From 7a5b3423d63d5106aa7fc3602d5cf189ddf69eec Mon Sep 17 00:00:00 2001
From: Calixte Denizet <calixte.denizet@gmail.com>
Date: Thu, 10 Aug 2023 15:19:41 +0200
Subject: [PATCH] [Editor] Don't forget to encrypt image streams (see issue
 #16821)

and encrypt a compressed stream after having been compressed.
---
 src/core/annotation.js        |  18 +++++++++++++++---
 src/core/writer.js            |   7 ++++---
 test/pdfs/.gitignore          |   1 +
 test/pdfs/empty_protected.pdf | Bin 0 -> 5605 bytes
 test/test_manifest.json       |  31 +++++++++++++++++++++++++++++++
 5 files changed, 51 insertions(+), 6 deletions(-)
 create mode 100755 test/pdfs/empty_protected.pdf

diff --git a/src/core/annotation.js b/src/core/annotation.js
index b4f651442..347fa3ed6 100644
--- a/src/core/annotation.js
+++ b/src/core/annotation.js
@@ -298,7 +298,13 @@ class AnnotationFactory {
             baseFont.set("Encoding", Name.get("WinAnsiEncoding"));
             const buffer = [];
             baseFontRef = xref.getNewTemporaryRef();
-            await writeObject(baseFontRef, baseFont, buffer, null);
+            const transform = xref.encrypt
+              ? xref.encrypt.createCipherTransform(
+                  baseFontRef.num,
+                  baseFontRef.gen
+                )
+              : null;
+            await writeObject(baseFontRef, baseFont, buffer, transform);
             dependencies.push({ ref: baseFontRef, data: buffer.join("") });
           }
           promises.push(
@@ -325,13 +331,19 @@ class AnnotationFactory {
             const buffer = [];
             if (smaskStream) {
               const smaskRef = xref.getNewTemporaryRef();
-              await writeObject(smaskRef, smaskStream, buffer, null);
+              const transform = xref.encrypt
+                ? xref.encrypt.createCipherTransform(smaskRef.num, smaskRef.gen)
+                : null;
+              await writeObject(smaskRef, smaskStream, buffer, transform);
               dependencies.push({ ref: smaskRef, data: buffer.join("") });
               imageStream.dict.set("SMask", smaskRef);
               buffer.length = 0;
             }
             const imageRef = (image.imageRef = xref.getNewTemporaryRef());
-            await writeObject(imageRef, imageStream, buffer, null);
+            const transform = xref.encrypt
+              ? xref.encrypt.createCipherTransform(imageRef.num, imageRef.gen)
+              : null;
+            await writeObject(imageRef, imageStream, buffer, transform);
             dependencies.push({ ref: imageRef, data: buffer.join("") });
             image.imageStream = image.smaskStream = null;
           }
diff --git a/src/core/writer.js b/src/core/writer.js
