From 4660cf823826f30f3a5b384ff944ec3204b1571f Mon Sep 17 00:00:00 2001
From: Jonas Jenwald <jonas.jenwald@gmail.com>
Date: Thu, 24 Aug 2017 19:14:33 +0200
Subject: [PATCH] Prevent an infinite loop in `XRef.readXRef` by keeping track
 of already parsed tables (bug 1393476)

With this patch, not only is the infinite loop prevented, but we're also able to actually render the file (which e.g. Adobe Reader isn't able to).

Fixes https://bugzilla.mozilla.org/show_bug.cgi?id=1393476.
---
 src/core/obj.js               | 11 +++++++++++
 test/pdfs/bug1393476.pdf.link |  1 +
 test/test_manifest.json       |  7 +++++++
 3 files changed, 19 insertions(+)
 create mode 100644 test/pdfs/bug1393476.pdf.link

diff --git a/src/core/obj.js b/src/core/obj.js
index 652914efa..dd302d10b 100644
--- a/src/core/obj.js
+++ b/src/core/obj.js
@@ -1186,11 +1186,22 @@ var XRef = (function XRefClosure() {
 
     readXRef: function XRef_readXRef(recoveryMode) {
       var stream = this.stream;
+      // Keep track of already parsed XRef tables, to prevent an infinite loop
+      // when parsing corrupt PDF files where e.g. the /Prev entries create a
+      // circular dependency between tables (fixes bug1393476.pdf).
+      let startXRefParsedCache = Object.create(null);
 
       try {
         while (this.startXRefQueue.length) {
           var startXRef = this.startXRefQueue[0];
 
+          if (startXRefParsedCache[startXRef]) {
+            warn('readXRef - skipping XRef table since it was already parsed.');
+            this.startXRefQueue.shift();
+            continue;
+          }
+          startXRefParsedCache[startXRef] = true;
+
           stream.pos = startXRef + stream.start;
 
           var parser = new Parser(new Lexer(stream), true, this);
diff --git a/test/pdfs/bug1393476.pdf.link b/test/pdfs/bug1393476.pdf.link
new file mode 100644
index 000000000..445a04c4c
--- /dev/null
+++ b/test/pdfs/bug1393476.pdf.link
@@ -0,0 +1 @@
+https://bugzilla.mozilla.org/attachment.cgi?id=8900754
diff --git a/test/test_manifest.json b/test/test_manifest.json
index 92e63e59a..96c0034d0 100644
--- a/test/test_manifest.json
+++ b/test/test_manifest.json
@@ -820,6 +820,13 @@
        "link": false,
        "type": "eq"
     },
+    {  "id": "bug1393476",
+       "file": "pdfs/bug1393476.pdf",
+       "md5": "163ee8727c77f27ee651eec777bb20a9",
+       "rounds": 1,
+       "link": true,
+       "type": "eq"
+    },
     {  "id": "bug1252420",
        "file": "pdfs/bug1252420.pdf",
        "md5": "f21c911b9b655972b06ef782a1fa6a17",