From d6fa934b5f1a418ea4821a6562773b9ff1aaf6e8 Mon Sep 17 00:00:00 2001
From: yzrh
Date: Sun, 1 Jan 2023 20:36:17 +0000
Subject: [PATCH] Handle incomplete PDF object in parser.

Signed-off-by: yzrh
---
 src/pdf_parser.c | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)

diff --git a/src/pdf_parser.c b/src/pdf_parser.c
index 54c7fb4..d0affb6 100644
--- a/src/pdf_parser.c
+++ b/src/pdf_parser.c
@@ -148,12 +148,16 @@ pdf_load(pdf_object_t **pdf, FILE **fp, int size_buf)
 
 	memset(buf, 0, ptr->size);
 
-	fseek(*fp, ptr->address - 12, SEEK_SET);
+	fseek(*fp, ptr->address - 15, SEEK_SET);
 	fread(str, 8, 1, *fp);
 
-	for (int i = 0; i < 8; i++) {
-		if (str[i] >= '0' && str[i] <= '9') {
-			ptr->id = atoi(str + i);
+	for (int i = 7; i >= 0; i--) {
+		if (str[i] < '0' || str[i] > '9') {
+			if (i < 7)
+				ptr->id = atoi(str + i + 1);
+			else
+				ptr->id = 0;
+			break;
 		}
 	}
 
@@ -181,8 +185,8 @@ pdf_load(pdf_object_t **pdf, FILE **fp, int size_buf)
 	if (ptr->dictionary == NULL)
 		return 1;
 
-	memset(ptr->dictionary, 0, ptr->dictionary_size + 1);
 	memcpy(ptr->dictionary, head, ptr->dictionary_size);
+	memset(ptr->dictionary + ptr->dictionary_size, 0, 1);
 
 	if ((head = memmem(tail,
 	    ptr->size - (tail - buf),
@@ -195,8 +199,8 @@ pdf_load(pdf_object_t **pdf, FILE **fp, int size_buf)
 	 * contains another object that
 	 * contains another stream
 	 */
-	while (_memmem_whitespace(tail,
-	    ptr->size - (tail - buf),
+	while (_memmem_whitespace(tail + 10,
+	    ptr->size - (tail - buf) - 10,
 	    "endobj", 6) != NULL &&
 	    (tmp = _memmem_whitespace(tail + 10,
 	    ptr->size - (tail - buf) - 10,
@@ -211,19 +215,13 @@ pdf_load(pdf_object_t **pdf, FILE **fp, int size_buf)
 
 			memcpy(ptr->stream, head + 8, ptr->stream_size);
 		}
+
+		free(buf);
 	} else {
 		ptr->object_size = ptr->size;
-		ptr->object = malloc(ptr->object_size + 1);
-
-		if (ptr->object == NULL)
-			return 1;
-
-		memset(ptr->object, 0, ptr->object_size + 1);
-		memcpy(ptr->object, buf, ptr->object_size);
+		ptr->object = buf;
 	}
 
-	free(buf);
-
 	ptr = ptr->next;
 }
 
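Review bot: The results of `fseek` and `fread` are still unchecked, so when a truncated file makes the seek fail (an `ptr->address` below 15 yields a negative offset) or the read comes back short, the new backward scan runs over whatever `str` held before and may set `ptr->id` from stale bytes. The loop also leaves `ptr->id` unassigned when all eight bytes are digits, because no `break` fires in that case. Preset `ptr->id = 0;` before the scan and run the loop only under `if (fseek(*fp, ptr->address - 15, SEEK_SET) == 0 && fread(str, 8, 1, *fp) == 1)`. Separately, `atoi(str + i + 1)` keeps reading past `str[7]` until it meets a non-digit; if `str` is declared as exactly 8 bytes (its declaration is outside the hunk) that is an over-read, so either size it at 9 with a terminating NUL or use `strtol` and check the end pointer. The enclosing function starts before this hunk.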
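Review bot: `memset(ptr->dictionary + ptr->dictionary_size, 0, 1)` is a one-byte store written as a library call; `ptr->dictionary[ptr->dictionary_size] = '\0';` states directly that the copied dictionary is being NUL-terminated and is what a reader expects to see after a `memcpy`. Either form relies on the allocation holding `dictionary_size + 1` bytes, which the removed memset suggests but the allocation itself is outside the hunk; a comment such as `/* dictionary is allocated with one spare byte for the terminator */` would tie the two together. The enclosing function starts before this hunk.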
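Review bot: `ptr->size - (tail - buf) - 10` is computed without first checking that at least 10 bytes remain after `tail`; on a truncated object, the very case this commit targets, the subtraction goes negative or, if `ptr->size` is unsigned, wraps to a huge length, and `_memmem_whitespace` then scans past the end of `buf`. Both calls in the condition now take this length, so one guard as the first conjunct covers them: `(tail - buf) + 10 <= ptr->size &&`. The types of `ptr->size` and of the length parameter are not visible here, so the comparison may need a cast to avoid a signed/unsigned mismatch. The loop body continues outside the hunk.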
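Review bot: `ptr->object = buf;` hands the raw read buffer to the object, but the code it replaces allocated `object_size + 1` bytes and zeroed the last one, so `ptr->object` used to be NUL-terminated; `buf` is only known to be `ptr->size` bytes (the `memset(buf, 0, ptr->size)` in the first hunk), so any consumer that treats `ptr->object` as a C string would now read past its end. If that guarantee matters, allocate `buf` with one spare byte and terminate it where it is allocated (outside this hunk); if it does not, record the transfer at the assignment with `/* ptr->object takes ownership of buf; released with the object */` so the `free(buf)` on the stream path is not mirrored here later. Note also that `free(buf)` now lives only on the stream branch, so the early `return 1` paths between the allocation and this point (such as the one in the dictionary hunk) still leak `buf`, as they did before this change. The enclosing function presumably continues past the end of this hunk.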