diff -rupN podofo-0.9.6/src/base/PdfCompilerCompat.h podofo-0.9.6-new/src/base/PdfCompilerCompat.h
--- podofo-0.9.6/src/base/PdfCompilerCompat.h	2017-10-27 08:38:19.000000000 +0200
+++ podofo-0.9.6-new/src/base/PdfCompilerCompat.h	2019-03-13 23:15:12.143138748 +0100
@@ -184,12 +184,15 @@ namespace PoDoFo {
 #if defined(_MSC_VER)
 #  define PDF_FORMAT_INT64 "I64d"
 #  define PDF_FORMAT_UINT64 "I64u"
+#  define PDF_SIZE_FORMAT "Iu"
 #elif defined(SZ_INT64) && defined(SZ_LONG) && SZ_INT64 == SZ_LONG
 #  define PDF_FORMAT_INT64 "ld"
 #  define PDF_FORMAT_UINT64 "lu"
+#  define PDF_SIZE_FORMAT "zu"
 #else
 #  define PDF_FORMAT_INT64 "lld"
 #  define PDF_FORMAT_UINT64 "llu"
+#  define PDF_SIZE_FORMAT "zu"
 #endif
 
 
diff -rupN podofo-0.9.6/src/base/PdfVecObjects.cpp podofo-0.9.6-new/src/base/PdfVecObjects.cpp
--- podofo-0.9.6/src/base/PdfVecObjects.cpp	2017-06-04 15:28:32.000000000 +0200
+++ podofo-0.9.6-new/src/base/PdfVecObjects.cpp	2019-03-13 23:15:12.144138748 +0100
@@ -100,6 +100,10 @@ private:
     const PdfReference m_ref;
 };
 
+// This is static, IMHO (mabri) different values per-instance could cause confusion.
+// It has to be defined here because of the one-definition rule.
+size_t PdfVecObjects::m_nMaxReserveSize = static_cast<size_t>(8388607); // cf. Table C.1 in section C.2 of PDF32000_2008.pdf
+
 PdfVecObjects::PdfVecObjects()
     : m_bAutoDelete( false ), m_bCanReuseObjectNumbers( true ), m_nObjectCount( 1 ), m_bSorted( true ), m_pDocument( NULL ), m_pStreamFactory( NULL )
 {
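Review bot: The default cap on L30 still allows a single crafted /Size value to make Reserve() allocate 8388607 pointers up front — about 64 MiB on an LP64 build, 32 MiB on 32-bit — before a single object has been parsed, so the comment should say what the number costs, not only where it comes from. Something like `// Table C.1 in section C.2 of PDF32000_2008.pdf: max indirect objects in a file; at sizeof(PdfObject*) this is still a ~64 MiB reserve() on 64-bit, lower via SetMaxReserveSize() for memory-constrained callers` would let integrators judge whether the spec limit is the right limit for them. The literal 8388607 is also repeated in the header documentation; a named constant (e.g. `static const size_t PDF_MAX_INDIRECT_OBJECTS = 8388607;`) would keep the two from drifting apart. The constructor that begins on L32 continues outside the hunk.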
diff -rupN podofo-0.9.6/src/base/PdfVecObjects.h podofo-0.9.6-new/src/base/PdfVecObjects.h
--- podofo-0.9.6/src/base/PdfVecObjects.h	2016-11-14 17:21:06.000000000 +0100
+++ podofo-0.9.6-new/src/base/PdfVecObjects.h	2019-03-13 23:15:12.144138748 +0100
@@ -414,6 +414,25 @@ class PODOFO_API PdfVecObjects {
     inline PdfObject* GetBack();
 
     /**
+     * Set the maximum number of elements Reserve() will work for (to fix
+     * CVE-2018-5783) which is called with a value from the PDF in the parser.
+     * The default is from Table C.1 in section C.2 of PDF32000_2008.pdf
+     * (PDF 1.7 standard free version).
+     * This sets a static variable, so don't use from multiple threads
+     * (without proper locking).
+     * \param size Number of elements to allow to be reserved
+     */
+    void SetMaxReserveSize(size_t size);
+
+    /**
+     * Gets the maximum number of elements Reserve() will work for (to fix
+     * CVE-2018-5783) which is called with a value from the PDF in the parser.
+     * The default is from Table C.1 in section C.2 of PDF32000_2008.pdf
+     * (PDF 1.7 standard free version): 8388607.
+     */
+    size_t GetMaxReserveSize() const;
+
+    /**
      * Deletes all objects that are not references by other objects
      * besides the trailer (which references the root dictionary, which in 
      * turn should reference all other objects).
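Review bot: SetMaxReserveSize() and GetMaxReserveSize() read and write a static member (L68), yet L50 and L58 declare them as instance methods, so a reader of the signature cannot tell that calling `doc.GetObjects().SetMaxReserveSize(n)` changes the limit for every PdfVecObjects in the process, including documents being parsed on other threads; declaring them `static void SetMaxReserveSize(size_t size);` and `static size_t GetMaxReserveSize();` makes the process-wide effect visible in the API and removes the need for an object to query the limit. The doc comment's "don't use from multiple threads (without proper locking)" is an honest caveat, but note that Reserve() (not visible in this hunk) also reads the static, so the locking would have to cover concurrent parsing as well as the setter; a `std::atomic<size_t>` would avoid the data race if the project's compiler baseline permits it, otherwise the doc should spell out that the value must be set before any parsing starts. The `size` parameter documentation should also state that raising it above the default re-opens the CVE-2018-5783 allocation surface for untrusted input.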
@@ -480,6 +499,7 @@ class PODOFO_API PdfVecObjects {
     StreamFactory*      m_pStreamFactory;
 
 	std::string			m_sSubsetPrefix;		 ///< Prefix for BaseFont and FontName of subsetted font
+    static size_t       m_nMaxReserveSize;
 };
 
 
@@ -494,9 +514,34 @@ inline size_t PdfVecObjects::GetSize() c
 // -----------------------------------------------------
 // 
 // -----------------------------------------------------
+inline void PdfVecObjects::SetMaxReserveSize(size_t size)
+{
+    m_nMaxReserveSize = size;
+}
+
+// -----------------------------------------------------
+//
+// -----------------------------------------------------
+inline size_t PdfVecObjects::GetMaxReserveSize() const
+{
+    return m_nMaxReserveSize;
+}
+
+// -----------------------------------------------------
+//
+// -----------------------------------------------------
 inline void PdfVecObjects::Reserve( size_t size )
 {
-    m_vector.reserve( size );
+    if( size <= m_nMaxReserveSize ) // Fix CVE-2018-5783
+    {
+        m_vector.reserve( size );
+    }
+    else
+    {
+        PdfError::DebugMessage( "Call to PdfVecObjects::Reserve with %"
+                           PDF_SIZE_FORMAT" is over allowed limit of %"
+                           PDF_SIZE_FORMAT".\n", size, m_nMaxReserveSize );
+    }
 }
 
 // -----------------------------------------------------
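Review bot: When `size` exceeds the cap on L95, the over-limit request is dropped with only PdfError::DebugMessage (L101), so a PDF whose /Size is beyond the spec limit is parsed as if nothing were wrong and, if DebugMessage is gated on the library's debug flag as elsewhere in PoDoFo, release builds never record that a limit was hit; that hides exactly the malformed-input signal an integrator would want to see. Since Reserve() is void and the caller cannot learn the outcome, at minimum log at warning severity so the event survives in production, e.g. `PdfError::LogMessage( eLogSeverity_Warning, "Call to PdfVecObjects::Reserve with %" PDF_SIZE_FORMAT " is over allowed limit of %" PDF_SIZE_FORMAT ".\n", size, m_nMaxReserveSize );` (assuming that overload is available at this version); better still, let the parser compare against GetMaxReserveSize() before calling and decide whether an out-of-spec /Size should be a parse error. The existing string literals on L101-L103 also lack a space between `PDF_SIZE_FORMAT` and the following `"` fragment, which is legal but easy to misread as a missing token. A doc comment on Reserve() stating that the call is a no-op above the limit (`/** Reserves storage for \a size elements; silently ignored above GetMaxReserveSize() (CVE-2018-5783). */`) would tell callers not to rely on capacity being reserved.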