Bug 698998: Avoid recursion when opening jbig2 image streams.

Previously the JBIG2 globals object might be indirect and if that reference pointed to the object containing the stream itself then mupdf would recurse until running out of error stack. Thanks to oss-fuzz for reporting.
author: Sebastian Rasmussen <sebras@gmail.com> 2018-02-07 02:46:46 +0100
committer: Sebastian Rasmussen <sebras@gmail.com> 2018-02-12 17:35:31 +0100
commit: af27c82bde5dcdea4d0d225f29da0f0409ca2c75 (patch)
tree: 6512c6589b4680f040e19c415d78ee6e559aa028 /source/pdf/pdf-stream.c
parent: f597f8dc0552b8e8facd59b11ac64f87fe6736db (diff)
download: mupdf-af27c82bde5dcdea4d0d225f29da0f0409ca2c75.tar.xz
1 files changed, 4 insertions, 2 deletions
diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
index e2696bd1..15014b38 100644
--- a/source/pdf/pdf-stream.c
+++ b/source/pdf/pdf-stream.c
@@ -66,9 +66,10 @@ pdf_load_jbig2_globals(fz_context *ctx, pdf_document *doc, pdf_obj *dict)
 	fz_var(buf);
 
 	if ((globals = pdf_find_item(ctx, fz_drop_jbig2_globals_imp, dict)) != NULL)
-	{
 		return globals;
-	}
+
+	if (pdf_mark_obj(ctx, dict))
+		fz_throw(ctx, FZ_ERROR_GENERIC, "cyclic reference when loading JBIG2 globals");
 
 	fz_try(ctx)
 	{
@@ -79,6 +80,7 @@ pdf_load_jbig2_globals(fz_context *ctx, pdf_document *doc, pdf_obj *dict)
 	fz_always(ctx)
 	{
 		fz_drop_buffer(ctx, buf);
+		pdf_unmark_obj(ctx, dict);
 	}
 	fz_catch(ctx)
 	{
author	Sebastian Rasmussen <sebras@gmail.com>	2018-02-07 02:46:46 +0100
committer	Sebastian Rasmussen <sebras@gmail.com>	2018-02-12 17:35:31 +0100
commit	af27c82bde5dcdea4d0d225f29da0f0409ca2c75 (patch)
tree	6512c6589b4680f040e19c415d78ee6e559aa028 /source/pdf/pdf-stream.c
parent	f597f8dc0552b8e8facd59b11ac64f87fe6736db (diff)
download	mupdf-af27c82bde5dcdea4d0d225f29da0f0409ca2c75.tar.xz