Browse code
bb12006: correction to dictionary length checks when parsing pdf objects.
Micah Snyder authored on 2018/03/09 02:21:16Showing 1 changed files
| ... | ... |
@@ -1556,20 +1556,27 @@ void pdf_parseobj(struct pdf_struct *pdf, struct pdf_obj *obj) |
| 1556 | 1556 |
if (objstate == STATE_LAUNCHACTION) |
| 1557 | 1557 |
pdfobj_flag(pdf, obj, HAS_LAUNCHACTION); |
| 1558 | 1558 |
if (dict_length > 0 && (objstate == STATE_JAVASCRIPT || objstate == STATE_OPENACTION || objstate == STATE_CONTENTS)) {
|
| 1559 |
+ off_t dict_remaining = dict_length; |
|
| 1560 |
+ |
|
| 1559 | 1561 |
if (objstate == STATE_OPENACTION) |
| 1560 | 1562 |
pdfobj_flag(pdf, obj, HAS_OPENACTION); |
| 1561 | 1563 |
|
| 1562 |
- q2 = pdf_nextobject(q, dict_length); |
|
| 1564 |
+ q2 = pdf_nextobject(q, dict_remaining); |
|
| 1563 | 1565 |
if (q2 && isdigit(*q2)) {
|
| 1566 |
+ const char * q2_old = NULL; |
|
| 1567 |
+ dict_remaining -= (off_t)(q2 - q); |
|
| 1568 |
+ |
|
| 1564 | 1569 |
uint32_t objid = atoi(q2) << 8; |
| 1565 | 1570 |
while (isdigit(*q2)) |
| 1566 | 1571 |
q2++; |
| 1567 | 1572 |
|
| 1568 |
- q2 = pdf_nextobject(q2, dict_length); |
|
| 1573 |
+ q2_old = q2; |
|
| 1574 |
+ q2 = pdf_nextobject(q2, dict_remaining); |
|
| 1569 | 1575 |
if (q2 && isdigit(*q2)) {
|
| 1576 |
+ dict_remaining -= (off_t)(q2 - q2_old); |
|
| 1570 | 1577 |
objid |= atoi(q2) & 0xff; |
| 1571 |
- q2 = pdf_nextobject(q2, dict_length); |
|
| 1572 | 1578 |
|
| 1579 |
+ q2 = pdf_nextobject(q2, dict_remaining); |
|
| 1573 | 1580 |
if (q2 && *q2 == 'R') {
|
| 1574 | 1581 |
struct pdf_obj *obj2; |
| 1575 | 1582 |
|