Add check for prev pointer in xref structure relying on PdfReader#StrictnessLevel

Egor Martsynkovsky · Ubuntu · commit 6d6df8f3b311 · 2022-02-11T07:47:48.000Z
DEVSIX-6290
diff --git a/io/src/main/java/com/itextpdf/io/source/PdfTokenizer.java b/io/src/main/java/com/itextpdf/io/source/PdfTokenizer.java
@@ -689,8 +689,10 @@ public void throwError(String error, Object... messageParams) {
 
     /**
      * Checks whether {@code line} equals to 'trailer'.
-     * @param line for check.
-     * @return true, if line is equals tio 'trailer', otherwise false.
+     *
+     * @param line for check
+     *
+     * @return true, if line is equals to 'trailer', otherwise false
      */
     public static boolean checkTrailer(ByteBuffer line) {
         if (Trailer.length > line.size())
diff --git a/kernel/src/main/java/com/itextpdf/kernel/exceptions/InvalidXRefPrevException.java b/kernel/src/main/java/com/itextpdf/kernel/exceptions/InvalidXRefPrevException.java
@@ -0,0 +1,38 @@
+/*
+    This file is part of the iText (R) project.
+    Copyright (c) 1998-2022 iText Group NV
+    Authors: iText Software.
+
+    This program is offered under a commercial and under the AGPL license.
+    For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.
+
+    AGPL licensing:
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.itextpdf.kernel.exceptions;
+
+/**
+ * Exception class for invalid prev pointer in xref structure.
+ */
+public class InvalidXRefPrevException extends PdfException {
+
+    /**
+     * Creates a new instance of InvalidPrevPointerException.
+     *
+     * @param message the detail message.
+     */
+    public InvalidXRefPrevException(String message) {
+        super(message);
+    }
+}
diff --git a/kernel/src/main/java/com/itextpdf/kernel/exceptions/KernelExceptionMessageConstant.java b/kernel/src/main/java/com/itextpdf/kernel/exceptions/KernelExceptionMessageConstant.java
@@ -255,17 +255,17 @@ public final class KernelExceptionMessageConstant {
     public static final String PDF_INDIRECT_OBJECT_BELONGS_TO_OTHER_PDF_DOCUMENT = "Pdf indirect object belongs to "
             + "other PDF document. Copy object to current pdf document.";
     public static final String PDF_VERSION_IS_NOT_VALID = "PDF version is not valid.";
+    public static final String PNG_FILTER_UNKNOWN = "PNG filter unknown.";
+    public static final String PRINT_SCALING_ENFORCE_ENTRY_INVALID = "/PrintScaling shall may appear in the Enforce "
+            + "array only if the corresponding entry in the viewer preferences dictionary specifies a valid value "
+            + "other than AppDefault";
     public static final String REF_ARRAY_ITEMS_IN_STRUCTURE_ELEMENT_DICTIONARY_SHALL_BE_INDIRECT_OBJECTS = "Ref array "
             + "items in structure element dictionary shall be indirect objects.";
     public static final String REQUESTED_PAGE_NUMBER_IS_OUT_OF_BOUNDS = "Requested page number {0} is out of bounds.";
     public static final String ROLE_IS_NOT_MAPPED_TO_ANY_STANDARD_ROLE = "Role \"{0}\" is not mapped to any standard "
             + "role.";
     public static final String ROLE_IN_NAMESPACE_IS_NOT_MAPPED_TO_ANY_STANDARD_ROLE = "Role \"{0}\" in namespace {1} "
             + "is not mapped to any standard role.";
-    public static final String PNG_FILTER_UNKNOWN = "PNG filter unknown.";
-    public static final String PRINT_SCALING_ENFORCE_ENTRY_INVALID = "/PrintScaling shall may appear in the Enforce "
-            + "array only if the corresponding entry in the viewer preferences dictionary specifies a valid value "
-            + "other than AppDefault";
     public static final String RESOURCES_CANNOT_BE_NULL = "Resources cannot be null.";
     public static final String RESOURCES_DO_NOT_CONTAIN_EXTGSTATE_ENTRY_UNABLE_TO_PROCESS_THIS_OPERATOR = "Resources "
             + "do not contain ExtGState entry. Unable to process operator {0}.";
@@ -331,14 +331,16 @@ public final class KernelExceptionMessageConstant {
     public static final String WMF_IMAGE_EXCEPTION = "WMF image exception.";
     public static final String WRONG_MEDIA_BOX_SIZE_TOO_FEW_ARGUMENTS = "Wrong media box size: {0}. Need at least 4 "
             + "arguments";
-    public static final String XREF_TABLE_HAS_CYCLED_REFERENCES =
-            "Xref table has cycled references. Prev pointer indicates an already visited xref table.";
+    public static final String XREF_PREV_SHALL_BE_DIRECT_NUMBER_OBJECT = "Prev pointer in xref structure shall be "
+            + "direct number object.";
     public static final String XREF_SUBSECTION_NOT_FOUND = "xref subsection not found.";
     public static final String XREF_STREAM_HAS_CYCLED_REFERENCES =
             "Xref stream has cycled references. Prev pointer indicates an already visited xref stream.";
     public static final String XREF_STRUCTURE_SIZE_EXCEEDED_THE_LIMIT = "Xref structure contains too many elements "
             + "and may cause OOM exception. You can increase number of elements by setting custom "
             + "MemoryLimitsAwareHandler.";
+    public static final String XREF_TABLE_HAS_CYCLED_REFERENCES =
+            "Xref table has cycled references. Prev pointer indicates an already visited xref table.";
     public static final String YOU_HAVE_TO_DEFINE_A_BOOLEAN_ARRAY_FOR_THIS_COLLECTION_SORT_DICTIONARY = "You have to "
             + "define a boolean array for this collection sort dictionary.";
     public static final String YOU_MUST_SET_A_VALUE_BEFORE_ADDING_A_PREFIX = "You must set a value before adding a "
diff --git a/kernel/src/main/java/com/itextpdf/kernel/pdf/PdfReader.java b/kernel/src/main/java/com/itextpdf/kernel/pdf/PdfReader.java
@@ -52,6 +52,7 @@ This file is part of the iText (R) project.
 import com.itextpdf.io.source.RandomAccessSourceFactory;
 import com.itextpdf.io.source.WindowRandomAccessSource;
 import com.itextpdf.commons.utils.MessageFormatUtil;
+import com.itextpdf.kernel.exceptions.InvalidXRefPrevException;
 import com.itextpdf.kernel.exceptions.MemoryLimitsAwareException;
 import com.itextpdf.kernel.exceptions.PdfException;
 import com.itextpdf.kernel.crypto.securityhandler.UnsupportedSecurityHandlerException;
@@ -730,16 +731,20 @@ protected void readPdf() throws IOException {
         }
         try {
             readXref();
-        } catch (XrefCycledReferencesException | MemoryLimitsAwareException ex) {
+        } catch (XrefCycledReferencesException | MemoryLimitsAwareException | InvalidXRefPrevException ex) {
             // Throws an exception when xref stream has cycled references(due to lack of opportunity to fix such an
             // issue) or xref tables have cycled references and PdfReader.StrictnessLevel set to CONSERVATIVE.
             // Also throw an exception when xref structure size exceeds jvm memory limit.
             throw ex;
         } catch (RuntimeException ex) {
-            Logger logger = LoggerFactory.getLogger(PdfReader.class);
-            logger.error(IoLogMessageConstant.XREF_ERROR_WHILE_READING_TABLE_WILL_BE_REBUILT, ex);
+            if (StrictnessLevel.CONSERVATIVE.isStricter(this.getStrictnessLevel())) {
+                Logger logger = LoggerFactory.getLogger(PdfReader.class);
+                logger.error(IoLogMessageConstant.XREF_ERROR_WHILE_READING_TABLE_WILL_BE_REBUILT, ex);
 
