[poppler] poppler/Catalog.cc poppler/Catalog.h

[GitLab Mirror]

 poppler/Catalog.cc |   20 ++++++++++++++------
 poppler/Catalog.h  |    4 ++--
 2 files changed, 16 insertions(+), 8 deletions(-)

New commits:
commit ebb77e7a1fbb83c3ab7f9cd948d950bb5243f7c3
Author: Albert Astals Cid <aacid at kde.org>
Date:   Wed Jun 17 22:39:47 2020 +0200

    Fix infinite loop in broken file
    
    oss-fuzz/23515

diff --git a/poppler/Catalog.cc b/poppler/Catalog.cc
index a4d1edf5..59ddbfec 100644
--- a/poppler/Catalog.cc
+++ b/poppler/Catalog.cc
@@ -677,7 +677,7 @@ void NameTree::init(XRef *xrefA, Object *tree) {
   }
 }
 
-void NameTree::parse(Object *tree, std::set<int> &seen) {
+void NameTree::parse(const Object *tree, std::set<int> &seen) {
   if (!tree->isDict())
     return;
 
@@ -693,19 +693,27 @@ void NameTree::parse(Object *tree, std::set<int> &seen) {
   }
 
   // root or intermediate node
-  Object kids = tree->dictLookup("Kids");
+  Ref ref;
+  const Object kids = tree->getDict()->lookup("Kids", &ref);
+  if (ref != Ref::INVALID()) {
+    const int numObj = ref.num;
+    if (seen.find(numObj) != seen.end()) {
+      error(errSyntaxError, -1, "loop in NameTree (numObj: {0:d})", numObj);
+      return;
+    }
+    seen.insert(numObj);
+  }
   if (kids.isArray()) {
     for (int i = 0; i < kids.arrayGetLength(); ++i) {
-      const Object &kidRef = kids.arrayGetNF(i);
-      if (kidRef.isRef()) {
-	const int numObj = kidRef.getRef().num;
+      const Object kid = kids.getArray()->get(i, &ref);
+      if (ref != Ref::INVALID()) {
+	const int numObj = ref.num;
 	if (seen.find(numObj) != seen.end()) {
 	  error(errSyntaxError, -1, "loop in NameTree (numObj: {0:d})", numObj);
 	  continue;
 	}
 	seen.insert(numObj);
       }
-      Object kid = kids.arrayGet(i);
       if (kid.isDict())
 	parse(&kid, seen);
     }
diff --git a/poppler/Catalog.h b/poppler/Catalog.h
index a15dab28..7e9f237c 100644
--- a/poppler/Catalog.h
+++ b/poppler/Catalog.h
@@ -14,7 +14,7 @@
 // under GPL version 2 or later
 //
 // Copyright (C) 2005 Kristian Høgsberg <krh at redhat.com>
-// Copyright (C) 2005, 2007, 2009-2011, 2013, 2017-2019 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2005, 2007, 2009-2011, 2013, 2017-2020 Albert Astals Cid <aacid at kde.org>
 // Copyright (C) 2005 Jonathan Blandford <jrb at redhat.com>
 // Copyright (C) 2005, 2006, 2008 Brad Hards <bradh at frogmouth.net>
 // Copyright (C) 2007 Julien Rebetez <julienr at svn.gnome.org>
@@ -87,7 +87,7 @@ private:
     static int cmp(const void *key, const void *entry);
   };
 
-  void parse(Object *tree, std::set<int> &seen);
+  void parse(const Object *tree, std::set<int> &seen);
   void addEntry(Entry *entry);
 
   XRef *xref;