authorSebastian Rasmussen <sebras@gmail.com>2012-08-04 14:11:20 +0200
committerSebastian Rasmussen <sebras@gmail.com>2012-08-06 13:53:57 +0200
commitf919270b6a732ff45c3ba2d0c105e2b39e9c9bc9 (patch)
tree53373f0b4a0dc9efa35620fb39be15b63be96d2d
parent171deea598ec88f370e31b0d1b58d841277eceb1 (diff)
Handle invalid obj/gen numbers when repairing pdfs
Out of range object numbers cause the repaired object to be ignored. Out of range generation numbers are clamped to the permitted range.
-rw-r--r--pdf/pdf_repair.c26
1 files changed, 26 insertions, 0 deletions
diff --git a/pdf/pdf_repair.c b/pdf/pdf_repair.c
index 0874c2f8..df8d81f9 100644
--- a/pdf/pdf_repair.c
+++ b/pdf/pdf_repair.c
@@ -3,6 +3,9 @@
/* Scan file for objects and reconstruct xref table */
+/* Define in PDF 1.7 to be 8388607, but mupdf is more lenient. */
+#define MAX_OBJECT_NUMBER (10 << 20)
+
struct entry
{
int num;
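Review bot: The comment above `MAX_OBJECT_NUMBER` reads "Define in PDF 1.7" and says neither what the limit protects nor what `(10 << 20)` evaluates to. The object number comes from the file being repaired and, in the pdf_repair_obj_stm hunk, sizes the xref table through `pdf_resize_xref(xref, n + 1)`, so I would spell that out: `/* PDF 1.7 defines the maximum object number as 8388607; mupdf is more lenient and accepts up to 10 << 20 (10485760). Bounds xref growth during repair. */`. Even with this cap, a single entry can still request a table of roughly ten million slots, so the cost of that resize on hostile input is worth keeping in mind.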
@@ -170,6 +173,16 @@ pdf_repair_obj_stm(pdf_document *xref, int num, int gen)
fz_throw(ctx, "corrupt object stream (%d %d R)", num, gen);
n = buf.i;
+ if (n < 0)
+ {
+ fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", n, i);
+ continue;
+ }
+ else if (n > MAX_OBJECT_NUMBER)
+ {
+ fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", n, i);
+ continue;
+ }
if (n >= xref->len)
pdf_resize_xref(xref, n + 1);
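Review bot: The `continue` in both rejection branches skips everything the loop does after the `pdf_resize_xref` call, and that remainder lies outside this hunk. If it lexes the offset integer paired with each object number, a rejected entry would leave that token unread and the next iteration would parse the offset as an object number; please confirm, and if so consume the offset before continuing. The warning prints `n, i` under a `(%d %d R)` format while the neighbouring `fz_throw` prints `num, gen`, and `i` looks like the loop index rather than a generation, so the message may mislead whoever triages it. The two branches are identical and could be one test, `if (n < 0 || n > MAX_OBJECT_NUMBER)`; the same applies to the `num` checks in the pdf_repair_xref hunk.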
@@ -299,6 +312,19 @@ pdf_repair_xref(pdf_document *xref, pdf_lexbuf *buf)
break;
}
+ if (num < 0)
+ {
+ fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", num, gen);
+ continue;
+ }
+ else if (num > MAX_OBJECT_NUMBER)
+ {
+ fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", num, gen);
+ continue;
+ }
+
+ gen = fz_clampi(gen, 0, 65535);
+
if (listlen + 1 == listcap)
{
listcap = (listcap * 3) / 2;
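Review bot: The line `gen = fz_clampi(gen, 0, 65535);` rewrites an out-of-range generation number silently, whereas an out-of-range object number just above it produces a warning. A repaired file whose generation numbers were altered is hard to diagnose without a trace, so I would warn before clamping: `if (gen < 0 || gen > 65535) fz_warn(ctx, "clamping invalid generation number (%d %d R)", num, gen);`. The literal 65535 would also read better as a named constant next to `MAX_OBJECT_NUMBER`. The body of pdf_repair_xref starts and ends outside this hunk.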