diff options
author | Ken Sharp <ken.sharp@artifex.com> | 2022-08-10 13:47:57 +0100 |
---|---|---|
committer | Ken Sharp <ken.sharp@artifex.com> | 2022-08-10 13:47:57 +0100 |
commit | c97ea3fa01aced952bf7917b31cfc977c9a6d5fc (patch) | |
tree | 1d44cffb591b34e00a12a22709a05c6bcb35b849 /pdf | |
parent | 941c74b068dc50c89881f1092b409f8dbd7f583b (diff) | |
download | ghostpdl-c97ea3fa01aced952bf7917b31cfc977c9a6d5fc.tar.gz |
GhostPDF - Improve handling of empty objects
Bug #705734 " stack overflow in psi/zpdfops.c:79 PDFdict_to_PSdict"
The problem here is the file has an object definition with no endobj
and no actual content:
4 0 obj
5 0 obj
The code to deal with missing endobj tokenswas assuming that if there
were any objects on the stack that these represented the content of the
object.
In this case, that isn't true, though there *are* objects on the stack
they didn't come from the object. For various reasons it just so happens
that this ends up defining the content of object 4 as an indirect
reference to object 4 which is ordinarily impossible, only arrays and
dictionaries can contain indirect references, not objects.
This caused a circular reference that shouldn't be possible.
Check the stack depth on entry and use the current stack depth minus
the initial value instead of simply using the current stack depth. This
then correctly returns a stack underflow error and the circular
reference doesn't happen.
Diffstat (limited to 'pdf')
-rw-r--r-- | pdf/pdf_deref.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/pdf/pdf_deref.c b/pdf/pdf_deref.c index b678f53e1..b63af1761 100644 --- a/pdf/pdf_deref.c +++ b/pdf/pdf_deref.c @@ -433,11 +433,12 @@ static int pdfi_read_stream_object(pdf_context *ctx, pdf_c_stream *s, gs_offset_ */ int pdfi_read_bare_object(pdf_context *ctx, pdf_c_stream *s, gs_offset_t stream_offset, uint32_t objnum, uint32_t gen) { - int code = 0; + int code = 0, initial_depth = 0; pdf_key keyword; gs_offset_t saved_offset[3]; pdf_obj_type type; + initial_depth = pdfi_count_stack(ctx); saved_offset[0] = saved_offset[1] = saved_offset[2] = 0; code = pdfi_read_token(ctx, s, objnum, gen); @@ -471,7 +472,7 @@ int pdfi_read_bare_object(pdf_context *ctx, pdf_c_stream *s, gs_offset_t stream_ if (keyword == TOKEN_ENDOBJ) { pdf_obj *o; - if (pdfi_count_stack(ctx) < 2) { + if (pdfi_count_stack(ctx) - initial_depth < 2) { pdfi_clearstack(ctx); return_error(gs_error_stackunderflow); } @@ -496,7 +497,7 @@ int pdfi_read_bare_object(pdf_context *ctx, pdf_c_stream *s, gs_offset_t stream_ pdfi_set_error(ctx, 0, NULL, E_PDF_MISSINGENDOBJ, "pdfi_read_bare_object", NULL); /* 4 for; the object we want, the object number, generation number and 'obj' keyword */ - if (pdfi_count_stack(ctx) < 4) + if (pdfi_count_stack(ctx) - initial_depth < 4) return_error(gs_error_stackunderflow); /* If we have that many objects, assume that we can throw away the x y obj and just use the remaining object */ @@ -520,7 +521,7 @@ missing_endobj: pdfi_set_error(ctx, 0, NULL, E_PDF_MISSINGENDOBJ, "pdfi_read_bare_object", NULL); - if (pdfi_count_stack(ctx) < 2) + if (pdfi_count_stack(ctx) - initial_depth < 2) return_error(gs_error_stackunderflow); o = ctx->stack_top[-2]; |