diff -rupN podofo-0.9.6/src/base/PdfCompilerCompat.h podofo-0.9.6-new/src/base/PdfCompilerCompat.h
--- podofo-0.9.6/src/base/PdfCompilerCompat.h 2017-10-27 08:38:19.000000000 +0200
+++ podofo-0.9.6-new/src/base/PdfCompilerCompat.h 2019-03-13 23:15:12.143138748 +0100
@@ -184,12 +184,15 @@ namespace PoDoFo {
 #if defined(_MSC_VER)
 # define PDF_FORMAT_INT64 "I64d"
 # define PDF_FORMAT_UINT64 "I64u"
+# define PDF_SIZE_FORMAT "Iu"
 #elif defined(SZ_INT64) && defined(SZ_LONG) && SZ_INT64 == SZ_LONG
 # define PDF_FORMAT_INT64 "ld"
 # define PDF_FORMAT_UINT64 "lu"
+# define PDF_SIZE_FORMAT "zu"
 #else
 # define PDF_FORMAT_INT64 "lld"
 # define PDF_FORMAT_UINT64 "llu"
+# define PDF_SIZE_FORMAT "zu"
 #endif
diff -rupN podofo-0.9.6/src/base/PdfVecObjects.cpp podofo-0.9.6-new/src/base/PdfVecObjects.cpp
--- podofo-0.9.6/src/base/PdfVecObjects.cpp 2017-06-04 15:28:32.000000000 +0200
+++ podofo-0.9.6-new/src/base/PdfVecObjects.cpp 2019-03-13 23:15:12.144138748 +0100
@@ -100,6 +100,10 @@ private:
     const PdfReference m_ref;
 };
+// This is static, IMHO (mabri) different values per-instance could cause confusion.
+// It has to be defined here because of the one-definition rule.
+size_t PdfVecObjects::m_nMaxReserveSize = static_cast(8388607); // cf. Table C.1 in section C.2 of PDF32000_2008.pdf
+
 PdfVecObjects::PdfVecObjects()
     : m_bAutoDelete( false ), m_bCanReuseObjectNumbers( true ), m_nObjectCount( 1 ), m_bSorted( true ), m_pDocument( NULL ), m_pStreamFactory( NULL )
 {
diff -rupN podofo-0.9.6/src/base/PdfVecObjects.h podofo-0.9.6-new/src/base/PdfVecObjects.h
--- podofo-0.9.6/src/base/PdfVecObjects.h 2016-11-14 17:21:06.000000000 +0100
+++ podofo-0.9.6-new/src/base/PdfVecObjects.h 2019-03-13 23:15:12.144138748 +0100
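Review bot: The new macro `PDF_SIZE_FORMAT` breaks the naming pattern of the neighbouring `PDF_FORMAT_INT64`/`PDF_FORMAT_UINT64` definitions and carries no comment explaining why the `_MSC_VER` branch needs `"Iu"` while the other two use `"zu"`. Since the name is introduced by this patch, `PDF_FORMAT_SIZE` would read consistently, with the two uses in PdfVecObjects::Reserve renamed to match. Whichever name is kept, a one-line comment above the first definition, `// printf length modifier for size_t: %Iu on MSVC, C99 %zu elsewhere`, spares the next reader a trip to the compiler documentation.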
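Review bot: The definition of `m_nMaxReserveSize` reads `static_cast(8388607)` with no template argument, which does not compile as shown; the `<size_t>` was presumably lost in rendering, but no cast is needed for an integer literal initialising a `size_t` in the first place. The same literal 8388607 is repeated in the header documentation of GetMaxReserveSize, so the two can silently drift apart; a named constant next to this definition (for example `static const size_t s_nDefaultMaxReserveSize = 8388607; // PDF32000_2008 Table C.1`, a constructed name) referenced from both places would keep them in step. The `IMHO (mabri)` remark is a conversation with the reviewer rather than documentation and belongs in the commit message. The PdfVecObjects constructor that follows the inserted lines continues outside the hunk.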
@@ -414,6 +414,25 @@ class PODOFO_API PdfVecObjects {
     inline PdfObject* GetBack();
     /**
+     * Set the maximum number of elements Reserve() will work for (to fix
+     CVE-2018-5783) which is called with a value from the PDF in the parser.
+     The default is from Table C.1 in section C.2 of PDF32000_2008.pdf
+     (PDF 1.7 standard free version).
+     This sets a static variable, so don't use from multiple threads
+     (without proper locking).
+     \param size Number of elements to allow to be reserved
+     */
+    void SetMaxReserveSize(size_t size);
+
+    /**
+     * Gets the maximum number of elements Reserve() will work for (to fix
+     CVE-2018-5783) which is called with a value from the PDF in the parser.
+     The default is from Table C.1 in section C.2 of PDF32000_2008.pdf
+     (PDF 1.7 standard free version): 8388607.
+     */
+    size_t GetMaxReserveSize() const;
+
+    /**
      * Deletes all objects that are not references by other objects
      * besides the trailer (which references the root dictionary, which in
      * turn should reference all other objects).
@@ -480,6 +499,7 @@ class PODOFO_API PdfVecObjects {
     StreamFactory* m_pStreamFactory;
     std::string m_sSubsetPrefix; ///< Prefix for BaseFont and FontName of subsetted font
+    static size_t m_nMaxReserveSize;
 };
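Review bot: `SetMaxReserveSize` and `GetMaxReserveSize` are declared as instance members although they only touch the `static size_t m_nMaxReserveSize` added in the second hunk of this file, so a caller needs a PdfVecObjects object in hand to change a process-wide limit, and the `const` on the getter promises nothing about the object. Declaring both `static` — `static void SetMaxReserveSize(size_t size);` and `static size_t GetMaxReserveSize();` — puts the global effect into the signature instead of leaving it to the doc comment's "This sets a static variable" sentence. The two comments also say the limit exists "to fix CVE-2018-5783" without saying what Reserve() does when a request exceeds it; adding `Reserve() requests above this limit only emit a debug message and do not reserve.` to both documents the behaviour a caller actually observes. The class body continues outside both hunks.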
@@ -494,9 +514,34 @@ inline size_t PdfVecObjects::GetSize() c
 // -----------------------------------------------------
 //
 // -----------------------------------------------------
+inline void PdfVecObjects::SetMaxReserveSize(size_t size)
+{
+    m_nMaxReserveSize = size;
+}
+
+// -----------------------------------------------------
+//
+// -----------------------------------------------------
+inline size_t PdfVecObjects::GetMaxReserveSize() const
+{
+    return m_nMaxReserveSize;
+}
+
+// -----------------------------------------------------
+//
+// -----------------------------------------------------
 inline void PdfVecObjects::Reserve( size_t size )
 {
-    m_vector.reserve( size );
+    if( size <= m_nMaxReserveSize ) // Fix CVE-2018-5783
+    {
+        m_vector.reserve( size );
+    }
+    else
+    {
+        PdfError::DebugMessage( "Call to PdfVecObjects::Reserve with %"
+                                PDF_SIZE_FORMAT" is over allowed limit of %"
+                                PDF_SIZE_FORMAT".\n", size, m_nMaxReserveSize );
+    }
 }
 // -----------------------------------------------------
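Review bot: The over-limit branch of `Reserve` turns the call into a no-op apart from a message sent through `PdfError::DebugMessage`, and nothing on the function says so; a caller that later relies on the capacity it asked for gets on-demand growth instead, which is the intended mitigation but should be stated where the function is defined. A comment above `inline void PdfVecObjects::Reserve( size_t size )` such as `// Requests above m_nMaxReserveSize (the value can come straight from the PDF being parsed) are not honoured: the vector still grows on demand, so an oversized count cannot force a large up-front allocation (CVE-2018-5783).` makes that explicit. Because the message goes through the debug channel it presumably surfaces only when debug output is enabled, so an operator will normally not learn that a document tripped the cap; if the project has a non-debug logging path, that is worth considering for this event. The spacing `PDF_SIZE_FORMAT" is over allowed limit of %"` is inconsistent with the surrounding code; `PDF_SIZE_FORMAT " is over allowed limit of %"` matches the file's style.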