author | Tor Andersson <tor.andersson@artifex.com> | 2014-06-09 14:02:16 +0200 |
---|---|---|
committer | Tor Andersson <tor.andersson@artifex.com> | 2014-06-09 16:23:11 +0200 |
commit | a6f0d56d2d2e66cef2b4ca6e810bf3630ed53d0b (patch) | |
tree | 1bfc678529b37d58643da6138f0e51a1bb40c6d1 | |
parent | 0f0653cac62c7dbcd4b4cd2ea57640769271365c (diff) | |
download | mupdf-a6f0d56d2d2e66cef2b4ca6e810bf3630ed53d0b.tar.xz |
Fix 695300: don't throw exception on invalid reference number.
Return the null object rather than throwing an exception when parsing
indirect object references with negative object numbers.
Do range check for object numbers (1 .. length) when object numbers
are used instead.
Object number 0 is not a valid object number. It must always be 'free'.
-rw-r--r-- | source/pdf/pdf-object.c | 4 | ||||
-rw-r--r-- | source/pdf/pdf-stream.c | 6 | ||||
-rw-r--r-- | source/pdf/pdf-write.c | 2 | ||||
-rw-r--r-- | source/pdf/pdf-xref.c | 19 |
4 files changed, 17 insertions, 14 deletions
diff --git a/source/pdf/pdf-object.c b/source/pdf/pdf-object.c
index 6fd69bbd..51272dea 100644
--- a/source/pdf/pdf-object.c
+++ b/source/pdf/pdf-object.c
@@ -158,10 +158,6 @@ pdf_new_indirect(pdf_document *doc, int num, int gen)
 {
 pdf_obj *obj;
 fz_context *ctx = doc->ctx;
-
- if (num <= 0 || gen < 0)
- fz_throw(ctx, FZ_ERROR_GENERIC, "Invalid num (%d) or gen (%d) for indirection", num, gen);
-
 obj = Memento_label(fz_malloc(ctx, sizeof(pdf_obj)), "pdf_obj(indirect)");
 obj->doc = doc;
 obj->refs = 1;
diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
index 54cf87fe..930c30cb 100644
--- a/source/pdf/pdf-stream.c
+++ b/source/pdf/pdf-stream.c
@@ -8,7 +8,7 @@ pdf_is_stream(pdf_document *doc, int num, int gen)
 {
 pdf_xref_entry *entry;
- if (num < 0 || num >= pdf_xref_len(doc))
+ if (num <= 0 || num >= pdf_xref_len(doc))
 return 0;
 pdf_cache_object(doc, num, gen);
@@ -405,7 +405,7 @@ pdf_open_raw_renumbered_stream(pdf_document *doc, int num, int gen, int orig_num
 {
 pdf_xref_entry *x;
- if (num < 0 || num >= pdf_xref_len(doc))
+ if (num <= 0 || num >= pdf_xref_len(doc))
 fz_throw(doc->ctx, FZ_ERROR_GENERIC, "object id out of range (%d %d R)", num, gen);
 pdf_cache_object(doc, num, gen);
@@ -422,7 +422,7 @@ pdf_open_image_stream(pdf_document *doc, int num, int gen, int orig_num, int ori
 {
 pdf_xref_entry *x;
- if (num < 0 || num >= pdf_xref_len(doc))
+ if (num <= 0 || num >= pdf_xref_len(doc))
 fz_throw(doc->ctx, FZ_ERROR_GENERIC, "object id out of range (%d %d R)", num, gen);
 pdf_cache_object(doc, num, gen);
diff --git a/source/pdf/pdf-write.c b/source/pdf/pdf-write.c
index dea21801..8fb4b03d 100644
--- a/source/pdf/pdf-write.c
+++ b/source/pdf/pdf-write.c
@@ -510,7 +510,7 @@ static pdf_obj *sweepref(pdf_document *doc, pdf_write_options *opts, pdf_obj *ob
 int gen = pdf_to_gen(obj);
 fz_context *ctx = doc->ctx;
- if (num < 0 || num >= pdf_xref_len(doc))
+ if (num <= 0 || num >= pdf_xref_len(doc))
 return NULL;
 if (opts->use_list[num])
 return NULL;
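Review bot: With the guard removed, pdf_new_indirect stores whatever num and gen the parser passes in, so the old guarantee that an indirect object never carries a non-positive number is no longer enforced at construction. It now has to hold at every site that later uses pdf_to_num() as an index. The range checks tightened in this commit cover the xref entry points visible on the page, but nothing in the function records the change. A comment above the allocation such as `/* num and gen are not validated here; callers must range-check before using them as an index (see pdf_resolve_indirect). */` would stop a later caller from relying on the old guarantee. The function body continues past the end of the hunk.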
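Review bot: In sweepref, `opts->use_list[num]` is indexed right after a bounds check against pdf_xref_len(doc), but the hunk does not show that use_list was sized from that same value. If the xref can grow after the list is allocated (for example through a repair triggered while objects are loaded; not visible here, so this needs confirming), a num that passes the check could still index past the end of the list. Either compare against the length the list was allocated with, or state the invariant next to the check, e.g. `/* use_list has pdf_xref_len(doc) entries; the xref must not grow during the sweep */`. sweepref starts and ends outside the hunk.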
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 02b935c8..b3505c36 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -1349,7 +1349,7 @@ pdf_load_obj_stm(pdf_document *doc, int num, int gen, pdf_lexbuf *buf)
 obj = pdf_parse_stm_obj(doc, stm, buf);
- if (numbuf[i] < 1 || numbuf[i] >= xref_len)
+ if (numbuf[i] <= 0 || numbuf[i] >= xref_len)
 {
 pdf_drop_obj(obj);
 fz_throw(ctx, FZ_ERROR_GENERIC, "object id (%d 0 R) out of range (0..%d)", numbuf[i], xref_len - 1);
@@ -1638,7 +1638,7 @@ pdf_cache_object(pdf_document *doc, int num, int gen)
 fz_var(try_repair);
- if (num < 0 || num >= pdf_xref_len(doc))
+ if (num <= 0 || num >= pdf_xref_len(doc))
 fz_throw(ctx, FZ_ERROR_GENERIC, "object out of range (%d %d R); xref size %d", num, gen, pdf_xref_len(doc));
 object_updated:
@@ -1764,7 +1764,7 @@ pdf_resolve_indirect(pdf_obj *ref)
 {
 if (--sanity == 0)
 {
- fz_warn(ctx, "Too many indirections (possible indirection cycle involving %d %d R)", num, gen);
+ fz_warn(ctx, "too many indirections (possible indirection cycle involving %d %d R)", num, gen);
 return NULL;
 }
 doc = pdf_get_indirect_document(ref);
@@ -1773,6 +1773,13 @@ pdf_resolve_indirect(pdf_obj *ref)
 ctx = doc->ctx;
 num = pdf_to_num(ref);
 gen = pdf_to_gen(ref);
+
+ if (num <= 0 || gen < 0)
+ {
+ fz_warn(ctx, "invalid indirect reference (%d %d R)", num, gen);
+ return NULL;
+ }
+
 fz_try(ctx)
 {
 pdf_cache_object(doc, num, gen);
@@ -1819,7 +1826,7 @@ pdf_delete_object(pdf_document *doc, int num)
 {
 pdf_xref_entry *x;
- if (num < 0 || num >= pdf_xref_len(doc))
+ if (num <= 0 || num >= pdf_xref_len(doc))
 {
 fz_warn(doc->ctx, "object out of range (%d 0 R); xref size %d", num, pdf_xref_len(doc));
 return;
@@ -1843,7 +1850,7 @@ pdf_update_object(pdf_document *doc, int num, pdf_obj *newobj)
 {
 pdf_xref_entry *x;
- if (num < 0 || num >= pdf_xref_len(doc))
+ if (num <= 0 || num >= pdf_xref_len(doc))
 {
 fz_warn(doc->ctx, "object out of range (%d 0 R); xref size %d", num, pdf_xref_len(doc));
 return;
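Review bot: In pdf_load_obj_stm, the `fz_throw` two lines below the changed condition still reports the valid range as `(0..%d)`, although the condition rejects 0 and the commit message says object number 0 is never valid. Anyone triaging a malformed file from this message would be told that 0 is acceptable. Changing the format to `"object id (%d 0 R) out of range (1..%d)"` makes the message agree with the check. The enclosing loop starts and ends outside the hunk.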
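Review bot: The new guard in pdf_resolve_indirect tests only the lower bounds, so an object number at or above the xref length still reaches pdf_cache_object and is rejected there by a throw inside the `fz_try`. The split is reasonable, but the code does not say why one half of the range gets a warning and NULL here while the other half gets an exception. A short comment above the `if` would record it, e.g. `/* pdf_new_indirect accepts any num/gen; reject the obviously invalid ones here without a throw. The upper bound is checked in pdf_cache_object. */`. The fz_try block continues outside the hunk, so how the thrown case becomes a return value cannot be confirmed from here.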
@@ -1865,7 +1872,7 @@ pdf_update_stream(pdf_document *doc, int num, fz_buffer *newbuf)
 {
 pdf_xref_entry *x;
- if (num < 0 || num >= pdf_xref_len(doc))
+ if (num <= 0 || num >= pdf_xref_len(doc))
 {
 fz_warn(doc->ctx, "object out of range (%d 0 R); xref size %d", num, pdf_xref_len(doc));
 return; |