File r1838-Extend-fix-for-CVE-2017-5852.patch of Package podofo.7908

Overview Repositories Revisions Requests Users Attributes Meta

File r1838-Extend-fix-for-CVE-2017-5852.patch of Package podofo.7908

------------------------------------------------------------------------
r1838 | aja_ | 2017-04-09 13:13:05 +0200 (dom, 09 abr 2017) | 2 lines

Patch by Mark Rogers: Extend fix for CVE-2017-5852

Index: src/doc/PdfPage.cpp
===================================================================
--- src/doc/PdfPage.cpp.orig
+++ src/doc/PdfPage.cpp
#@@ -212,7 +212,7 @@
#     return rect;
# }
# 
#-const PdfObject* PdfPage::GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject ) const
#+const PdfObject* PdfPage::GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject, int depth ) const
# {
#     const PdfObject* pObj = NULL;
# 
@@ -200,6 +200,11 @@ PdfRect PdfPage::CreateStandardPageSize(
 
 const PdfObject* PdfPage::GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject ) const
 {
+    return GetInheritedKeyFromObject( inKey, inObject, 0 );
+}
+
+const PdfObject* PdfPage::GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject, int depth ) const
+{
     const PdfObject* pObj = NULL;
 
     // check for it in the object itself
@@ -213,6 +218,18 @@ const PdfObject* PdfPage::GetInheritedKe
     // if we get here, we need to go check the parent - if there is one!
     if( inObject->GetDictionary().HasKey( "Parent" ) ) 
     {
+        // CVE-2017-5852 - prevent stack overflow if Parent chain contains a loop, or is very long
+        // e.g. pObj->GetParent() == pObj or pObj->GetParent()->GetParent() == pObj
+        // default stack sizes
+        // Windows: 1 MB
+        // Linux: 2 MB
+        // macOS: 8 MB for main thread, 0.5 MB for secondary threads
+        // 0.5 MB is enough space for 1000 512 byte stack frames and 2000 256 byte stack frames
+        const int maxRecursionDepth = 1000;
+
+        if ( depth > maxRecursionDepth )
+            PODOFO_RAISE_ERROR( ePdfError_ValueOutOfRange );
+
         pObj = inObject->GetIndirectKey( "Parent" );
         if( pObj == inObject )
         {
@@ -223,7 +240,7 @@ const PdfObject* PdfPage::GetInheritedKe
         }
 
         if( pObj )
-            pObj = GetInheritedKeyFromObject( inKey, pObj );
+            pObj = GetInheritedKeyFromObject( inKey, pObj, depth + 1 );
     }
 
     return pObj;
Index: src/doc/PdfPage.h
===================================================================
--- src/doc/PdfPage.h.orig
+++ src/doc/PdfPage.h
#@@ -291,7 +291,7 @@
#     /** Method for getting a key value that could be inherited (such as the boxes, resources, etc.)
#      *  \returns PdfObject - the result of the key fetching or NULL
#      */
#-    const PdfObject* GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject ) const; 
#+    const PdfObject* GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject, int depth = 0 ) const;
# 
#     /** Get the annotations array.
#      *  \param bCreate if true the annotations array is created 
@@ -275,7 +275,8 @@ class PODOFO_DOC_API PdfPage : public Pd
     /** Method for getting a key value that could be inherited (such as the boxes, resources, etc.)
      *  \returns PdfObject - the result of the key fetching or NULL
      */
-    const PdfObject* GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject ) const; 
+    const PdfObject* GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject ) const;
+    const PdfObject* GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject, int depth ) const;
 
     /** Get the annotations array.
      *  \param bCreate if true the annotations array is created

Places

File r1838-Extend-fix-for-CVE-2017-5852.patch of Package podofo.7908

Places