File 0006-Extend-fix-for-CVE-2017-5852.patch of Package podofo

Overview Repositories Revisions Requests Users Attributes Meta

File 0006-Extend-fix-for-CVE-2017-5852.patch of Package podofo

Subject: Patch by Mark Rogers: Extend fix for CVE-2017-5852
Url: https://sourceforge.net/p/podofo/code/1838/

--- a/podofo/trunk/src/doc/PdfPage.cpp
+++ b/podofo/trunk/src/doc/PdfPage.cpp
@@ -212,7 +212,7 @@
     return rect;
 }
 
-const PdfObject* PdfPage::GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject ) const
+const PdfObject* PdfPage::GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject, int depth ) const
 {
     const PdfObject* pObj = NULL;
 
@@ -227,6 +227,18 @@
     // if we get here, we need to go check the parent - if there is one!
     if( inObject->GetDictionary().HasKey( "Parent" ) ) 
     {
+        // CVE-2017-5852 - prevent stack overflow if Parent chain contains a loop, or is very long
+        // e.g. pObj->GetParent() == pObj or pObj->GetParent()->GetParent() == pObj
+        // default stack sizes
+        // Windows: 1 MB
+        // Linux: 2 MB
+        // macOS: 8 MB for main thread, 0.5 MB for secondary threads
+        // 0.5 MB is enough space for 1000 512 byte stack frames and 2000 256 byte stack frames
+        const int maxRecursionDepth = 1000;
+
+        if ( depth > maxRecursionDepth )
+            PODOFO_RAISE_ERROR( ePdfError_ValueOutOfRange );
+
         pObj = inObject->GetIndirectKey( "Parent" );
         if( pObj == inObject )
         {
@@ -237,7 +249,7 @@
         }
 
         if( pObj )
-            pObj = GetInheritedKeyFromObject( inKey, pObj );
+            pObj = GetInheritedKeyFromObject( inKey, pObj, depth + 1 );
     }
 
     return pObj;
--- a/podofo/trunk/src/doc/PdfPage.h
+++ b/podofo/trunk/src/doc/PdfPage.h
@@ -291,7 +291,7 @@
     /** Method for getting a key value that could be inherited (such as the boxes, resources, etc.)
      *  \returns PdfObject - the result of the key fetching or NULL
      */
-    const PdfObject* GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject ) const; 
+    const PdfObject* GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject, int depth = 0 ) const;
 
     /** Get the annotations array.
      *  \param bCreate if true the annotations array is created

Places

File 0006-Extend-fix-for-CVE-2017-5852.patch of Package podofo

Places