Attempt to find the next valid marker when encountering invalid image data in JpegImage.parse (issue 9425)

In the JPEG images in the referenced PDF file, the DHT (Define Huffman Tables) segments contain more data than expected based on the length parameter. Fixes 9425.
2018-02-01 10:35:38 +01:00 · 2018-02-01 10:35:38 +01:00 · f4a95de694
commit f4a95de694
parent 29d77dedad
3 changed files with 21 additions and 5 deletions
--- a/src/core/jpg.js
+++ b/src/core/jpg.js
@ -369,7 +369,7 @@ var JpegImage = (function JpegImageClosure() {
      // Some bad images seem to pad Scan blocks with e.g. zero bytes, skip past
      // those to attempt to find a valid marker (fixes issue4090.pdf).
      if (fileMarker && fileMarker.invalid) {
-        warn('decodeScan - unexpected MCU data, next marker is: ' +
+        warn('decodeScan - unexpected MCU data, current marker is: ' +
             fileMarker.invalid);
        offset = fileMarker.offset;
      }
@ -389,7 +389,7 @@ var JpegImage = (function JpegImageClosure() {
    // Some images include more Scan blocks than expected, skip past those and
    // attempt to find the next valid marker (fixes issue8182.pdf).
    if (fileMarker && fileMarker.invalid) {
-      warn('decodeScan - unexpected Scan data, next marker is: ' +
+      warn('decodeScan - unexpected Scan data, current marker is: ' +
           fileMarker.invalid);
      offset = fileMarker.offset;
    }
@ -601,12 +601,12 @@ var JpegImage = (function JpegImageClosure() {
    return component.blockData;
  }

-  function findNextFileMarker(data, currentPos, startPos) {
+  function findNextFileMarker(data, currentPos, startPos = currentPos) {
    function peekUint16(pos) {
      return (data[pos] << 8) | data[pos + 1];
    }

-    var maxPos = data.length - 1;
+    const maxPos = data.length - 1;
    var newPos = startPos < currentPos ? startPos : currentPos;

    if (currentPos >= maxPos) {
@ -649,7 +649,7 @@ var JpegImage = (function JpegImageClosure() {

        var fileMarker = findNextFileMarker(data, endOffset, offset);
        if (fileMarker && fileMarker.invalid) {
-          warn('readDataBlock - incorrect length, next marker is: ' +
+          warn('readDataBlock - incorrect length, current marker is: ' +
               fileMarker.invalid);
          endOffset = fileMarker.offset;
        }
@ -874,6 +874,13 @@ var JpegImage = (function JpegImageClosure() {
              offset -= 3;
              break;
            }
+            let nextFileMarker = findNextFileMarker(data, offset - 2);
+            if (nextFileMarker && nextFileMarker.invalid) {
+              warn('JpegImage.parse - unexpected data, current marker is: ' +
+                   nextFileMarker.invalid);
+              offset = nextFileMarker.offset;
+              break;
+            }
            throw new JpegError('unknown marker ' + fileMarker.toString(16));
        }
        fileMarker = readUint16();
--- a/test/pdfs/issue9425.pdf.link
+++ b/test/pdfs/issue9425.pdf.link
@ -0,0 +1 @@
+https://github.com/mozilla/pdf.js/files/1682471/Test.pdf
--- a/test/test_manifest.json
+++ b/test/test_manifest.json
@ -860,6 +860,14 @@
       "lastPage": 1,
       "type": "eq"
    },
+    {  "id": "issue9425",
+       "file": "pdfs/issue9425.pdf",
+       "md5": "cb5e99c9ada308304ca2dfcb7f72e3a0",
+       "rounds": 1,
+       "link": true,
+       "lastPage": 1,
+       "type": "eq"
+    },
    {  "id": "txt2pdf",
       "file": "pdfs/txt2pdf.pdf",
       "md5": "02cefa0f5e8d96313bb05163b2f88c8c",
				`@ -0,0 +1 @@`
				`https://github.com/mozilla/pdf.js/files/1682471/Test.pdf`