[poppler] poppler/Catalog.cc poppler/Catalog.h

[Albert Astals Cid]

 poppler/Catalog.cc |   16 +++++++++++++---
 poppler/Catalog.h  |    2 +-
 2 files changed, 14 insertions(+), 4 deletions(-)

New commits:
commit 267ff8af69ae7e8526d9bfe5063207c87a9b70b5
Author: Albert Astals Cid <aacid at kde.org>
Date:   Sat Sep 2 13:27:33 2017 +0200

    Fix infinite recursion in NameTree parsing in broken files

diff --git a/poppler/Catalog.cc b/poppler/Catalog.cc
index 6c820c66..8e8b979e 100644
--- a/poppler/Catalog.cc
+++ b/poppler/Catalog.cc
@@ -634,13 +634,14 @@ int NameTree::Entry::cmpEntry(const void *voidEntry, const void *voidOtherEntry)
 
 void NameTree::init(XRef *xrefA, Object *tree) {
   xref = xrefA;
-  parse(tree);
+  std::set<int> seen;
+  parse(tree, seen);
   if (entries && length > 0) {
     qsort(entries, length, sizeof(Entry *), Entry::cmpEntry);
   }
 }
 
-void NameTree::parse(Object *tree) {
+void NameTree::parse(Object *tree, std::set<int> &seen) {
   if (!tree->isDict())
     return;
 
@@ -659,9 +660,18 @@ void NameTree::parse(Object *tree) {
   Object kids = tree->dictLookup("Kids");
   if (kids.isArray()) {
     for (int i = 0; i < kids.arrayGetLength(); ++i) {
+      Object kidRef = kids.arrayGetNF(i);
+      if (kidRef.isRef()) {
+	const int numObj = kidRef.getRef().num;
+	if (seen.find(numObj) != seen.end()) {
+	  error(errSyntaxError, -1, "loop in NameTree (numObj: {0:d})", numObj);
+	  continue;
+	}
+	seen.insert(numObj);
+      }
       Object kid = kids.arrayGet(i);
       if (kid.isDict())
-	parse(&kid);
+	parse(&kid, seen);
     }
   }
 }
diff --git a/poppler/Catalog.h b/poppler/Catalog.h
index c8b501a1..37d6e1ec 100644
--- a/poppler/Catalog.h
+++ b/poppler/Catalog.h
@@ -86,7 +86,7 @@ private:
     static int cmp(const void *key, const void *entry);
   };
 
-  void parse(Object *tree);
+  void parse(Object *tree, std::set<int> &seen);
   void addEntry(Entry *entry);
 
   XRef *xref;