index a3b9b8473..d9223d2f1 100644
--- a/src/core/writer.js
+++ b/src/core/writer.js
@@ -46,9 +46,6 @@ async function writeDict(dict, buffer, transform) {
 
 async function writeStream(stream, buffer, transform) {
   let string = stream.getString();
-  if (transform !== null) {
-    string = transform.encryptString(string);
-  }
   const { dict } = stream;
 
   const [filter, params] = await Promise.all([
@@ -106,6 +103,10 @@ async function writeStream(stream, buffer, transform) {
     }
   }
 
+  if (transform !== null) {
+    string = transform.encryptString(string);
+  }
+
   dict.set("Length", string.length);
   await writeDict(dict, buffer, transform);
   buffer.push(" stream\n", string, "\nendstream");
diff --git a/test/pdfs/.gitignore b/test/pdfs/.gitignore
index a396de778..266b80b83 100644
--- a/test/pdfs/.gitignore
+++ b/test/pdfs/.gitignore
@@ -609,3 +609,4 @@
 !annotation_hidden_print.pdf
 !annotation_hidden_noview.pdf
 !widget_hidden_print.pdf
+!empty_protected.pdf
diff --git a/test/pdfs/empty_protected.pdf b/test/pdfs/empty_protected.pdf
new file mode 100755
index 0000000000000000000000000000000000000000..60501924d34753738a2db8b41ce81a71fe7975f4
GIT binary patch
literal 5605
zcmc&&XHZjXx2A_80wOj9LN5xbBy=Gp6bZc}Es%hK5Fnw0AVme~O{oHkqV%Fj6;V(T
z6r@N;K?S7u4mW!Ac;>sFxqrTyyJzy|&E7ljTI*TsSu^Vq)<dgFLZpza!s8R~x>=ba
z5Fi*xv~y-vPyk__+z2>NCw~GS2mxV%(g?6LNEZl!gD^k{41xgZP;MImrJ*uNkOuGq
z5Du3GLJ)8(B_&pZ8~*zlz&~9S8`8gRpb7RwJV6iV=}MwlR3%>Wa&;pCVIVzE0^Z4<
zO!Ndoph`+0jGMiupF5fIgYs7ckebsaGQkt1b_qu&{B;6I6MaEJO-2QQz(`|IXcZ(3
z0#{X$MIewe7>EoK2Bs`vB?UN2T2+m5Lj{Uf!GPgtSp-U28VN;%p-?mmgMleofi&Il
z1m6o391!344n!aX{KF=e;O0oa2!#Fc&HH=UG9UvYk>V5V$8$ppP(TP0WaQ^g0GSyO
z96+WQAV7-06hKI1PXf-BmHFbRogJRt*3Oohe!LWW=#UcjQ1Dv_1iVc{cY=!Ffwq&C
znF8I<w||02BI7*CzMcdJR%S3Ov#>BmSB;hV7qApC5x>Fw6D&X^67<t`889V%2nfg!
z2t)k#NqWOj8(`hy;ua%uXs#A0IFx82{HjOko0FT^d^{S=ywKJm^YRI*JpQZ>Z(nQw
z<JS4-@dE8UTiJ_wz-e}lEo;Qbo2%|gALp6{>`B|$v_FLKBWpj4N>z=LXG1dn$G3_X
z`69-f;6?_aiT1kg1UHbXnl?xUV`u{V<ur_veo6uS49$>?bHn32@xPuzr4b-qu^h9t
zkWRBoY}(f+eg23CyP=)CbE6+4A%%XIn{r8BRgBUcK73BS#DIiu*HkW%1FHY-B@WWX
zh$#+?=Iq?Iy1f*+apStqc<uqU3(HK`ND*f+WaaWl?!)3BJ)k56EDZ(e5h%qj2CHri
zQmN&BG#VEZ+61-F7Y7*t5fort)&4?<vU>j78jE#`=n&K2`{VG<HFx>$Pqv|Ljz^Oe
z9dCu+ABM49>R@s{Aq7Jnoa|XUn%kW1kU{g`4UkG4WQ-AOXhhHS!PpO<DhfWg^|mhS
z-1cKkE%+vl*%8&gUE?EAagYg6`ZxK1(Bfy(wFzV#9!JJ~rvrt)x?bc<l-@!Dey?2v
zkRHyFvX}j_|G^$r%Bz=%j{i6d{=3LkJ&EopqVEN;6or?R4*~+EtVmhPY6a4!bPe3U
zKBcr7O0E60WI!Mhy*%v+l)gi$F9RZ((o2Bgzv%njqkmZcZTt@mQ*-hpQJMh!S4lz;
zU`l6%{dJJ8oiin+zsZJ*<@MX*TS5xnaEX0!tDouxzQnDT*UEvNM(6ngQWYR^SCl?$
zco(<}r91cGg8b7(S%2sA8&Xo%pL>|WH>T+}j)brgH)%zyf_*%roz;duu_Z(Ioxm>&
zI`#UyRFQ+8*QZ|5`Nd?8(-q_t`ww4r3!IvIt$IhM+mtxQ$~u}-Vjy6gi+2&ax#cz^
z(3G!~pcu)dg0(U(iF3S2cpRGY2l9ST+0QioYJpG~6lCaSNB+_2w6TAM`YXr3gH_&?
