File 0006-Extend-fix-for-CVE-2017-5852.patch of Package podofo
Subject: Patch by Mark Rogers: Extend fix for CVE-2017-5852
Url: https://sourceforge.net/p/podofo/code/1838/
--- a/podofo/trunk/src/doc/PdfPage.cpp
+++ b/podofo/trunk/src/doc/PdfPage.cpp
@@ -212,7 +212,7 @@
return rect;
}
-const PdfObject* PdfPage::GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject ) const
+const PdfObject* PdfPage::GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject, int depth ) const
{
const PdfObject* pObj = NULL;
@@ -227,6 +227,18 @@
// if we get here, we need to go check the parent - if there is one!
if( inObject->GetDictionary().HasKey( "Parent" ) )
{
+ // CVE-2017-5852 - prevent stack overflow if Parent chain contains a loop, or is very long
+ // e.g. pObj->GetParent() == pObj or pObj->GetParent()->GetParent() == pObj
+ // default stack sizes
+ // Windows: 1 MB
+ // Linux: 2 MB
+ // macOS: 8 MB for main thread, 0.5 MB for secondary threads
+ // 0.5 MB is enough space for 1000 512 byte stack frames and 2000 256 byte stack frames
+ const int maxRecursionDepth = 1000;
+
+ if ( depth > maxRecursionDepth )
+ PODOFO_RAISE_ERROR( ePdfError_ValueOutOfRange );
+
pObj = inObject->GetIndirectKey( "Parent" );
if( pObj == inObject )
{
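Review bot: The cap of 1000 in `maxRecursionDepth` rests on the default stack sizes listed in the comment and on an assumed frame size, so a caller running on a thread created with a smaller stack than the 0.5 MB considered there is not necessarily protected. The self-parent test in the context lines (`pObj == inObject`) only catches a one-element loop; a longer cycle in an untrusted PDF still descends the full 1000 frames before the error is raised. Walking the Parent chain in a loop with a counter would make the bound independent of stack size, though the function body starts and ends outside this hunk, so that rewrite cannot be judged from here. The raised error also gives no hint about its cause; if the tree's `PODOFO_RAISE_ERROR_INFO` macro is available, something like `PODOFO_RAISE_ERROR_INFO( ePdfError_ValueOutOfRange, "Parent chain too deep or cyclic" );` would make a rejected document easier to triage.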
@@ -237,7 +249,7 @@
}
if( pObj )
- pObj = GetInheritedKeyFromObject( inKey, pObj );
+ pObj = GetInheritedKeyFromObject( inKey, pObj, depth + 1 );
}
return pObj;
--- a/podofo/trunk/src/doc/PdfPage.h
+++ b/podofo/trunk/src/doc/PdfPage.h
@@ -291,7 +291,7 @@
/** Method for getting a key value that could be inherited (such as the boxes, resources, etc.)
* \returns PdfObject - the result of the key fetching or NULL
*/
- const PdfObject* GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject ) const;
+ const PdfObject* GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject, int depth = 0 ) const;
/** Get the annotations array.
* \param bCreate if true the annotations array is created