-            rebuildXref();
+                rebuildXref();
+            } else {
+                throw ex;
+            }
         }
         pdfDocument.getXref().markReadingCompleted();
         readDecryptObj();
@@ -989,7 +994,9 @@ protected void readXref() throws IOException {
                 xrefStm = true;
                 return;
             }
-        } catch (XrefCycledReferencesException | MemoryLimitsAwareException exceptionWhileReadingXrefStream) {
+        } catch (XrefCycledReferencesException
+                | MemoryLimitsAwareException
+                | InvalidXRefPrevException exceptionWhileReadingXrefStream) {
             throw exceptionWhileReadingXrefStream;
         } catch (Exception ignored) {
             // Do nothing.
@@ -1008,7 +1015,7 @@ protected void readXref() throws IOException {
         final Set<Long> alreadyVisitedXrefTables = new HashSet<>();
         while (true) {
             alreadyVisitedXrefTables.add(startxref);
-            PdfNumber prev = (PdfNumber) trailer2.get(PdfName.Prev);
+            PdfNumber prev = getXrefPrev(trailer2.get(PdfName.Prev, false));
             if (prev == null) {
                 break;
             }
@@ -1175,7 +1182,7 @@ protected boolean readXrefStream(long ptr) throws IOException {
             }
             PdfArray w = xrefStream.getAsArray(PdfName.W);
             long prev = -1;
-            obj = xrefStream.get(PdfName.Prev);
+            obj = getXrefPrev(xrefStream.get(PdfName.Prev, false));
             if (obj != null)
                 prev = ((PdfNumber) obj).longValue();
             xref.setCapacity(size);
@@ -1321,6 +1328,26 @@ protected void rebuildXref() throws IOException {
             throw new PdfException(KernelExceptionMessageConstant.TRAILER_NOT_FOUND);
     }
 