zus7^`XnIYtXn5<yV<&Y*89)Gs`r*oS$5)9<8pq}3<my&}3-7QK?N-2I3W}WSN=r=x
z<e*cT$2sdd8icIo40Z876IijHgiy)7s7vOu)!3M`J|FgbHq>TJ^gc@!NW347=$hsa
zsycp!^W~hqLc56iZY5Ug{#}uf4rGIV(LIvR-F0&)y>I|GPgMgl=Xd~Zf`&#tlWx4b
zQO#Ah^@1&pPmOr@APLse(*3l)Y%V=Jt)YB5@M7vf^6krrfZaL9qc1?`4v8};uNv13
zob!<=RdN+NVfx<jt>BT_H&<FY`b>G%T|1XYVi8uBlO;Q8Rg2o579GtXHr)${4a2zw
zMLv(eKA!;pNUtB8(_nP<da%($Sr{ar*-N^nscG`$;!Se>)JeJPWPZawYWigxrWljH
z;4wz1h-6&s1HESx-m+d-KdkplI=8$M8mkUG#|piMZwXiY8d_Vob3KQPK3*QaaBr!%
zJ|Kl}-1i!`Lmd2hFR1^mOsqtm9!uorSNf8f=Q%W8r}YOVn4hPadOq{tfZNesSMB#n
zmwjul2<JG)oyOOv<b6bBVhqrhcrxIbM2i9P!Qow+P4=l>pAfxK>fr$%CaYIyQu@y2
z?zANr;^}w6=VpuFge@4Su*99(v0H8S_)^*V`~`z9=3)Qf5mYsYUQ$zU<FL&AmiYC^
zPnI*E76Bu%q&a}bI-97>nnUYY_ScThyDtxKq+Ws*+<^fdj=Bfs$pZ{NDVXo-o+*r{
zV=GDjASY%6x{EHf9T`}vl{M7PHDKkN)$&h?FnCH39+VtRm?)KAX5)4b3~(RxP{BXe
ztv{A#@on?HdPg$%6UPFn<8%2DR@fWEdNjMw@QrHx>O<xg)LMpOZ)Q$ilbWSV3M<=r
zGGkm|f(r#^>rqt+;>_edRL|WkX2a?Rx^5CA?ZD|lB?FuDw{ESjGDC7EVJ#O$GI6Es
zkFAr9WHb}mGK8EJD_ca*7}=&zybW?~%(F-3(|s-3-P0-OSwCPrZLm(fPD(s_i6bo^
zRm6}l&W_A=nppn!#cGtsthfA&Wdog)tsYk@JoK_~pI52qbnZj`qhC|YS&Eu!yt$&@
zC^eDkGcHPq-`2F;M+vDux}z<a^`0h4zPyL0<9R`6Ky&-htjZnNgN%C>vPgk;MWTFb
z)qu62&NrXD^g(2wtA?@P3p1%acSjrJXg<uCTTUlu3KgWE+#5j#Y?yR?eZIc4KT8m}
zwZrSNTz5Ipc^_J`B2?06xKU_$Wc|`1AKEu8*oBnGBtVEFoW(NLg}xn4lRC8lV%uB~
zPq?L7TjFwSJolk_%&;=G^!=#n#gaT2R+!UnuhPz<LEh$7MLnhqHNW^(7WSkJ94%@_
zb*pA@B&8k+#eeqA>CWgc39{Bi2d8<&CMTk;l{i_I!B0kE?YjM?Ms7v!9gy@q7a_Ze
zui*j^kah7+rd{CU>fK3ccL7!Hw@$<5dfBB{QoR6X0MR^Z?Gr6;1d=u6E0-!0$5>dG
zKk?k@zjhG@pAA%vDE|bAJmfp^K$%uJ@_8v0)1E?9m~&9tzDo9vk00Y=2<-=EH^pZ7
z**M`R;kVT%brhHpUWx~5E$2BJRCT94k`L#-<;ppEGQmrW9`|bHV6vxeFt=>wTKD1S
zn^oqq)bE$Z(^<D~*-V`&9`p4zwp`i_XFbv{aP$}m-*Gg)_+@Ky2w)~-ZSU?K868*x
z2uUuIJL5a<-Cr3Ha6>wbdW(&vxl+BwG329NsN>loYHf#Vll-CuMDoko!iT~)5kspw
zxcrjYq3-=hMvDfaHQh8LWso&D^S8jHz7X5ZQJv{kTg=M7^?sDD?GS$jlDkQHXI#Tf
z_q9l|;Iy;l@KhD=L}2LpS@@!l_&~uOeSt*v$JVdy8$$H?E>C~pO}iP*c}|^wYdWm8
z=5SF`XUk$ThWJTYgli}twZ7Ob$G2ib_igIYWf_48;k@n~XBWo=yQKE_cIFoI;tE~`
