From 55d486b1d59993fa17d2fddfa4c6442db096c860 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Thu, 3 Aug 2017 08:49:56 +0200
Subject: [PATCH 1/4] 1477213 - Detect recursions loop resolving objects

---
 qpdf-6.0.0-detect-recursions.patch | 61 ++++++++++++++++++++++++++++++
 qpdf.spec                          |  7 +++-
 2 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 qpdf-6.0.0-detect-recursions.patch

diff --git a/qpdf-6.0.0-detect-recursions.patch b/qpdf-6.0.0-detect-recursions.patch
new file mode 100644
index 0000000..ae87d80
--- /dev/null
+++ b/qpdf-6.0.0-detect-recursions.patch
@@ -0,0 +1,61 @@
+diff -up qpdf-6.0.0/include/qpdf/QPDF.hh.detect-recursions qpdf-6.0.0/include/qpdf/QPDF.hh
+--- qpdf-6.0.0/include/qpdf/QPDF.hh.detect-recursions	2015-11-10 18:48:52.000000000 +0100
++++ qpdf-6.0.0/include/qpdf/QPDF.hh	2017-08-02 08:41:17.500831407 +0200
+@@ -603,6 +603,25 @@ class QPDF
+         int gen;
+     };
+ 
++    class ResolveRecorder
++    {
++      public:
++        ResolveRecorder(QPDF* qpdf, QPDFObjGen const& og) :
++            qpdf(qpdf),
++            og(og)
++        {
++            qpdf->resolving.insert(og);
++        }
++        virtual ~ResolveRecorder()
++        {
++            this->qpdf->resolving.erase(og);
++        }
++      private:
++        QPDF* qpdf;
++        QPDFObjGen og;
++    };
++    friend class ResolveRecorder;
++
+     void parse(char const* password);
+     void warn(QPDFExc const& e);
+     void setTrailer(QPDFObjectHandle obj);
+@@ -1065,6 +1084,7 @@ class QPDF
+     std::map<QPDFObjGen, QPDFXRefEntry> xref_table;
+     std::set<int> deleted_objects;
+     std::map<QPDFObjGen, ObjCache> obj_cache;
++    std::set<QPDFObjGen> resolving;
+     QPDFObjectHandle trailer;
+     std::vector<QPDFObjectHandle> all_pages;
+     std::map<QPDFObjGen, int> pageobj_to_pages_pos;
+diff -up qpdf-6.0.0/libqpdf/QPDF.cc.detect-recursions qpdf-6.0.0/libqpdf/QPDF.cc
+--- qpdf-6.0.0/libqpdf/QPDF.cc.detect-recursions	2015-11-10 18:48:52.000000000 +0100
++++ qpdf-6.0.0/libqpdf/QPDF.cc	2017-08-02 08:42:19.070393817 +0200
+@@ -1453,6 +1453,20 @@ QPDF::resolve(int objid, int generation)
+     // to insert things into the object cache that don't actually
+     // exist in the file.
+     QPDFObjGen og(objid, generation);
++    if (this->resolving.count(og))
++    {
++        // This can happen if an object references itself directly or
++        // indirectly in some key that has to be resolved during
++        // object parsing, such as stream length.
++       warn(QPDFExc(qpdf_e_damaged_pdf, this->file->getName(),
++		        "", this->file->getLastOffset(),
++		        "loop detected resolving object " +
++		        QUtil::int_to_string(objid) + " " +
++		        QUtil::int_to_string(generation)));
++        return new QPDF_Null;
++    }
++    ResolveRecorder rr(this, og);
++
+     if (! this->obj_cache.count(og))
+     {
+ 	if (! this->xref_table.count(og))
diff --git a/qpdf.spec b/qpdf.spec
index 87521d3..2a5e05f 100644
--- a/qpdf.spec
+++ b/qpdf.spec
@@ -1,13 +1,14 @@
 Summary: Command-line tools and library for transforming PDF files
 Name:    qpdf
 Version: 6.0.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 # MIT: e.g. libqpdf/sha2.c
 License: Artistic 2.0 and MIT
 URL:     http://qpdf.sourceforge.net/
 Source0: http://downloads.sourceforge.net/sourceforge/qpdf/qpdf-%{version}.tar.gz
 
 Patch0:  qpdf-doc.patch
+Patch1:  qpdf-6.0.0-detect-recursions.patch
 
 BuildRequires: zlib-devel
 BuildRequires: pcre-devel
@@ -63,6 +64,7 @@ QPDF Manual
 
 # fix 'complete manual location' note in man pages
 %patch0 -p1 -b .doc
+%patch1 -p1 -b .detect-recursions
 
 sed -i -e '1s,^#!/usr/bin/env perl,#!/usr/bin/perl,' qpdf/fix-qdf
 
@@ -108,6 +110,9 @@ make check
 
 
 %changelog
+* Thu Aug 03 2017 Zdenek Dohnal <zdohnal@redhat.com> - 6.0.0-4
+- 1477213 - Detect recursions loop resolving objects
+
 * Wed Aug 03 2016 Jiri Popelka <jpopelka@redhat.com> - 6.0.0-3
 - %%{_defaultdocdir}/qpdf/ -> %%{_pkgdocdir}
 

From bfb8fcadbca01fa6438dc3e6fe09d63dea7008ce Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Thu, 3 Aug 2017 09:01:44 +0200
Subject: [PATCH 2/4] 1454820 - CVE-2017-9208

