--- kpdf/xpdf/xpdf/Catalog.cc +++ kpdf/xpdf/xpdf/Catalog.cc @@ -26,6 +26,12 @@ #include "UGString.h" #include "Catalog.h" +// This define is used to limit the depth of recursive readPageTree calls +// This is needed because the page tree nodes can reference their parents +// leaving us in an infinite loop +// Most sane pdf documents don't have a call depth higher than 10 +#define MAX_CALL_DEPTH 1000 + //------------------------------------------------------------------------ // Catalog //------------------------------------------------------------------------ @@ -76,7 +82,7 @@ Catalog::Catalog(XRef *xrefA) { pageRefs[i].num = -1; pageRefs[i].gen = -1; } - numPages = readPageTree(pagesDict.getDict(), NULL, 0); + numPages = readPageTree(pagesDict.getDict(), NULL, 0, 0); if (numPages != numPages0) { error(-1, "Page count in top-level pages object is incorrect"); } @@ -191,7 +197,7 @@ GString *Catalog::readMetadata() { return s; } -int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) { +int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start, int callDepth) { Object kids; Object kid; Object kidRef; @@ -236,9 +242,13 @@ int Catalog::readPageTree(Dict *pagesDic // This should really be isDict("Pages"), but I've seen at least one // PDF file where the /Type entry is missing. } else if (kid.isDict()) { - if ((start = readPageTree(kid.getDict(), attrs1, start)) - < 0) - goto err2; + if (callDepth > MAX_CALL_DEPTH) { + error(-1, "Limit of %d recursive calls reached while reading the page tree. If your document is correct and not a test to try to force a crash, please report a bug.", MAX_CALL_DEPTH); + } else { + if ((start = readPageTree(kid.getDict(), attrs1, start, callDepth + 1)) + < 0) + goto err2; + } } else { error(-1, "Kid object (page %d) is wrong type (%s)", start+1, kid.getTypeName()); --- kpdf/xpdf/xpdf/Catalog.h +++ kpdf/xpdf/xpdf/Catalog.h @@ -128,7 +128,7 @@ private: Object acroForm; // AcroForm dictionary GBool ok; // true if catalog is valid - int readPageTree(Dict *pages, PageAttrs *attrs, int start); + int readPageTree(Dict *pages, PageAttrs *attrs, int start, int callDepth); Object *findDestInTree(Object *tree, GString *name, Object *obj); };