Fix a few stack/buffer overflow bugs discovered by Bart, Steffan, and Mark from

the Radboud University NL (thanks!) - Add depth argument to all value read functions that recurse - Add depth argument to page tree loading code - Validate xref stream sizes individually to avoid out-of-bounds access to local xref buffer.
2025-07-19 07:19:58 +02:00 · 2021-11-29 17:46:56 -05:00
parent ec8e900ea5
commit a431d7806f
8 changed files with 50 additions and 20 deletions
--- a/pdfio-value.c
+++ b/pdfio-value.c
@ -196,7 +196,8 @@ _pdfio_value_t *			// O - Value or `NULL` on error/EOF
 _pdfioValueRead(pdfio_file_t   *pdf,	// I - PDF file
                pdfio_obj_t    *obj,	// I - Object, if any
                _pdfio_token_t *tb,	// I - Token buffer/stack
-                _pdfio_value_t *v)	// I - Value
+                _pdfio_value_t *v,	// I - Value
+                size_t         depth)	// I - Depth of value
 {
  char		token[32768];		// Token buffer
 #ifdef DEBUG
@ -226,15 +227,27 @@ _pdfioValueRead(pdfio_file_t   *pdf,	// I - PDF file
  if (!strcmp(token, "["))
  {
    // Start of array
+    if (depth >= PDFIO_MAX_DEPTH)
+    {
+      _pdfioFileError(pdf, "Too many nested arrays.");
+      return (NULL);
+    }
+
    v->type = PDFIO_VALTYPE_ARRAY;
-    if ((v->value.array = _pdfioArrayRead(pdf, obj, tb)) == NULL)
+    if ((v->value.array = _pdfioArrayRead(pdf, obj, tb, depth + 1)) == NULL)
      return (NULL);
  }
  else if (!strcmp(token, "<<"))
  {
    // Start of dictionary
+    if (depth >= PDFIO_MAX_DEPTH)
+    {
+      _pdfioFileError(pdf, "Too many nested dictionaries.");
+      return (NULL);
+    }
+
    v->type = PDFIO_VALTYPE_DICT;
-    if ((v->value.dict = _pdfioDictRead(pdf, obj, tb)) == NULL)
+    if ((v->value.dict = _pdfioDictRead(pdf, obj, tb, depth + 1)) == NULL)
      return (NULL);
  }
  else if (!strncmp(token, "(D:", 3))