authorKen Sharp <ken.sharp@artifex.com>2021-12-17 11:43:17 +0000
committerKen Sharp <ken.sharp@artifex.com>2021-12-17 11:43:17 +0000
commit8f86c5f3d7a46206d8eb9501912d212e594d2e0f (patch)
treeff32eae4783003982d595b97153e1837b520f274 /pdf/pdf_repair.c
parent3f51c61d4ed23355ba717c55bb94630efa1a0c14 (diff)
GhostPDF - OSS-Fuzz #492299
pdfi_read_token() was returning with a code of 0, but without pushing an object on the stack (because we ran out of input). In many places this is catered for, mostly fairly low-level instances, by checking to see if the stack has any objects on it. However it seems better to alter the way that pdfi_read_token() works slightly. It now returns 1 if it read a token, < 0 for an error, and 0 if there was no error but it didn't read a token (ie ran out of input). All the places that call pdfi_read_token have been reviewed and the return value checked. If necessary new action is taken on 0.
Diffstat (limited to 'pdf/pdf_repair.c')
-rw-r--r--pdf/pdf_repair.c27
1 files changed, 16 insertions, 11 deletions
diff --git a/pdf/pdf_repair.c b/pdf/pdf_repair.c
index 162be1a0a..27816968c 100644
--- a/pdf/pdf_repair.c
+++ b/pdf/pdf_repair.c
@@ -250,16 +250,18 @@ int pdfi_repair_file(pdf_context *ctx)
continue;
goto exit;
}
- if (ctx->stack_top[-1]->type == PDF_KEYWORD){
- pdf_keyword *k = (pdf_keyword *)ctx->stack_top[-1];
- if (k->key == TOKEN_ENDOBJ) {
- code = pdfi_repair_add_object(ctx, object_num, generation_num, offset);
- if (code < 0) {
- if (code != gs_error_VMerror && code != gs_error_ioerror)
- break;
- goto exit;
+ if (code > 0) {
+ if (ctx->stack_top[-1]->type == PDF_KEYWORD){
+ pdf_keyword *k = (pdf_keyword *)ctx->stack_top[-1];
+ if (k->key == TOKEN_ENDOBJ) {
+ code = pdfi_repair_add_object(ctx, object_num, generation_num, offset);
+ if (code < 0) {
+ if (code != gs_error_VMerror && code != gs_error_ioerror)
+ break;
+ goto exit;
+ }
+ break;
}
- break;
}
}
}while(ctx->main_stream->eof == false);
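Review bot: The `ctx->stack_top[-1]` dereference under the new `if (code > 0) {` is safe only because of the return contract described in the commit message, and nothing at the check records that. A comment on that line would keep the guard from being "simplified" back to an unconditional stack access, for example `/* > 0: a token was pushed, so stack_top[-1] is valid; 0: end of input, nothing pushed */`. With `code == 0` the body is now skipped and termination appears to rest on `ctx->main_stream->eof` in the `while` condition, which is worth confirming for the out-of-input case. The loop body starts outside this hunk.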
@@ -420,13 +422,14 @@ int pdfi_repair_file(pdf_context *ctx)
if (code == 0) {
for (j=0;j < N; j++) {
code = pdfi_read_token(ctx, compressed_stream, 0, 0);
- if (code == 0) {
+ if (code > 0) {
o = ctx->stack_top[-1];
if (((pdf_obj *)o)->type == PDF_INT) {
obj_num = ((pdf_num *)o)->value.i;
pdfi_pop(ctx, 1);
code = pdfi_read_token(ctx, compressed_stream, 0, 0);
- if (code == 0) {
+ if (code > 0) {
+ code = 0;
o = ctx->stack_top[-1];
if (((pdf_obj *)o)->type == PDF_INT) {
offset = ((pdf_num *)o)->value.i;
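Review bot: The `code = 0;` added after the second `pdfi_read_token()` makes a successfully read pair look the same as the end-of-input result that the next hunk tests with `if (code == 0) break;` at the bottom of the `for (j=0;j < N; j++)` body. Unless code between the two hunks sets `code` to a non-zero value, which is not visible here, the loop would exit after the first object-number/offset pair and the remaining entries would presumably never be recorded. Testing the return at the read site keeps the two meanings apart: put `if (code <= 0) break;` directly after each `pdfi_read_token(ctx, compressed_stream, 0, 0);` and drop the trailing `if (code == 0) break;`. The enclosing loop body continues outside this hunk.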
@@ -450,6 +453,8 @@ int pdfi_repair_file(pdf_context *ctx)
}
}
}
+ if (code == 0)
+ break;
}
}
pdfi_close_file(ctx, compressed_stream);