zpU+3{h}W*MzdhD6Kcg)E3UPmpO_*uqtm|ABE$SFVqA4PBx%`#KcvqYVxQla+m%I9S
ztT3&;{OLnCKc8WF(e$7-bT#@3756iGf77?I-SyOxC0nWYHNSi$=V<~LpRoXrg-b$=
z6afqYAqEfPRI5`4np=`_`qT22T8)Ty!Wsv9ZtOf4y7a|)kJO4Tep%YcZs+u-F~SSL
z&YsfpqoJ`1iw7cXA~1eF839T1g8y6wz|+aRT5#*0N2`LysjxxKhMt5K_jwj)fNvK5
zL_<;y)=EpK+|XJiOZm!%b3d&tv_a?~8ZplZifT&N$b9}pNXxIbiiL<=YAzj^a)Gdu
zs5L!qLwx+DudMS|AD#+`i;uuvyo951dU}>I=(F<i)=EWy1ge7c*er9E)^YWCznl7O
z@BJwK?ta1b?SdE22wyWuOUQHFiI-*{A>zl2Y0iESur{XJ)X2f<XZj62kiT}{^y5I7
ze^~B~6B#25{Fc|fbnhib*iSw}(F8mVC{k%Lyq<Ems(YD{*1DSah9l%jU;B2J;N(o*
zrw=WF%yJK^Y8QWtaN>+&gHYBNOZSV(!<p$RFK?U;x{YIsud@=W<u0<xY5G`F_O4|v
zXpP)Y6aT8jDBko#{?#_xh&^ssd`$1RBk$LHM`@fsOO%E5O88pYqtp3hdklC6Pqwr+
zk$R55bfrIXe}v=d<DCl?tePBvXiyaU$tzu7cGNaMFZwWlGRQnRQq|V`{#Au)AOlMZ
z$IN*a%(*Yd4qC<G$(noqR|xwhrOAddn^U=g4#4NJ268r-J8L{EJ{zK^hu#Yua(#K%
zzc@?E5`a2&_KXYT%UEs<YwGybi4C1NMQ!HjRrFn`(v5`{d-3}zt@6c+*s4Uurju|w
z-3sk6ckw5|9kk_$j6-(2DhsFbE86*o*zGvWo;;U>-Mi?-`<XFtH6ZHpowA^36YzUC
zHIfUk{xMgko_aOc7h6<n<(isph$JgTHsTcXZFeW@npRQ6qGQ{|t8bc#HP$m5V~=Ep
zZwd9Fboe|3qjKACSLjJ#Oo1(34~}jzi|BgsLT8Ef9e1vXF8BuTSVYectll$wXJhZo
zU;*ZhnVsaD8B#G*+_%{}nRciygFNk^q&Ld4E*WOqC>I#W`5{`3?sVyZ7%7V>7Eq;g
z$}_Ig8P$I_RAU6*a>i?HsgEY9PGOH}SK1MKtW1Js1(os2WcbYKX{<&ELC3VlS8D3u
z0R13#o9~_7T8$lp(V~X3T;4=19dX<7&5JK}IuQOhjqkn$%{0*`Y&(8r#*y8UlmXs8
z3Q@^^Okv4O{P8Qd9RLwW*A%`~1K$=}uZwA$LmJ20G8io8CFVo*jf;I2BLzx;QfIVv
zM^D{$w#e+W9T*+r!o#;a-z1CV^t)%9V767>iMFG46Vw<2hWTyLM8Qw=J;HTc`CN&F
z49&o&K%|JU$jQuJ?@8YbOSdxDh<etp(6N}HEY?%{JhDbs*Cj5`6wEE3vwkHA>BzWi
zB=YFYgh%h;r~Hw<zLC)%b!v;elgdtYrM?fxxTxY>kQ^n)w#%B9v`tq0q|1Zf-7Ac|
z?IK%x9M|s6q+Hu1V5IPo*{5upc!jV1(N`AM)q;Kpr^c!Qbg0zXJx8r|NZ0eL7rSk0
z<P@Z|*4~9O(4?DDOLR_2rDo{waesK|n6<1vt@_l6!NZ`v(@!0II4X&$GM7V!$4TtY
zl8-aN6akB*H?jDNAl3}Dh6KFbJ8f^N(Te8{&17-rd2b{VcezXO_3f0tTAy(Ft}L;T
zA-sfD`~jxET0;3Mq`;F@uW!pRSAR_AbSQUfz3h1YrF>2*Y<85@kQqCY{TZ3$__Rr&
z#-43R|Fc|Z%r^*XAcQuaBePL;kKO12ee~E!rEIsMOJ?C4BPa6K(qi*qhq(klhbs@W
zMb(bXK>6SyhwEWOetk?O1wFf~lHW|rH91d8t@bW6a$PgeG2+-3`t&+2X?c!E!|&xy
zC=)wpBB;182YXgc==C?A6T3n@%SjX0ed6;k4&5gRW&o)%e(i}$flRx0@Sc&hrEMxp
