File qpdf-CVE-2018-9918.patch of Package qpdf.34425
From b4d6cf6836ce025ba1811b7bbec52680c7204223 Mon Sep 17 00:00:00 2001
From: Jay Berkenbilt <ejb@ql.org>
Date: Sun, 15 Apr 2018 16:11:22 -0400
Subject: [PATCH] Limit depth of nesting in direct objects (fixes #202)
This fixes CVE-2018-9918.
Index: qpdf-7.1.1/libqpdf/QPDFObjectHandle.cc
===================================================================
--- qpdf-7.1.1.orig/libqpdf/QPDFObjectHandle.cc
+++ qpdf-7.1.1/libqpdf/QPDFObjectHandle.cc
@@ -1054,12 +1054,26 @@ QPDFObjectHandle::parseInternal(PointerH
case QPDFTokenizer::tt_array_open:
case QPDFTokenizer::tt_dict_open:
- olist_stack.push_back(std::vector<QPDFObjectHandle>());
- state = st_start;
- offset_stack.push_back(input->tell());
- state_stack.push_back(
- (token.getType() == QPDFTokenizer::tt_array_open) ?
- st_array : st_dictionary);
+ if (olist_stack.size() > 500)
+ {
+ QTC::TC("qpdf", "QPDFObjectHandle too deep");
+ warn(context,
+ QPDFExc(qpdf_e_damaged_pdf, input->getName(),
+ object_description,
+ input->getLastOffset(),
+ "ignoring excessively deeply nested data structure"));
+ object = newNull();
+ state = st_top;
+ }
+ else
+ {
+ olist_stack.push_back(std::vector<QPDFObjectHandle>());
+ state = st_start;
+ offset_stack.push_back(input->tell());
+ state_stack.push_back(
+ (token.getType() == QPDFTokenizer::tt_array_open) ?
+ st_array : st_dictionary);
+ }
break;
case QPDFTokenizer::tt_bool:
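Review bot: The nesting limit `500` on the first added line is a bare literal with nothing recording that it exists to bound the depth of a direct-object parse on attacker-controlled input (the resource-exhaustion this commit addresses), so a later reader may relax or remove it without seeing the consequence; a named constant such as `static const size_t max_nesting_depth = 500;` with a one-line comment pointing at issue #202, and `if (olist_stack.size() > max_nesting_depth)`, would make the intent greppable. The comparison as written admits 501 pushed frames before refusing, which is harmless but worth stating if the number is meant as an exact bound. On the rejection path the code sets `object = newNull()` and `state = st_top` while `olist_stack`, `offset_stack` and `state_stack` still hold the partially built containers; judging from the updated issue-146.out this appears to abandon the whole object rather than only the innermost one, which is the safe choice, but a short comment saying that is the intended effect would spare the next maintainer from re-deriving it from the state machine. parseInternal begins and ends outside the hunk.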
Index: qpdf-7.1.1/qpdf/qpdf.testcov
===================================================================
--- qpdf-7.1.1.orig/qpdf/qpdf.testcov
+++ qpdf-7.1.1/qpdf/qpdf.testcov
@@ -302,3 +302,4 @@ qpdf-c called qpdf_set_compress_streams
qpdf-c called qpdf_set_preserve_unreferenced_objects 0
qpdf-c called qpdf_set_newline_before_endstream 0
QPDF_Stream TIFF predictor 0
+QPDFObjectHandle too deep 0
Index: qpdf-7.1.1/qpdf/qtest/qpdf/issue-146.out
===================================================================
--- qpdf-7.1.1.orig/qpdf/qtest/qpdf/issue-146.out
+++ qpdf-7.1.1/qpdf/qtest/qpdf/issue-146.out
@@ -1,5 +1,5 @@
WARNING: issue-146.pdf: file is damaged
WARNING: issue-146.pdf: can't find startxref
WARNING: issue-146.pdf: Attempting to reconstruct cross-reference table
-WARNING: issue-146.pdf (trailer, file position 20728): unknown token while reading object; treating as string
-issue-146.pdf (trailer, file position 20732): EOF while reading token
+WARNING: issue-146.pdf (trailer, file position 695): ignoring excessively deeply nested data structure
+issue-146.pdf: unable to find trailer dictionary while recovering damaged file