[poppler] poppler/poppler: Catalog.cc,1.17,1.18 Catalog.h,1.9,1.10

Thu Jan 11 14:12:13 PST 2007

Update of /cvs/poppler/poppler/poppler
In directory kemper:/tmp/cvs-serv10529/poppler

Modified Files:
	Catalog.cc Catalog.h 
Log Message:
       * poppler/Catalog.h:
       * poppler/Catalog.cc: Limit max depth of recursive calls on
       readPageTree to fix MOAB-06-01-2007


Index: Catalog.cc
===================================================================
RCS file: /cvs/poppler/poppler/poppler/Catalog.cc,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -d -r1.17 -r1.18

--- Catalog.cc	11 Aug 2006 13:12:11 -0000	1.17
+++ Catalog.cc	11 Jan 2007 22:12:11 -0000	1.18
@@ -26,6 +26,12 @@
 #include "UGooString.h"
 #include "Catalog.h"
 
+// This define is used to limit the depth of recursive readPageTree calls
+// This is needed because the page tree nodes can reference their parents
+// leaving us in an infinite loop
+// Most sane pdf documents don't have a call depth higher than 10
+#define MAX_CALL_DEPTH 1000
+
 //------------------------------------------------------------------------
 // Catalog
 //------------------------------------------------------------------------
@@ -75,7 +81,7 @@
     pageRefs[i].num = -1;
     pageRefs[i].gen = -1;
   }
-  numPages = readPageTree(pagesDict.getDict(), NULL, 0);
+  numPages = readPageTree(pagesDict.getDict(), NULL, 0, 0);
   if (numPages != numPages0) {
     error(-1, "Page count in top-level pages object is incorrect");
   }
@@ -217,7 +223,7 @@
   return s;
 }
 
-int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) {
+int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start, int callDepth) {
   Object kids;
   Object kid;
   Object kidRef;
@@ -262,9 +268,13 @@
     // This should really be isDict("Pages"), but I've seen at least one
     // PDF file where the /Type entry is missing.
     } else if (kid.isDict()) {
-      if ((start = readPageTree(kid.getDict(), attrs1, start))
-	  < 0)
-	goto err2;
+      if (callDepth > MAX_CALL_DEPTH) {
+        error(-1, "Limit of %d recursive calls reached while reading the page tree. If your document is correct and not a test to try to force a crash, please report a bug.", MAX_CALL_DEPTH);
+      } else {
+        if ((start = readPageTree(kid.getDict(), attrs1, start, callDepth + 1))
+	    < 0)
+	  goto err2;
+      }
     } else {
       error(-1, "Kid object (page %d) is wrong type (%s)",
 	    start+1, kid.getTypeName());

Index: Catalog.h
===================================================================
RCS file: /cvs/poppler/poppler/poppler/Catalog.h,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -d -r1.9 -r1.10
--- Catalog.h	27 Dec 2006 15:23:04 -0000	1.9
+++ Catalog.h	11 Jan 2007 22:12:11 -0000	1.10
@@ -193,7 +193,7 @@
   PageMode pageMode;		// page mode
   PageLayout pageLayout;	// page layout
 
-  int readPageTree(Dict *pages, PageAttrs *attrs, int start);
+  int readPageTree(Dict *pages, PageAttrs *attrs, int start, int callDepth);
   Object *findDestInTree(Object *tree, GooString *name, Object *obj);
 };
 

