authorSebastian Rasmussen <sebras@gmail.com>2018-02-01 16:36:14 +0100
committerSebastian Rasmussen <sebras@gmail.com>2018-02-01 17:14:41 +0100
commitb03def134988da8c800adac1a38a41a1f09a1d89 (patch)
tree6d02132cdc824665db884edb826a1be4b9125896
parent26527eef77b3e51c2258c8e40845bfbc015e405d (diff)
downloadmupdf-b03def134988da8c800adac1a38a41a1f09a1d89.tar.xz
Bug 698830: Avoid recursion when loading object streams objects.
If there were indirect references in the object stream dictionary and one of those indirect references referred to an object inside the object stream itself, mupdf would previously enter recursion bounded only by the exception stack. After this commit, the object stream is checked immediately after being loaded to see whether it is marked. If it is marked, we terminate the recursion at this point; if it is not marked, we mark it and attempt to load the desired object within. We also take care to unmark the stream object when done or upon exception.
-rw-r--r--source/pdf/pdf-xref.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 723b543c..ed09094c 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -1576,6 +1576,19 @@ pdf_load_obj_stm(fz_context *ctx, pdf_document *doc, int num, pdf_lexbuf *buf, i
{
objstm = pdf_load_object(ctx, doc, num);
+ if (pdf_obj_marked(ctx, objstm))
+ fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup");
+ }
+ fz_catch(ctx)
+ {
+ pdf_drop_obj(ctx, objstm);
+ fz_rethrow(ctx);
+ }
+
+ fz_try(ctx)
+ {
+ pdf_mark_obj(ctx, objstm);
+
count = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_N));
first = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_First));
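Review bot: The code does not record why the marked check in pdf_load_obj_stm gets its own fz_try/fz_catch, separate from the block that calls `pdf_mark_obj`, yet the fix depends on that split: the recursive path must drop objstm without unmarking it, because the mark belongs to the outer call still in progress. If a later cleanup merged the two blocks, the "recursive object stream lookup" throw would pass through the shared cleanup that calls `pdf_unmark_obj` (second hunk) and could clear the outer call's guard. I would add above the check `/* Already marked: an outer call is reading this stream. Drop our reference but leave the mark for that call to clear. */`. Putting the object number in the message, `fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup (%d 0 R)", num);`, would also make malformed files easier to triage. The function body starts and ends outside the hunk.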
@@ -1655,6 +1668,7 @@ pdf_load_obj_stm(fz_context *ctx, pdf_document *doc, int num, pdf_lexbuf *buf, i
fz_drop_stream(ctx, stm);
fz_free(ctx, ofsbuf);
fz_free(ctx, numbuf);
+ pdf_unmark_obj(ctx, objstm);
pdf_drop_obj(ctx, objstm);
}
fz_catch(ctx)
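Review bot: Nothing in this hunk shows that `pdf_unmark_obj(ctx, objstm)` also runs when the second try block throws. The block it sits in opens outside the hunk, and only one unmark is added, directly before `fz_catch(ctx)`, while the commit message promises unmarking "upon exception". If that block is an `fz_always` section, both paths are covered. If it is the tail of the try body, a throw would leave the object marked, and, assuming the loaded object stays cached in the xref, every later lookup into this stream would fail with "recursive object stream lookup". A comment on the line such as `/* clear the recursion guard on success and error alike */` would record the requirement, and a regression test that forces an error after the mark and then repeats the lookup would confirm it.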