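--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -1340,6 +1340,13 @@ QPDF::readObjectAtOffset(bool try_recove
 objid = atoi(tobjid.getValue().c_str());
 generation = atoi(tgen.getValue().c_str());
 
+ if (objid == 0)
+ {
+ throw QPDFExc(qpdf_e_damaged_pdf, this->file->getName(),
+ this->last_object_description, offset,
+ "object with ID 0");
+ }
+
 if ((exp_objid >= 0) &&
 (! ((objid == exp_objid) && (generation == exp_generation))))
 {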
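Review bot: The new guard after the two `atoi` calls rejects only the exact value 0, so a negative or out-of-range object number still gets past this point; `atoi` reports no error and its behaviour on overflow is undefined. Whether the tokens are already restricted to non-negative integers earlier in `readObjectAtOffset` cannot be seen here, since the function starts and ends outside the hunk. If they are not, consider `if (objid <= 0)` with the message widened to `"object with invalid ID"`, or a range-checked conversion in place of `atoi`. The equality-only test added to `QPDFObjectHandle::newIndirect` has the same gap.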
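--- a/libqpdf/QPDFObjectHandle.cc
+++ b/libqpdf/QPDFObjectHandle.cc
@@ -1090,6 +1090,15 @@ QPDFObjectHandle::parseInternal(PointerH
 QPDFObjectHandle
 QPDFObjectHandle::newIndirect(QPDF* qpdf, int objid, int generation)
 {
+ if (objid == 0)
+ {
+ // Special case: QPDF uses objid 0 as a sentinel for direct
+ // objects, and the PDF specification doesn't allow for object
+ // 0. Treat indirect references to object 0 as null so that we
+ // never create an indirect object with objid 0.
+ return newNull();
+ }
+
 return QPDFObjectHandle(qpdf, objid, generation);
 }
 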
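Review bot: Returning `newNull()` for objid 0 in `newIndirect` drops the reference with no warning, so a damaged file that refers to object 0 is accepted silently and a caller that passes 0 gets a null handle with no diagnostic. The in-function comment explains the sentinel, but the changed contract is not documented where callers read it, and the header is not touched by this patch. A line on the declaration such as `// Returns a null object rather than an indirect one when objid is 0.` would make the behaviour visible. If the surrounding code has a warning path for damaged input, recording one here would also help anyone triaging malformed files.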