File r1925-Fix-uncontrolled-memory-allocation-in-the... of Package podofo.23799

Overview Repositories Revisions Requests Users Attributes Meta

File r1925-Fix-uncontrolled-memory-allocation-in-the-PdfParser-ReadXRefSubsection-CVE-2018-5296.patch of Package podofo.23799

------------------------------------------------------------------------
r1925 | domseichter | 2018-04-30 21:21:55 +0200 (lun, 30 abr 2018) | 1 line

FIXED: #6 based on the patch by Mark Rogers. Limit the maximum number of indirect objects by default to 2^23-1 as in the PDF reference Appendix C implementation limits

Index: src/base/PdfParser.cpp
===================================================================
--- src/base/PdfParser.cpp	(revision 1924)
+++ src/base/PdfParser.cpp	(revision 1925)
@@ -72,8 +72,10 @@
 
 namespace PoDoFo {
 
-long PdfParser::s_nMaxObjects = std::numeric_limits<long>::max();
-
+const long nMaxNumIndirectObjects = (1L << 23) - 1L;
+long PdfParser::s_nMaxObjects = nMaxNumIndirectObjects;
+  
+    
# class PdfRecursionGuard
# {
#   // RAII recursion guard ensures m_nRecursionDepth is always decremented
 PdfParser::PdfParser( PdfVecObjects* pVecObjects )
     : PdfTokenizer(), m_vecObjects( pVecObjects ), m_bStrictParsing( false )
 
@@ -352,13 +354,10 @@
         m_nNumObjects = 0;
     }
 
-    // allow caller to specify a max object count to avoid very slow load times on large documents
-    if (s_nMaxObjects != std::numeric_limits<long>::max()
-        && m_nNumObjects > s_nMaxObjects)
-        PODOFO_RAISE_ERROR_INFO( ePdfError_ValueOutOfRange,  "m_nNumObjects is greater than m_nMaxObjects." );
-
     if (m_nNumObjects > 0)
-        m_offsets.resize(m_nNumObjects);
+    {
+      ResizeOffsets( m_nNumObjects );
+    }
 
     if( m_pLinearization )
     {
@@ -769,7 +768,7 @@
             if( e == ePdfError_NoNumber || e == ePdfError_InvalidXRef || e == ePdfError_UnexpectedEOF ) 
                 break;
             else 
-            {
+	    {
                 e.AddToCallstack( __FILE__, __LINE__ );
                 throw e;
             }
@@ -820,19 +819,22 @@
         }
 
         if ( static_cast<pdf_uint64>( nFirstObject ) + static_cast<pdf_uint64>( nNumObjects ) > static_cast<pdf_uint64>( std::numeric_limits<size_t>::max() ) )
+        {
             PODOFO_RAISE_ERROR_INFO( ePdfError_ValueOutOfRange,
                 "xref subsection's given entry numbers together too large" );
-    
+        }
+        
         if( nFirstObject + nNumObjects > m_nNumObjects )
         {
             try {
+  	      
 #ifdef _WIN32
-                m_nNumObjects = static_cast<long>(nFirstObject + nNumObjects);
-                m_offsets.resize(static_cast<long>(nFirstObject+nNumObjects));
+                m_nNumObjects = static_cast<long>(nFirstObject+nNumObjects);
 #else
                 m_nNumObjects = nFirstObject + nNumObjects;
-                m_offsets.resize(nFirstObject+nNumObjects);
 #endif // _WIN32
+                ResizeOffsets(nFirstObject + nNumObjects);
+
             } catch (std::exception &) {
                 // If m_nNumObjects*sizeof(TXRefEntry) > std::numeric_limits<size_t>::max() then
                 // resize() throws std::length_error, for smaller allocations that fail it may throw
@@ -1444,6 +1446,17 @@
     
