author | Ken Sharp <ken.sharp@artifex.com> | 2022-06-07 15:52:33 +0100 |
---|---|---|
committer | Ken Sharp <ken.sharp@artifex.com> | 2022-06-07 15:52:33 +0100 |
commit | 0d32d5a9aea919e9ab4c0431027f5ec47ccc4a64 (patch) | |
tree | fae74cebc1bea9dfdc9e7f28470ca8a4e3d14aaf /psi | |
parent | bb2fd595dd08728323a86a24e0f5643383c92d03 (diff) | |
download | ghostpdl-0d32d5a9aea919e9ab4c0431027f5ec47ccc4a64.tar.gz |
GhostPDF - circular references in Info dict with PageLabels

OSS-fuzz #47571

This one is quite complicated and may need further work in the code
for page labels. The problem arises because we deal with page labels
before we deal with the Info dictionary passed back to PostScript.

The PageLabel handling discovers a circular reference but, unlike every
other case, when this happens we do not abort the operation. We simply
leave the indirect reference in place and carry on.

This is a problem because it means we replace some indirect references
with the dereferenced object, but not all of them. When we later run
the same operation when parsing the Info dictionary the fact that one
object has been dereferenced and stored as a direct object means that
we fail to spot the circular reference, because we have not noted the
object number of the 'parent' object.

Ordinarily this can't happen because the original error would prevent us
storing the dereferenced object at any point in the chain.

It is likely that we ought to return an error in the case of page labels
with a circular reference at least and not simply carry on. I suspect
we should always respect the error.

Anyway, to work around this, the commit here checks the Info dictionary
for circular references before we store it in the PDF context. Any
entry which has an error is deleted from the dictionary before we store
it. This prevents the circular reference ever appearing.

Brute force, but we only do it once and it makes sure we can never end
up in this situation.

Diffstat (limited to 'psi')
-rw-r--r-- | psi/zpdfops.c | 18 |
1 files changed, 0 insertions, 18 deletions
diff --git a/psi/zpdfops.c b/psi/zpdfops.c index 917fdcb83..1bd768de4 100644 --- a/psi/zpdfops.c +++ b/psi/zpdfops.c @@ -805,27 +805,9 @@ static int PDFobj_to_PSobj(i_ctx_t *i_ctx_p, pdfctx_t *pdfctx, pdf_obj *PDFobj, } break; case PDF_DICT: - if (PDFobj->object_num != 0) { - if (pdfi_loop_detector_check_object(pdfctx->ctx, PDFobj->object_num)) { - gs_note_error(gs_error_circular_reference); - goto error; - } - code = pdfi_loop_detector_add_object(pdfctx->ctx, PDFobj->object_num); - if (code < 0) - goto error; - } code = PDFdict_to_PSdict(i_ctx_p, pdfctx, (pdf_dict *)PDFobj, PSobj); break; case PDF_ARRAY: - if (PDFobj->object_num != 0) { - if (pdfi_loop_detector_check_object(pdfctx->ctx, PDFobj->object_num)) { - gs_note_error(gs_error_circular_reference); - goto error; - } - code = pdfi_loop_detector_add_object(pdfctx->ctx, PDFobj->object_num); - if (code < 0) - goto error; - } code = PDFarray_to_PSarray(i_ctx_p, pdfctx, (pdf_array *)PDFobj, PSobj); break; default: |
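Review bot: in PDFobj_to_PSobj the PDF_DICT and PDF_ARRAY cases lose both pdfi_loop_detector_check_object() and pdfi_loop_detector_add_object() with nothing put in their place, so after this hunk the function itself no longer raises gs_error_circular_reference for a repeated object_num and depends on the object having been screened before it gets here. The commit message describes that screening for the Info dictionary only, and the diffstat for psi shows 0 insertions, so the check is not visible in this diff. Please add a comment above the two cases stating that precondition, and confirm that every other caller of PDFobj_to_PSobj passes objects that have already been checked for circular references. The message also says the page label path carries on after detecting a circular reference; a follow-up that makes that path return the error would address the cause instead of relying on deleting Info entries.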