| ... | ... |
@@ -72,6 +72,8 @@ |
| 72 | 72 |
*Save the file being worked on in tmp */ |
| 73 | 73 |
#endif |
| 74 | 74 |
|
| 75 |
+#define MAX_PDF_OBJECTS (64 * 1024) |
|
| 76 |
+ |
|
| 75 | 77 |
struct pdf_struct; |
| 76 | 78 |
|
| 77 | 79 |
static int asciihexdecode(const char *buf, off_t len, char *output); |
| ... | ... |
@@ -324,6 +326,14 @@ int pdf_findobj_in_objstm(struct pdf_struct *pdf, struct objstm_struct *objstm, |
| 324 | 324 |
return CL_EARG; |
| 325 | 325 |
} |
| 326 | 326 |
|
| 327 |
+ if (pdf->nobjs >= MAX_PDF_OBJECTS) {
|
|
| 328 |
+ pdf->flags |= 1 << BAD_PDF_TOOMANYOBJS; |
|
| 329 |
+ |
|
| 330 |
+ cli_dbgmsg("pdf_findobj_in_objstm: reached object maximum\n");
|
|
| 331 |
+ status = CL_BREAK; |
|
| 332 |
+ goto done; |
|
| 333 |
+ } |
|
| 334 |
+ |
|
| 327 | 335 |
*obj_found = NULL; |
| 328 | 336 |
|
| 329 | 337 |
index = objstm->streambuf + objstm->current_pair; |
| ... | ... |
@@ -529,6 +539,13 @@ cl_error_t pdf_findobj(struct pdf_struct *pdf) |
| 529 | 529 |
unsigned long genid, objid; |
| 530 | 530 |
long temp_long; |
| 531 | 531 |
|
| 532 |
+ if (pdf->nobjs >= MAX_PDF_OBJECTS) {
|
|
| 533 |
+ pdf->flags |= 1 << BAD_PDF_TOOMANYOBJS; |
|
| 534 |
+ |
|
| 535 |
+ cli_dbgmsg("pdf_findobj: reached object maximum\n");
|
|
| 536 |
+ status = CL_BREAK; |
|
| 537 |
+ goto done; |
|
| 538 |
+ } |
|
| 532 | 539 |
pdf->nobjs++; |
| 533 | 540 |
pdf->objs = cli_realloc2(pdf->objs, sizeof(struct pdf_obj *) * pdf->nobjs); |
| 534 | 541 |
if (!pdf->objs) {
|
| ... | ... |
@@ -3094,12 +3111,13 @@ cl_error_t pdf_find_and_parse_objs_in_objstm(struct pdf_struct *pdf, struct objs |
| 3094 | 3094 |
|
| 3095 | 3095 |
/* Find object */ |
| 3096 | 3096 |
retval = pdf_findobj_in_objstm(pdf, objstm, &obj); |
| 3097 |
- |
|
| 3098 | 3097 |
if (retval != CL_SUCCESS) {
|
| 3099 |
- cli_dbgmsg("pdf_find_and_parse_objs_in_objstm: Fewer objects in stream than expected: %u found, %u expected.\n",
|
|
| 3100 |
- objstm->nobjs_found, objstm->n); |
|
| 3101 |
- badobjects++; |
|
| 3102 |
- pdf->stats.ninvalidobjs++; |
|
| 3098 |
+ if (retval != CL_BREAK) {
|
|
| 3099 |
+ cli_dbgmsg("pdf_find_and_parse_objs_in_objstm: Fewer objects in stream than expected: %u found, %u expected.\n",
|
|
| 3100 |
+ objstm->nobjs_found, objstm->n); |
|
| 3101 |
+ badobjects++; |
|
| 3102 |
+ pdf->stats.ninvalidobjs++; |
|
| 3103 |
+ } |
|
| 3103 | 3104 |
break; |
| 3104 | 3105 |
} |
| 3105 | 3106 |
|
| ... | ... |
@@ -3154,13 +3172,12 @@ cl_error_t pdf_find_and_extract_objs(struct pdf_struct *pdf, uint32_t *alerts) |
| 3154 | 3154 |
/* parse PDF and find obj offsets */ |
| 3155 | 3155 |
while (CL_BREAK != (rv = pdf_findobj(pdf))) {
|
| 3156 | 3156 |
if (rv == CL_EMEM) {
|
| 3157 |
- break; |
|
| 3157 |
+ cli_errmsg("pdf_find_and_extract_objs: Memory allocation error.\n");
|
|
| 3158 |
+ status = CL_EMEM; |
|
| 3159 |
+ goto done; |
|
| 3158 | 3160 |
} |
| 3159 | 3161 |
} |
| 3160 | 3162 |
|
| 3161 |
- if (rv == -1) |
|
| 3162 |
- pdf->flags |= 1 << BAD_PDF_TOOMANYOBJS; |
|
| 3163 |
- |
|
| 3164 | 3163 |
/* must parse after finding all objs, so we can flag indirect objects */ |
| 3165 | 3164 |
for (i = 0; i < pdf->nobjs; i++) {
|
| 3166 | 3165 |
struct pdf_obj *obj = pdf->objs[i]; |
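Review bot: In the `pdf_findobj_in_objstm` hunk, the new `if (pdf->nobjs >= MAX_PDF_OBJECTS)` guard jumps to `done` before `*obj_found = NULL;` runs, so the visible code never writes the out-parameter on the limit path. The caller shown in `pdf_find_and_parse_objs_in_objstm` breaks on any non-success return, so this looks harmless there, but any caller that inspects its `obj` after a `CL_BREAK` would read a stale or uninitialised pointer. Moving `*obj_found = NULL;` to just above the guard, after the argument checks that return `CL_EARG`, closes that gap. The `done` label and the rest of both functions lie outside the hunks, so it is worth confirming that the cleanup there only touches state initialised before the guard. `MAX_PDF_OBJECTS` would also benefit from a one-line comment such as `/* Upper bound on entries in pdf->objs; once reached, object discovery stops and BAD_PDF_TOOMANYOBJS is set. */`.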