Posted to commits@pdfbox.apache.org by le...@apache.org on 2021/05/11 05:58:44 UTC
svn commit: r1889740 -
/pdfbox/trunk/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/BaseParser.java
Author: lehmi
Date: Tue May 11 05:58:44 2021
New Revision: 1889740
URL: http://svn.apache.org/viewvc?rev=1889740&view=rev
Log:
PDFBOX-5190: abort parsing a corrupt COSArray to avoid an infinite loop/stack overflow
Modified:
pdfbox/trunk/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/BaseParser.java
Modified: pdfbox/trunk/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/BaseParser.java
URL: http://svn.apache.org/viewvc/pdfbox/trunk/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/BaseParser.java?rev=1889740&r1=1889739&r2=1889740&view=diff
==============================================================================
--- pdfbox/trunk/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/BaseParser.java (original)
+++ pdfbox/trunk/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/BaseParser.java Tue May 11 05:58:44 2021
@@ -287,11 +287,6 @@ public abstract class BaseParser
private boolean parseCOSDictionaryNameValuePair(COSDictionary obj) throws IOException
{
COSName key = parseCOSName();
- if (key == null)
- {
- LOG.warn("Empty COSName at offset " + source.getPosition());
- return false;
- }
COSBase value = parseCOSDictionaryValue();
skipSpaces();
if (value == null)
@@ -659,13 +654,18 @@ public abstract class BaseParser
else
{
//it could be a bad object in the array which is just skipped
- LOG.warn("Corrupt object reference at offset " +
- source.getPosition() + ", start offset: " + startPosition);
-
- // This could also be an "endobj" or "endstream" which means we can assume that
- // the array has ended.
+ LOG.warn("Corrupt array element at offset " + source.getPosition()
+ + ", start offset: " + startPosition);
String isThisTheEnd = readString();
+ // return immediately if a corrupt element is followed by another array
+ // to avoid a possible infinite recursion as most likely the whole array is corrupted
+ if (isThisTheEnd.isEmpty() && source.peek() == '[')
+ {
+ return po;
+ }
source.rewind(isThisTheEnd.getBytes(StandardCharsets.ISO_8859_1).length);
+ // This could also be an "endobj" or "endstream" which means we can assume that
+ // the array has ended.
if(ENDOBJ_STRING.equals(isThisTheEnd) || ENDSTREAM_STRING.equals(isThisTheEnd))
{
return po;
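Review bot: The new early return at `if (isThisTheEnd.isEmpty() && source.peek() == '[')` bails out for only one of the inputs that make `readString()` come back empty; for any other delimiter following the corrupt element the code falls through to `source.rewind(0)` and continues at the very same offset, so whether the loop still spins on other corrupt inputs depends on the loop head and on the null-returning parse call, both of which lie outside this hunk. Since the stated goal is defending against a crafted file causing an infinite loop or stack overflow, a progress check is more robust than matching one byte: record `long before = source.getPosition();` at the top of the iteration and `if (source.getPosition() == before) { return po; }` before the next pass, or at minimum drop the `source.peek() == '['` condition so any non-advancing read aborts the array. The comment on the guard should also say why this matters for untrusted input, e.g. `// Guard against a crafted/corrupt array that would otherwise recurse or loop without consuming input (DoS).`, so a later refactor does not narrow it further. The enclosing method starts and ends outside the hunk.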