Posted to commits@pdfbox.apache.org by le...@apache.org on 2021/05/11 05:58:44 UTC

svn commit: r1889740 - /pdfbox/trunk/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/BaseParser.java

Author: lehmi
Date: Tue May 11 05:58:44 2021
New Revision: 1889740

URL: http://svn.apache.org/viewvc?rev=1889740&view=rev
Log:
PDFBOX-5190: abort parsing a corrupt COSArray to avoid an infinite loop/stack overflow

Modified:
    pdfbox/trunk/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/BaseParser.java

Modified: pdfbox/trunk/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/BaseParser.java
URL: http://svn.apache.org/viewvc/pdfbox/trunk/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/BaseParser.java?rev=1889740&r1=1889739&r2=1889740&view=diff
==============================================================================
--- pdfbox/trunk/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/BaseParser.java (original)
+++ pdfbox/trunk/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/BaseParser.java Tue May 11 05:58:44 2021
@@ -287,11 +287,6 @@ public abstract class BaseParser
     private boolean parseCOSDictionaryNameValuePair(COSDictionary obj) throws IOException
     {
         COSName key = parseCOSName();
-        if (key == null)
-        {
-            LOG.warn("Empty COSName at offset " + source.getPosition());
-            return false;
-        }
         COSBase value = parseCOSDictionaryValue();
         skipSpaces();
         if (value == null)
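Review bot: With the `key == null` guard removed, `parseCOSDictionaryNameValuePair` now relies on `parseCOSName()` never returning null, which is not visible in this hunk and is not mentioned in the PDFBOX-5190 log message. If that contract holds, a short comment after the call such as `// key is never null: parseCOSName() fails with an IOException on a malformed name` would record why the check could go. If it does not hold, a null key would reach the code that follows the hunk, so the guard should stay. The method body continues outside the hunk.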
@@ -659,13 +654,18 @@ public abstract class BaseParser
             else
             {
                 //it could be a bad object in the array which is just skipped
-                LOG.warn("Corrupt object reference at offset " +
-                        source.getPosition() + ", start offset: " + startPosition);
-
-                // This could also be an "endobj" or "endstream" which means we can assume that
-                // the array has ended.
+                LOG.warn("Corrupt array element at offset " + source.getPosition()
+                        + ", start offset: " + startPosition);
                 String isThisTheEnd = readString();
+                // return immediately if a corrupt element is followed by another array
+                // to avoid a possible infinite recursion as most likely the whole array is corrupted
+                if (isThisTheEnd.isEmpty() && source.peek() == '[')
+                {
+                    return po;
+                }
                 source.rewind(isThisTheEnd.getBytes(StandardCharsets.ISO_8859_1).length);
+                // This could also be an "endobj" or "endstream" which means we can assume that
+                // the array has ended.
                 if(ENDOBJ_STRING.equals(isThisTheEnd) || ENDSTREAM_STRING.equals(isThisTheEnd))
                 {
                     return po;
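Review bot: The new early return under `if (isThisTheEnd.isEmpty() && source.peek() == '[')` hands back a partially filled `po` without recording that parsing was abandoned, so logs cannot distinguish a truncated array from one that merely had a bad element skipped. A message before the `return po;`, for example `LOG.warn("Aborting corrupt array at offset " + source.getPosition() + ", start offset: " + startPosition);`, would make the abort visible to whoever triages a malformed document. The guard also covers only an empty token followed by `[`. Whether other inputs can leave `readString()` empty and the loop without progress depends on code outside this hunk, so a general nesting-depth or no-progress check in the enclosing method may be worth considering. The enclosing method starts and ends outside the hunk.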