Skip to content

Commit

Permalink
Check the top-level /Pages dictionary when finding the trailer in `XR…
Browse files Browse the repository at this point in the history
…ef.indexObjects` (issue 12402)

In addition to the existing /Root and /Pages validation, also check that the /Pages-entry actually is a dictionary and that it has a valid /Count-entry.
This way we can avoid picking a trailer candidate which e.g. the `Catalog.numPages` getter will just end up rejecting, thus breaking PDF document loading completely.
  • Loading branch information
Snuffleupagus committed Nov 25, 2020
1 parent b1d3b6e commit 8a132f5
Show file tree
Hide file tree
Showing 3 changed files with 25 additions and 8 deletions.
23 changes: 15 additions & 8 deletions src/core/obj.js
Original file line number Diff line number Diff line change
Expand Up @@ -1836,14 +1836,13 @@ var XRef = (function XRefClosure() {
}
}
// reading XRef streams
var i, ii;
for (i = 0, ii = xrefStms.length; i < ii; ++i) {
for (let i = 0, ii = xrefStms.length; i < ii; ++i) {
this.startXRefQueue.push(xrefStms[i]);
this.readXRef(/* recoveryMode */ true);
}
// finding main trailer
let trailerDict;
for (i = 0, ii = trailers.length; i < ii; ++i) {
for (let i = 0, ii = trailers.length; i < ii; ++i) {
stream.pos = trailers[i];
const parser = new Parser({
lexer: new Lexer(stream),
Expand All @@ -1861,18 +1860,26 @@ var XRef = (function XRefClosure() {
continue;
}
// Do some basic validation of the trailer/root dictionary candidate.
let rootDict;
try {
rootDict = dict.get("Root");
const rootDict = dict.get("Root");
if (!(rootDict instanceof Dict)) {
continue;
}
const pagesDict = rootDict.get("Pages");
if (!(pagesDict instanceof Dict)) {
continue;
}
const pagesCount = pagesDict.get("Count");
if (!Number.isInteger(pagesCount)) {
continue;
}
// The top-level /Pages dictionary isn't obviously corrupt.
} catch (ex) {
if (ex instanceof MissingDataException) {
throw ex;
}
continue;
}
if (!isDict(rootDict) || !rootDict.has("Pages")) {
continue;
}
// taking the first one with 'ID'
if (dict.has("ID")) {
return dict;
Expand Down
1 change: 1 addition & 0 deletions test/pdfs/issue12402.pdf.link
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
https://github.com/mozilla/pdf.js/files/5597129/issue12402.pdf
9 changes: 9 additions & 0 deletions test/test_manifest.json
Original file line number Diff line number Diff line change
Expand Up @@ -842,6 +842,15 @@
"link": false,
"type": "eq"
},
{ "id": "issue12402",
"file": "pdfs/issue12402.pdf",
"md5": "70031cf610e24cc7164fb6ecd6980c8e",
"rounds": 1,
"link": true,
"firstPage": 8,
"lastPage": 8,
"type": "eq"
},
{ "id": "issue10004",
"file": "pdfs/issue10004.pdf",
"md5": "64d1853060cefe3be50e5c4617dd0505",
Expand Down

0 comments on commit 8a132f5

Please sign in to comment.