pdfbox-commits mailing list archives

From henn...@apache.org
Subject pdfbox-jbig2 git commit: Fix PDFBOX-4014 by adding additional terminating conditions
Date Fri, 17 Nov 2017 08:13:01 GMT
Repository: pdfbox-jbig2
Updated Branches:
  refs/heads/bugfix/PDFBOX-4014_Malformed/pathological/malicious_input_can_lead_to_infinite_looping
[created] f5daacc44


Fix PDFBOX-4014 by adding additional terminating conditions

Project: http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/repo
Commit: http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/commit/f5daacc4
Tree: http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/tree/f5daacc4
Diff: http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/diff/f5daacc4

Branch: refs/heads/bugfix/PDFBOX-4014_Malformed/pathological/malicious_input_can_lead_to_infinite_looping
Commit: f5daacc4417825f334032a495f10fa42e3d55e71
Parents: 6d652bf
Author: Jörg Henne <j.henne@levigo.de>
Authored: Thu Nov 16 13:32:38 2017 +0100
Committer: Jörg Henne <j.henne@levigo.de>
Committed: Thu Nov 16 13:32:38 2017 +0100

----------------------------------------------------------------------
 .../pdfbox/jbig2/segments/SymbolDictionary.java | 36 ++++++++++++--------
 .../pdfbox/jbig2/segments/TextRegion.java       | 12 +++++--
 2 files changed, 30 insertions(+), 18 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/blob/f5daacc4/src/main/java/org/apache/pdfbox/jbig2/segments/SymbolDictionary.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/pdfbox/jbig2/segments/SymbolDictionary.java b/src/main/java/org/apache/pdfbox/jbig2/segments/SymbolDictionary.java
index a3a6394..4170ff1 100644
--- a/src/main/java/org/apache/pdfbox/jbig2/segments/SymbolDictionary.java
+++ b/src/main/java/org/apache/pdfbox/jbig2/segments/SymbolDictionary.java
@@ -73,7 +73,7 @@ public class SymbolDictionary implements Dictionary {
   private int amountOfExportSymbolss;
 
   /** Number of new symbols, 7.4.2.1.5 */
-  private int amountOfNewSymbolss;
+  private int amountOfNewSymbols;
 
   /** Further parameters */
   private SegmentHeader segmentHeader;
@@ -114,7 +114,7 @@ public class SymbolDictionary implements Dictionary {
   public SymbolDictionary() {
   }
 
-  public SymbolDictionary(SubInputStream subInputStream, SegmentHeader segmentHeader) throws
IOException {
+  public SymbolDictionary(final SubInputStream subInputStream, final SegmentHeader segmentHeader)
throws IOException {
     this.subInputStream = subInputStream;
     this.segmentHeader = segmentHeader;
   }
@@ -231,7 +231,7 @@ public class SymbolDictionary implements Dictionary {
   }
 
   private void readAmountOfNewSymbols() throws IOException {
-    amountOfNewSymbolss = (int) subInputStream.readBits(32); // & 0xffffffff;
+    amountOfNewSymbols = (int) subInputStream.readBits(32); // & 0xffffffff;
   }
 
   private void setInSyms() throws IOException, InvalidHeaderValueException, IntegerMaxValueException
{
@@ -328,12 +328,12 @@ public class SymbolDictionary implements Dictionary {
       }
 
       /* 6.5.5 1) */
-      newSymbols = new Bitmap[amountOfNewSymbolss];
+      newSymbols = new Bitmap[amountOfNewSymbols];
 
       /* 6.5.5 2) */
       int[] newSymbolsWidths = null;
       if (isHuffmanEncoded && !useRefinementAggregation) {
-        newSymbolsWidths = new int[amountOfNewSymbolss];
+        newSymbolsWidths = new int[amountOfNewSymbols];
       }
 
       setSymbolsArray();
@@ -343,7 +343,7 @@ public class SymbolDictionary implements Dictionary {
       amountOfDecodedSymbols = 0;
 
       /* 6.5.5 4 a) */
-      while (amountOfDecodedSymbols != amountOfNewSymbolss) {
+      while (amountOfDecodedSymbols < amountOfNewSymbols) {
 
         /* 6.5.5 4 b) */
         heightClassHeight += decodeHeightClassDeltaHeight();
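Review bot: `amountOfNewSymbols` reaches this loop unvalidated: it is set by `(int) subInputStream.readBits(32)` in readAmountOfNewSymbols and used directly in `new Bitmap[amountOfNewSymbols]` in the preceding hunk, so a malformed count surfaces as NegativeArraySizeException or a very large allocation before any symbol is decoded. A range check right after the read would turn that into a parse error, for example `if (amountOfNewSymbols < 0) throw new IOException("Invalid number of new symbols: " + amountOfNewSymbols);` (readAmountOfNewSymbols already declares IOException). Separately, the `<` condition still depends on progress: if every height class yields OOB on its first `decodeDifferenceWidth()` call, `amountOfDecodedSymbols` never advances, and termination then presumably depends on the decoder failing at end of input, which is not visible here. The loop body continues outside this hunk.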
@@ -358,9 +358,15 @@ public class SymbolDictionary implements Dictionary {
           /* 4 c) i) */
           final long differenceWidth = decodeDifferenceWidth();
 
-          // If result is OOB, then all the symbols in this height
-          // class has been decoded; proceed to step 4 d)
-          if (differenceWidth == Long.MAX_VALUE) {
+          /* 
+           * If result is OOB, then all the symbols in this height
+           * class has been decoded; proceed to step 4 d). Also exit, if the expected number
of
+           * symbols have been decoded.
+           * 
+           * The latter exit condition guards against pathological cases where a symbol's
+           * DW never contains OOB and thus never terminates.
+           */
+          if (differenceWidth == Long.MAX_VALUE || amountOfDecodedSymbols >= amountOfNewSymbols)
{
             break;
           }
 
@@ -711,10 +717,10 @@ public class SymbolDictionary implements Dictionary {
     }
   }
 
-  private void setExportedSymbols(int[] toExportFlags) {
+  private void setExportedSymbols(final int[] toExportFlags) {
     exportSymbols = new ArrayList<Bitmap>(amountOfExportSymbolss);
 
-    for (int i = 0; i < amountOfImportedSymbolss + amountOfNewSymbolss; i++) {
+    for (int i = 0; i < amountOfImportedSymbolss + amountOfNewSymbols; i++) {
 
       if (toExportFlags[i] == 1) {
         if (i < amountOfImportedSymbolss) {
@@ -729,9 +735,9 @@ public class SymbolDictionary implements Dictionary {
   private int[] getToExportFlags() throws IOException, InvalidHeaderValueException {
     int currentExportFlag = 0;
     long exRunLength = 0;
-    final int[] exportFlags = new int[amountOfImportedSymbolss + amountOfNewSymbolss];
+    final int[] exportFlags = new int[amountOfImportedSymbolss + amountOfNewSymbols];
 
-    for (int exportIndex = 0; exportIndex < amountOfImportedSymbolss + amountOfNewSymbolss;
exportIndex += exRunLength) {
+    for (int exportIndex = 0; exportIndex < amountOfImportedSymbolss + amountOfNewSymbols;
exportIndex += exRunLength) {
 
       if (isHuffmanEncoded) {
         exRunLength = StandardTables.getTable(1).decode(subInputStream);
@@ -776,9 +782,9 @@ public class SymbolDictionary implements Dictionary {
    */
   private int getSbSymCodeLen() throws IOException {
     if (isHuffmanEncoded) {
-      return Math.max((int) (Math.ceil(Math.log(amountOfImportedSymbolss + amountOfNewSymbolss)
/ Math.log(2))), 1);
+      return Math.max((int) (Math.ceil(Math.log(amountOfImportedSymbolss + amountOfNewSymbols)
/ Math.log(2))), 1);
     } else {
-      return (int) (Math.ceil(Math.log(amountOfImportedSymbolss + amountOfNewSymbolss) /
Math.log(2)));
+      return (int) (Math.ceil(Math.log(amountOfImportedSymbolss + amountOfNewSymbols) / Math.log(2)));
     }
   }
 

http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/blob/f5daacc4/src/main/java/org/apache/pdfbox/jbig2/segments/TextRegion.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/pdfbox/jbig2/segments/TextRegion.java b/src/main/java/org/apache/pdfbox/jbig2/segments/TextRegion.java
index 797729c..0e11bc8 100644
--- a/src/main/java/org/apache/pdfbox/jbig2/segments/TextRegion.java
+++ b/src/main/java/org/apache/pdfbox/jbig2/segments/TextRegion.java
@@ -420,11 +420,17 @@ public class TextRegion implements Region {
         } else {
           /* 6.4.8 */
           final long idS = decodeIdS();
-          /*
+          
+          /* 
            * If result is OOB, then all the symbol instances in this strip have been decoded;
-           * proceed to step 3 d) respectively 3 b)
+           * proceed to step 3 d) respectively 3 b). Also exit, if the expected number of
+           * instances have been decoded.
+           * 
+           * The latter exit condition guards against pathological cases where a strip's
+           * S never contains OOB and thus never terminates as illustrated in
+           * https://bugs.chromium.org/p/chromium/issues/detail?id=450971 case  pdfium-loop2.pdf.
            */
-          if (idS == Long.MAX_VALUE)
+          if (idS == Long.MAX_VALUE || instanceCounter >= amountOfSymbolInstances)
             break;
 
           currentS += (idS + sbdsOffset);
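Review bot: When `instanceCounter >= amountOfSymbolInstances` is what ends the strip while `idS` is not OOB, the stream has violated the termination rule, yet it is accepted without any trace, so callers and logs cannot tell a malformed or hostile segment from a well-formed one. Consider a log statement for that case, or a comment stating that lenient truncation is intentional, for example `// Malformed stream: instance count reached without OOB; stop decoding this strip`. The unbraced `if (...) break;` also differs from the braced form used for the same guard in SymbolDictionary; `if (idS == Long.MAX_VALUE || instanceCounter >= amountOfSymbolInstances) {` followed by `break;` and `}` would match. The enclosing loop starts and ends outside this hunk, so where `instanceCounter` is incremented cannot be confirmed from here.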

