Check the top-level /Pages dictionary when finding the trailer in XRef.indexObjects (issue 12402)

In addition to the existing /Root and /Pages validation, also check that the /Pages-entry actually is a dictionary and that it has a valid /Count-entry. This way we can avoid picking a trailer candidate which e.g. the `Catalog.numPages` getter will just end up rejecting, thus breaking PDF document loading completely.
2020-11-25 13:44:57 +01:00 · 2020-11-25 13:44:57 +01:00 · 8a132f584d
commit 8a132f584d
parent b1d3b6eb12
3 changed files with 25 additions and 8 deletions
--- a/src/core/obj.js
+++ b/src/core/obj.js
@ -1836,14 +1836,13 @@ var XRef = (function XRefClosure() {
        }
      }
      // reading XRef streams
-      var i, ii;
-      for (i = 0, ii = xrefStms.length; i < ii; ++i) {
+      for (let i = 0, ii = xrefStms.length; i < ii; ++i) {
        this.startXRefQueue.push(xrefStms[i]);
        this.readXRef(/* recoveryMode */ true);
      }
      // finding main trailer
      let trailerDict;
-      for (i = 0, ii = trailers.length; i < ii; ++i) {
+      for (let i = 0, ii = trailers.length; i < ii; ++i) {
        stream.pos = trailers[i];
        const parser = new Parser({
          lexer: new Lexer(stream),
@ -1861,18 +1860,26 @@ var XRef = (function XRefClosure() {
          continue;
        }
        // Do some basic validation of the trailer/root dictionary candidate.
-        let rootDict;
        try {
-          rootDict = dict.get("Root");
+          const rootDict = dict.get("Root");
+          if (!(rootDict instanceof Dict)) {
+            continue;
+          }
+          const pagesDict = rootDict.get("Pages");
+          if (!(pagesDict instanceof Dict)) {
+            continue;
+          }
+          const pagesCount = pagesDict.get("Count");
+          if (!Number.isInteger(pagesCount)) {
+            continue;
+          }
+          // The top-level /Pages dictionary isn't obviously corrupt.
        } catch (ex) {
          if (ex instanceof MissingDataException) {
            throw ex;
          }
          continue;
        }
-        if (!isDict(rootDict) || !rootDict.has("Pages")) {
-          continue;
-        }
        // taking the first one with 'ID'
        if (dict.has("ID")) {
          return dict;
--- a/test/pdfs/issue12402.pdf.link
+++ b/test/pdfs/issue12402.pdf.link
@ -0,0 +1 @@
+https://github.com/mozilla/pdf.js/files/5597129/issue12402.pdf
--- a/test/test_manifest.json
+++ b/test/test_manifest.json
@ -842,6 +842,15 @@
       "link": false,
       "type": "eq"
    },
+    {  "id": "issue12402",
+       "file": "pdfs/issue12402.pdf",
+       "md5": "70031cf610e24cc7164fb6ecd6980c8e",
+       "rounds": 1,
+       "link": true,
+       "firstPage": 8,
+       "lastPage": 8,
+       "type": "eq"
+    },
    {  "id": "issue10004",
       "file": "pdfs/issue10004.pdf",
       "md5": "64d1853060cefe3be50e5c4617dd0505",
				`@ -0,0 +1 @@`
				`https://github.com/mozilla/pdf.js/files/5597129/issue12402.pdf`