diff options
| author | Tor Andersson <tor.andersson@artifex.com> | 2014-06-09 14:02:16 +0200 |
|---|---|---|
| committer | Tor Andersson <tor.andersson@artifex.com> | 2014-06-09 16:23:11 +0200 |
| commit | a6f0d56d2d2e66cef2b4ca6e810bf3630ed53d0b (patch) | |
| tree | 1bfc678529b37d58643da6138f0e51a1bb40c6d1 /source/pdf/pdf-xref.c | |
| parent | 0f0653cac62c7dbcd4b4cd2ea57640769271365c (diff) | |
| download | mupdf-a6f0d56d2d2e66cef2b4ca6e810bf3630ed53d0b.tar.xz | |
Fix 695300: don't throw exception on invalid reference number.
Return the null object rather than throwing an exception when parsing
indirect object references with negative object numbers.
Do range check for object numbers (1 .. length) when object numbers
are used instead.
Object number 0 is not a valid object number. It must always be 'free'.
Diffstat (limited to 'source/pdf/pdf-xref.c')
| -rw-r--r-- | source/pdf/pdf-xref.c | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c index 02b935c8..b3505c36 100644 --- a/source/pdf/pdf-xref.c +++ b/source/pdf/pdf-xref.c @@ -1349,7 +1349,7 @@ pdf_load_obj_stm(pdf_document *doc, int num, int gen, pdf_lexbuf *buf) obj = pdf_parse_stm_obj(doc, stm, buf); - if (numbuf[i] < 1 || numbuf[i] >= xref_len) + if (numbuf[i] <= 0 || numbuf[i] >= xref_len) { pdf_drop_obj(obj); fz_throw(ctx, FZ_ERROR_GENERIC, "object id (%d 0 R) out of range (0..%d)", numbuf[i], xref_len - 1); @@ -1638,7 +1638,7 @@ pdf_cache_object(pdf_document *doc, int num, int gen) fz_var(try_repair); - if (num < 0 || num >= pdf_xref_len(doc)) + if (num <= 0 || num >= pdf_xref_len(doc)) fz_throw(ctx, FZ_ERROR_GENERIC, "object out of range (%d %d R); xref size %d", num, gen, pdf_xref_len(doc)); object_updated: @@ -1764,7 +1764,7 @@ pdf_resolve_indirect(pdf_obj *ref) { if (--sanity == 0) { - fz_warn(ctx, "Too many indirections (possible indirection cycle involving %d %d R)", num, gen); + fz_warn(ctx, "too many indirections (possible indirection cycle involving %d %d R)", num, gen); return NULL; } doc = pdf_get_indirect_document(ref); @@ -1773,6 +1773,13 @@ pdf_resolve_indirect(pdf_obj *ref) ctx = doc->ctx; num = pdf_to_num(ref); gen = pdf_to_gen(ref); + + if (num <= 0 || gen < 0) + { + fz_warn(ctx, "invalid indirect reference (%d %d R)", num, gen); + return NULL; + } + fz_try(ctx) { pdf_cache_object(doc, num, gen); @@ -1819,7 +1826,7 @@ pdf_delete_object(pdf_document *doc, int num) { pdf_xref_entry *x; - if (num < 0 || num >= pdf_xref_len(doc)) + if (num <= 0 || num >= pdf_xref_len(doc)) { fz_warn(doc->ctx, "object out of range (%d 0 R); xref size %d", num, pdf_xref_len(doc)); return; @@ -1843,7 +1850,7 @@ pdf_update_object(pdf_document *doc, int num, pdf_obj *newobj) { pdf_xref_entry *x; - if (num < 0 || num >= pdf_xref_len(doc)) + if (num <= 0 || num >= pdf_xref_len(doc)) { fz_warn(doc->ctx, "object out of range (%d 0 R); xref size %d", num, pdf_xref_len(doc)); return; @@ -1865,7 +1872,7 @@ pdf_update_stream(pdf_document *doc, int num, fz_buffer *newbuf) { pdf_xref_entry *x; - if (num < 0 || num >= pdf_xref_len(doc)) + if (num <= 0 || num >= pdf_xref_len(doc)) { fz_warn(doc->ctx, "object out of range (%d 0 R); xref size %d", num, pdf_xref_len(doc)); return; |