+    protected PdfNumber getXrefPrev(PdfObject prevObjectToCheck) {
+        if (prevObjectToCheck == null) {
+            return null;
+        }
+
+        if (prevObjectToCheck.getType() == PdfObject.NUMBER) {
+            return (PdfNumber) prevObjectToCheck;
+        } else {
+            if (prevObjectToCheck.getType() == PdfObject.INDIRECT_REFERENCE &&
+                    StrictnessLevel.CONSERVATIVE.isStricter(this.getStrictnessLevel())) {
+                final PdfObject value = ((PdfIndirectReference) prevObjectToCheck).getRefersTo(true);
+                if (value != null && value.getType() == PdfObject.NUMBER) {
+                    return (PdfNumber) value;
+                }
+            }
+            throw new InvalidXRefPrevException(
+                    KernelExceptionMessageConstant.XREF_PREV_SHALL_BE_DIRECT_NUMBER_OBJECT);
+        }
+    }
+
     boolean isMemorySavingMode() {
         return memorySavingMode;
     }
@@ -1359,33 +1386,6 @@ private void readDecryptObj() {
         }
     }
 
-    /**
-     * Utility method that checks the provided byte source to see if it has junk bytes at the beginning.  If junk bytes
-     * are found, construct a tokeniser that ignores the junk.  Otherwise, construct a tokeniser for the byte source as it is
-     *
-     * @param byteSource the source to check
-     * @return a tokeniser that is guaranteed to start at the PDF header
-     * @throws IOException if there is a problem reading the byte source
-     */
-    private static PdfTokenizer getOffsetTokeniser(IRandomAccessSource byteSource, boolean closeStream)
-            throws IOException {
-        PdfTokenizer tok = new PdfTokenizer(new RandomAccessFileOrArray(byteSource));
-        int offset;
-        try {
-            offset = tok.getHeaderOffset();
-        } catch (com.itextpdf.io.exceptions.IOException ex) {
-            if (closeStream) {
-                tok.close();
-            }
-            throw ex;
-        }
-        if (offset != 0) {
-            IRandomAccessSource offsetSource = new WindowRandomAccessSource(byteSource, offset);
-            tok = new PdfTokenizer(new RandomAccessFileOrArray(offsetSource));
-        }
-        return tok;
-    }
-
     private PdfObject readObject(PdfIndirectReference reference, boolean fixXref) {
         if (reference == null)
             return null;
@@ -1497,6 +1497,33 @@ private PdfObject createPdfNullInstance(boolean readAsDirect) {
         }
     }
 
+    /**
+     * Utility method that checks the provided byte source to see if it has junk bytes at the beginning.  If junk bytes
+     * are found, construct a tokeniser that ignores the junk.  Otherwise, construct a tokeniser for the byte source as it is
+     *
+     * @param byteSource the source to check
+     * @return a tokeniser that is guaranteed to start at the PDF header
+     * @throws IOException if there is a problem reading the byte source
+     */
+    private static PdfTokenizer getOffsetTokeniser(IRandomAccessSource byteSource, boolean closeStream)
+            throws IOException {
+        PdfTokenizer tok = new PdfTokenizer(new RandomAccessFileOrArray(byteSource));
+        int offset;
+        try {
+            offset = tok.getHeaderOffset();
+        } catch (com.itextpdf.io.exceptions.IOException ex) {
+            if (closeStream) {
+                tok.close();
+            }
+            throw ex;
+        }
+        if (offset != 0) {
+            IRandomAccessSource offsetSource = new WindowRandomAccessSource(byteSource, offset);
+            tok = new PdfTokenizer(new RandomAccessFileOrArray(offsetSource));
+        }
+        return tok;
+    }
+
     protected static class ReusableRandomAccessSource implements IRandomAccessSource {
         private ByteBuffer buffer;
 
diff --git a/kernel/src/test/java/com/itextpdf/kernel/pdf/PdfReaderTest.java b/kernel/src/test/java/com/itextpdf/kernel/pdf/PdfReaderTest.java
diff --git a/kernel/src/test/resources/com/itextpdf/kernel/pdf/PdfReaderTest/indirectPrev.pdf b/kernel/src/test/resources/com/itextpdf/kernel/pdf/PdfReaderTest/indirectPrev.pdf
