File poppler-CVE-2022-48545.patch of Package poppler-qt.31256

Overview Repositories Revisions Requests Users Attributes Meta

File poppler-CVE-2022-48545.patch of Package poppler-qt.31256

From 267ff8af69ae7e8526d9bfe5063207c87a9b70b5 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Sat, 2 Sep 2017 13:27:33 +0200
Subject: [PATCH] Fix infinite recursion in NameTree parsing in broken files

---
 poppler/Catalog.cc | 16 +++++++++++++---
 poppler/Catalog.h  |  2 +-
 2 files changed, 14 insertions(+), 4 deletions(-)

Index: poppler-0.43.0/poppler/Catalog.cc
===================================================================
--- poppler-0.43.0.orig/poppler/Catalog.cc
+++ poppler-0.43.0/poppler/Catalog.cc
@@ -685,13 +685,14 @@ int NameTree::Entry::cmpEntry(const void
 
 void NameTree::init(XRef *xrefA, Object *tree) {
   xref = xrefA;
-  parse(tree);
+  std::set<int> seen;
+  parse(tree, seen);
   if (entries && length > 0) {
     qsort(entries, length, sizeof(Entry *), Entry::cmpEntry);
   }
 }
 
-void NameTree::parse(Object *tree) {
+void NameTree::parse(Object *tree, std::set<int> &seen) {
   Object names;
   Object kids, kid;
   int i;
@@ -713,8 +714,18 @@ void NameTree::parse(Object *tree) {
   // root or intermediate node
   if (tree->dictLookup("Kids", &kids)->isArray()) {
     for (i = 0; i < kids.arrayGetLength(); ++i) {
+      Object kidRef;
+      kids.arrayGetNF(i, &kidRef);
+      if (kidRef.isRef()) {
+	const int numObj = kidRef.getRef().num;
+	if (seen.find(numObj) != seen.end()) {
+	  error(errSyntaxError, -1, "loop in NameTree (numObj: {0:d})", numObj);
+	  continue;
+	}
+	seen.insert(numObj);
+      }
       if (kids.arrayGet(i, &kid)->isDict())
-	parse(&kid);
+	parse(&kid, seen);
       kid.free();
     }
   }
Index: poppler-0.43.0/poppler/Catalog.h
===================================================================
--- poppler-0.43.0.orig/poppler/Catalog.h
+++ poppler-0.43.0/poppler/Catalog.h
@@ -85,7 +85,7 @@ private:
     static int cmp(const void *key, const void *entry);
   };
 
-  void parse(Object *tree);
+  void parse(Object *tree, std::set<int> &seen);
   void addEntry(Entry *entry);
 
   XRef *xref;

Places

File poppler-CVE-2022-48545.patch of Package poppler-qt.31256

Places