 }
 
+void PdfParser::ResizeOffsets( pdf_long nNewSize )
+{
+    // allow caller to specify a max object count to avoid very slow load times on large documents
+    if (nNewSize > s_nMaxObjects)
+    {
+        PODOFO_RAISE_ERROR_INFO( ePdfError_ValueOutOfRange,  "nNewSize is greater than m_nMaxObjects." );
+    }
+    
+    m_offsets.resize( nNewSize );  
+}
+
 void PdfParser::CheckEOFMarker()
 {
     // Check for the existence of the EOF marker
Index: src/base/PdfParser.h
===================================================================
--- src/base/PdfParser.h	(revision 1924)
+++ src/base/PdfParser.h	(revision 1925)
@@ -381,8 +381,7 @@
     inline void SetIgnoreBrokenObjects( bool bBroken );
 
     /**
-     * \return maximum object count to read (default is LONG_MAX
-     * which means no limit)
+     * \return maximum object count to read
      */
     inline static long GetMaxObjectCount();
     
@@ -394,6 +393,10 @@
      * working set and spend 15 mins in Load() before throwing
      * an out of memory exception.
      *
+     * By default, the maximum object count is set to 8388607 
+     * which is the maximum number of indirect objects according 
+     * to the PDF specification.
+     *
      * \param nMaxObjects set max number of objects
      */
     inline static void SetMaxObjectCount( long nMaxObjects );
@@ -564,6 +567,15 @@
      */
     void         UpdateDocumentVersion();
 
+
+    /** Resize the internal structure m_offsets in a safe manner.
+     *  The limit for the maximum number of indirect objects in a PDF file is checked by this method.
+     *  The maximum is 2^23-1 (8.388.607). 
+     *
+     *  \param nNewSize new size of the vector
+     */
+    void ResizeOffsets( pdf_long nNewSize );
+    
  private:
     EPdfVersion   m_ePdfVersion;
 
#@@ -594,7 +606,7 @@
#     int           m_nRecursionDepth;
# 
#     static long   s_nMaxObjects;
#-
#+    
#     std::set<pdf_long> m_visitedXRefOffsets;
# };
# 
Index: test/unit/BasicTypeTest.cpp
===================================================================
--- test/unit/BasicTypeTest.cpp	(revision 1924)
+++ test/unit/BasicTypeTest.cpp	(revision 1925)
@@ -40,3 +40,8 @@
 {
     CPPUNIT_ASSERT_MESSAGE("pdf_uint64 is big enough to hold an xref entry", std::numeric_limits<pdf_uint64>::max() >= PODOFO_ULL_LITERAL(9999999999) );
 }
+
+void BasicTypeTest::testDefaultMaximumNumberOfObjects()
+{
+    CPPUNIT_ASSERT_EQUAL_MESSAGE("PdfReference allows 8,388,607 indirect objects.", 8388607L, PdfParser::GetMaxObjectCount() );
+}
Index: test/unit/BasicTypeTest.h
===================================================================
--- test/unit/BasicTypeTest.h	(revision 1924)
+++ test/unit/BasicTypeTest.h	(revision 1925)
@@ -31,16 +31,18 @@
  */
 class BasicTypeTest : public CppUnit::TestFixture
 {
-  CPPUNIT_TEST_SUITE( BasicTypeTest );
-  CPPUNIT_TEST( testXrefOffsetTypeSize );
-  CPPUNIT_TEST_SUITE_END();
-
+    CPPUNIT_TEST_SUITE( BasicTypeTest );
+    CPPUNIT_TEST( testXrefOffsetTypeSize );
+    CPPUNIT_TEST( testDefaultMaximumNumberOfObjects );
+    CPPUNIT_TEST_SUITE_END();
+    
  public:
-  void setUp();
-  void tearDown();
-
-  void testXrefOffsetTypeSize();
-
+    void setUp();
+    void tearDown();
+    
+    void testXrefOffsetTypeSize();
+    void testDefaultMaximumNumberOfObjects();
+    
  private:
 };

------------------------------------------------------------------------

Places

File r1925-Fix-uncontrolled-memory-allocation-in-the-PdfParser-ReadXRefSubsection-CVE-2018-5296.patch of Package podofo.23799

Places