From bfb8fcadbca01fa6438dc3e6fe09d63dea7008ce Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Thu, 3 Aug 2017 09:01:44 +0200
Subject: [PATCH] 1454820 - CVE-2017-9208
---
qpdf-6.0.0-CVE-2017-9208.patch | 36 ++++++++++++++++++++++++++++++++++
qpdf.spec | 3 +++
2 files changed, 39 insertions(+)
create mode 100644 qpdf-6.0.0-CVE-2017-9208.patch
diff --git a/qpdf-6.0.0-CVE-2017-9208.patch b/qpdf-6.0.0-CVE-2017-9208.patch
new file mode 100644
index 0000000..0dce309
--- /dev/null
+++ b/qpdf-6.0.0-CVE-2017-9208.patch
@@ -0,0 +1,36 @@
+diff -up qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9208 qpdf-6.0.0/libqpdf/QPDF.cc
+--- qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9208 2017-08-03 08:53:32.806072781 +0200
++++ qpdf-6.0.0/libqpdf/QPDF.cc 2017-08-03 08:55:39.529073703 +0200
+@@ -1340,6 +1340,13 @@ QPDF::readObjectAtOffset(bool try_recove
+ objid = atoi(tobjid.getValue().c_str());
+ generation = atoi(tgen.getValue().c_str());
+
++ if (objid == 0)
++ {
++ throw QPDFExc(qpdf_e_damaged_pdf, this->file->getName(),
++ this->last_object_description, offset,
++ "object with ID 0");
++ }
++
+ if ((exp_objid >= 0) &&
+ (! ((objid == exp_objid) && (generation == exp_generation))))
+ {
+diff -up qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9208 qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc
+--- qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9208 2015-11-10 18:48:52.000000000 +0100
++++ qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc 2017-08-03 08:54:50.264499428 +0200
+@@ -1090,6 +1090,15 @@ QPDFObjectHandle::parseInternal(PointerH
+ QPDFObjectHandle
+ QPDFObjectHandle::newIndirect(QPDF* qpdf, int objid, int generation)
+ {
++ if (objid == 0)
++ {
++ // Special case: QPDF uses objid 0 as a sentinel for direct
++ // objects, and the PDF specification doesn't allow for object
++ // 0. Treat indirect references to object 0 as null so that we
++ // never create an indirect object with objid 0.
++ return newNull();
++ }
++
+ return QPDFObjectHandle(qpdf, objid, generation);
+ }
+
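Review bot: The new `objid == 0` guard in the QPDF.cc hunk checks a value produced by `atoi(tobjid.getValue().c_str())`, so it rejects zero but not a negative object number, and an out-of-range digit string gives `atoi` undefined behaviour before the check is reached. If the tokenizer can pass a signed or oversized integer token to this point (not visible here), the guard would be safer as `if (objid <= 0)` with the message reworded to cover any invalid object ID, and the conversion should be range-checked (for example `strtol` with an `errno` and `INT_MAX` test) rather than `atoi`. The same gap exists in `newIndirect` in the QPDFObjectHandle.cc hunk, where a negative `objid` still reaches `QPDFObjectHandle(qpdf, objid, generation)`; whether any caller depends on that is not visible. `readObjectAtOffset` starts and ends outside its hunk, so earlier validation of the token may exist and should be confirmed before changing the guard.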
diff --git a/qpdf.spec b/qpdf.spec index 2a5e05f..3b075c6 100644 --- a/qpdf.spec +++ b/qpdf.spec @@ -9,6 +9,7 @@ Source0: http://downloads.sourceforge.net/sourceforge/qpdf/qpdf-%{version}.tar.g Patch0: qpdf-doc.patch Patch1: qpdf-6.0.0-detect-recursions.patch +Patch2: qpdf-6.0.0-CVE-2017-9208.patch BuildRequires: zlib-devel BuildRequires: pcre-devel @@ -65,6 +66,7 @@ QPDF Manual # fix 'complete manual location' note in man pages %patch0 -p1 -b .doc %patch1 -p1 -b .detect-recursions +%patch2 -p1 -b .CVE-2017-9208 sed -i -e '1s,^#!/usr/bin/env perl,#!/usr/bin/perl,' qpdf/fix-qdf @@ -112,6 +114,7 @@ make check %changelog * Thu Aug 03 2017 Zdenek Dohnal - 6.0.0-4 - 1477213 - Detect recursions loop resolving objects +- 1454820 - CVE-2017-9208 * Wed Aug 03 2016 Jiri Popelka - 6.0.0-3 - %%{_defaultdocdir}/qpdf/ -> %%{_pkgdocdir}