSyntaxError, -1, "File has more than 4096 XRefStm, aborting");
|
|
+ ok = false;
|
|
+ }
|
|
if (ok) {
|
|
followedXRefStm->push_back(pos2);
|
|
readXRef(&pos2, followedXRefStm, xrefStreamObjsNum);
|
|
--
|
|
2.33.0
|
|
|