From af27c82bde5dcdea4d0d225f29da0f0409ca2c75 Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen
Date: Wed, 7 Feb 2018 02:46:46 +0100
Subject: Bug 698998: Avoid recursion when opening jbig2 image streams.

Previously the JBIG2 globals object might be indirect and if that reference pointed to the object containing the stream itself then mupdf would recurse until running out of error stack. Thanks to oss-fuzz for reporting.
---
 source/pdf/pdf-stream.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'source/pdf/pdf-stream.c')

diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
index e2696bd1..15014b38 100644
--- a/source/pdf/pdf-stream.c
+++ b/source/pdf/pdf-stream.c
@@ -66,9 +66,10 @@ pdf_load_jbig2_globals(fz_context *ctx, pdf_document *doc, pdf_obj *dict)
 	fz_var(buf);
 
 	if ((globals = pdf_find_item(ctx, fz_drop_jbig2_globals_imp, dict)) != NULL)
-	{
 		return globals;
-	}
+
+	if (pdf_mark_obj(ctx, dict))
+		fz_throw(ctx, FZ_ERROR_GENERIC, "cyclic reference when loading JBIG2 globals");
 
 	fz_try(ctx)
 	{
@@ -79,6 +80,7 @@ pdf_load_jbig2_globals(fz_context *ctx, pdf_document *doc, pdf_obj *dict)
 	fz_always(ctx)
 	{
 		fz_drop_buffer(ctx, buf);
+		pdf_unmark_obj(ctx, dict);
 	}
 	fz_catch(ctx)
 	{
-- 
cgit v1.2.3
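Review bot: The cycle guard is undocumented at the point where it is taken: the `pdf_mark_obj` call before `fz_try` only makes sense together with the `pdf_unmark_obj` in the `fz_always` block of the second hunk, and the body of the try block (where the stream is presumably opened) lies outside both hunks, so a reader of either hunk alone cannot see why `dict` is marked. I would add above the mark: `/* Mark dict while its stream is opened: a JBIG2Globals reference that leads back to this dict (directly or through another dict) would otherwise recurse until the error stack is exhausted. */`. The commit message says the recursion arises through an indirect reference, but it is not visible here whether `pdf_mark_obj` marks the resolved object or the reference itself; if the latter, the mark would not catch a cycle that re-enters through a different indirect reference to the same object, so that is worth confirming. Because the mark is released in `fz_always`, the guard covers only work done inside the try block, which is where the nested open has to happen for the check to be effective. Dropping the braces around the single-statement `return globals;` is a point of style only, against the always-brace convention.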