diff options
| author | Chris Liddell <chris.liddell@artifex.com> | 2021-02-04 16:34:58 +0000 |
|---|---|---|
| committer | Chris Liddell <chris.liddell@artifex.com> | 2021-02-04 16:42:42 +0000 |
| commit | 8cac642a1caf0ff821b2f1f83ee322a1cffc9a3e (patch) | |
| tree | 75baa1a98c181409d2692cf756af3227ab6b0731 /Resource/Init/pdf_rbld.ps | |
| parent | 180f35cecf582c0cd321e5d5cd8e11c4304ec519 (diff) | |
| download | ghostpdl-8cac642a1caf0ff821b2f1f83ee322a1cffc9a3e.tar.gz | |
oss-fuzz 22842: sanity check the claimed number of objects in a PDF
This test case is a file that we identify as a broken PDF, and attempt to
repair.
As part of trying to repair the xref, we an extremely large value integer which
we take to mean the number of objects in the file, and then attempt to loop
over them. The result is, in practice, an endless loop.
On the basis that the very barest PDF object:
1 0 obj
endobj
takes 15 bytes to define, we add a check: if the number of claimed objects is
greater than the number of bytes in the file divided by 15, then the number
is not to be trusted, and we dicard it.
Diffstat (limited to 'Resource/Init/pdf_rbld.ps')
| -rw-r--r-- | Resource/Init/pdf_rbld.ps | 29 |
1 files changed, 22 insertions, 7 deletions
diff --git a/Resource/Init/pdf_rbld.ps b/Resource/Init/pdf_rbld.ps index 037f10b72..febd1f441 100644 --- a/Resource/Init/pdf_rbld.ps +++ b/Resource/Init/pdf_rbld.ps @@ -142,13 +142,28 @@ PDFfile token pop % get starting entry - or 'trailer' (trailer) ne { % if we do not already have 'trailer' PDFfile token pop % get number of entries - PDFfile token pop pop % this moves us into the middle of the first entry - 25 string exch % define working string for readline - { PDFfile 1 index readline pop pop - } repeat % skip entries - pop % pop working string - PDFfile token pop pop % get 'trailer' - PDFfile fileposition % get file position + % The following check could be more efficient + % but broken file..... + dup + PDFfile fileposition + PDFfile 0 setfileposition + PDFfile bytesavailable + exch PDFfile exch setfileposition + % On the basis it requires at least 15 bytes to define an object + % in PDF, if the claimed number of objects is more than the number + % of bytes in the file, then it is clearly bogus, and we just give up + 15 idiv + lt { + PDFfile token pop pop % this moves us into the middle of the first entry + 25 string exch % define working string for readline + { PDFfile 1 index readline pop pop + } repeat % skip entries + pop % pop working string + PDFfile token pop pop % get 'trailer' + PDFfile fileposition % get file position + } + { pop 0} + ifelse } if } { pop 0 % no xref, should not happen, report it upstrem |