zrKvj8`iJO-E|-<VDx$HlF3=Wntsm<raJ8@}r_n9s;DCR=>mimwlr-_lC@;(Tc<EC#
zet%2kW1r1dtBwI%T#E&u$e=m<nJ-JmlCyG{_Uon-3kT%&yca{;Vn%~#OKT+KICE%u
zIPL1{fz+b(g=2*>uDy^@J;##lWV!8R0X72H?3kkZT@;{gMGMwB((>+!mra(lXErIn
z?R*O9z`Ec0#hXoz$>eY;DKD;GJ^{1Mw$W<c(jJ<qKMXtHrJSF`&cBX&e@}W8J>`c4
z_I(Wc&q1&4oe6WEu#vmbROUD3&5brp=UlGTm~WvlGy5DAcRMFxK>ek{-Un30c`rJt
zfUIstmB=*#9g7vs97*wp57WIz54A-sa0&87O;v&L`u#G0@bw=v@xS^i{r6M~hyS~?
zi{8r|t(&q|H+2*=XTODcQ^oja3xE^E_Wkg$_XaY#;=R3&toUk*6<qbUJh7rvA&1g_
z^QDX_<BQ2HyLztLX~X7&&Va(w=FAZ3xwRV|Gi?ko{kpPRR?>Lxgw$g#c$JXe(XUJT
zjq`#Q??O>F4gKDCl-TvvL>m;YE$hJIE^`%bICiV)V%35-+x>g#BmWTW|0x;5|6e7;
z|0NT`|0E7l<kJ5T2O<9<4pPyGsF`pvh%mGUD~E1K#@m|Fj?<V&69rT(8PrZZTV>M#
ZL#ZfQ;X^qFo<E@U53LXaLHw;2{trW-W%K|5

literal 0
HcmV?d00001

diff --git a/test/test_manifest.json b/test/test_manifest.json
index f66293ddc..e6ee8120e 100644
--- a/test/test_manifest.json
+++ b/test/test_manifest.json
@@ -8088,5 +8088,36 @@
       "rounds": 1,
       "link": true,
       "type": "other"
+   },
+   {
+      "id": "protected-stamp-editor-save-print",
+      "file": "pdfs/empty_protected.pdf",
+      "md5": "3a9e0ede729dceb1052bda48db47dca1",
+      "rounds": 1,
+      "type": "eq",
+      "save": true,
+      "print": true,
+      "annotationStorage": {
+        "pdfjs_internal_editor_0": {
+          "annotationType": 13,
+          "pageIndex": 0,
+          "bitmapName": "firefox_logo.png",
+          "bitmapId": "image_c29eaeb9-8839-4a09-bf7c-75a5785805cd_0",
+          "rect": [37.5, 32.406246185302734, 496.5000057220459, 519.1875],
+          "rotation": 0
+        },
+        "pdfjs_internal_editor_1": {
+          "annotationType": 13,
+          "bitmapId": "image_c29eaeb9-8839-4a09-bf7c-75a5785805cd_0",
+          "pageIndex": 0,
+          "rect": [
+           458.06250572204584,
+           473.04686737060547,
+           571.5000057220459,
+           582.7187461853027
+          ],
+          "rotation": 0
+       }
+     }
    }
 ]