---
 qpdf-6.0.0-CVE-2017-9208.patch | 36 ++++++++++++++++++++++++++++++++++
 qpdf.spec                      |  3 +++
 2 files changed, 39 insertions(+)
 create mode 100644 qpdf-6.0.0-CVE-2017-9208.patch

diff --git a/qpdf-6.0.0-CVE-2017-9208.patch b/qpdf-6.0.0-CVE-2017-9208.patch
new file mode 100644
index 0000000..0dce309
--- /dev/null
+++ b/qpdf-6.0.0-CVE-2017-9208.patch
@@ -0,0 +1,36 @@
+diff -up qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9208 qpdf-6.0.0/libqpdf/QPDF.cc
+--- qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9208	2017-08-03 08:53:32.806072781 +0200
++++ qpdf-6.0.0/libqpdf/QPDF.cc	2017-08-03 08:55:39.529073703 +0200
+@@ -1340,6 +1340,13 @@ QPDF::readObjectAtOffset(bool try_recove
+ 	objid = atoi(tobjid.getValue().c_str());
+ 	generation = atoi(tgen.getValue().c_str());
+ 
++   if (objid == 0)
++   {
++       throw QPDFExc(qpdf_e_damaged_pdf, this->file->getName(),
++                     this->last_object_description, offset,
++                     "object with ID 0");
++   }
++
+ 	if ((exp_objid >= 0) &&
+ 	    (! ((objid == exp_objid) && (generation == exp_generation))))
+ 	{
+diff -up qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9208 qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc
+--- qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9208	2015-11-10 18:48:52.000000000 +0100
++++ qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc	2017-08-03 08:54:50.264499428 +0200
+@@ -1090,6 +1090,15 @@ QPDFObjectHandle::parseInternal(PointerH
+ QPDFObjectHandle
+ QPDFObjectHandle::newIndirect(QPDF* qpdf, int objid, int generation)
+ {
++    if (objid == 0)
++    {
++        // Special case: QPDF uses objid 0 as a sentinel for direct
++        // objects, and the PDF specification doesn't allow for object
++        // 0. Treat indirect references to object 0 as null so that we
++        // never create an indirect object with objid 0.
++        return newNull();
++    }
++
+     return QPDFObjectHandle(qpdf, objid, generation);
+ }
+ 
diff --git a/qpdf.spec b/qpdf.spec
index 2a5e05f..3b075c6 100644
--- a/qpdf.spec
+++ b/qpdf.spec
@@ -9,6 +9,7 @@ Source0: http://downloads.sourceforge.net/sourceforge/qpdf/qpdf-%{version}.tar.g
 
 Patch0:  qpdf-doc.patch
 Patch1:  qpdf-6.0.0-detect-recursions.patch
+Patch2:  qpdf-6.0.0-CVE-2017-9208.patch
 
 BuildRequires: zlib-devel
 BuildRequires: pcre-devel
@@ -65,6 +66,7 @@ QPDF Manual
 # fix 'complete manual location' note in man pages
 %patch0 -p1 -b .doc
 %patch1 -p1 -b .detect-recursions
+%patch2 -p1 -b .CVE-2017-9208
 
 sed -i -e '1s,^#!/usr/bin/env perl,#!/usr/bin/perl,' qpdf/fix-qdf
 
@@ -112,6 +114,7 @@ make check
 %changelog
 * Thu Aug 03 2017 Zdenek Dohnal <zdohnal@redhat.com> - 6.0.0-4
 - 1477213 - Detect recursions loop resolving objects
+- 1454820 - CVE-2017-9208
 
 * Wed Aug 03 2016 Jiri Popelka <jpopelka@redhat.com> - 6.0.0-3
 - %%{_defaultdocdir}/qpdf/ -> %%{_pkgdocdir}

From 1c452dd5abd49c36c2e32724061576bcfae58cf0 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Thu, 3 Aug 2017 10:08:27 +0200
Subject: [PATCH 3/4] 1454820 - CVE-2017-9209

---
 qpdf-6.0.0-CVE-2017-9209.patch | 37 ++++++++++++++++++++++++++++++++++
 qpdf.spec                      |  3 +++
 2 files changed, 40 insertions(+)
 create mode 100644 qpdf-6.0.0-CVE-2017-9209.patch

diff --git a/qpdf-6.0.0-CVE-2017-9209.patch b/qpdf-6.0.0-CVE-2017-9209.patch
new file mode 100644
index 0000000..6af336f
--- /dev/null
+++ b/qpdf-6.0.0-CVE-2017-9209.patch
@@ -0,0 +1,37 @@
+diff -up qpdf-6.0.0/include/qpdf/QPDF.hh.CVE-2017-9209 qpdf-6.0.0/include/qpdf/QPDF.hh
+--- qpdf-6.0.0/include/qpdf/QPDF.hh.CVE-2017-9209	2017-08-03 10:00:17.489291722 +0200
++++ qpdf-6.0.0/include/qpdf/QPDF.hh	2017-08-03 10:00:17.494291685 +0200
+@@ -1095,6 +1095,7 @@ class QPDF
+     // copied_stream_data_provider is owned by copied_streams
+     CopiedStreamDataProvider* copied_stream_data_provider;
+     std::set<QPDFObjGen> attachment_streams;
++    bool reconstructed_xref;    
+ 
+     // Linearization data
+     qpdf_offset_t first_xref_item_offset; // actual value from file
+diff -up qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9209 qpdf-6.0.0/libqpdf/QPDF.cc
+--- qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9209	2017-08-03 10:00:17.491291707 +0200
++++ qpdf-6.0.0/libqpdf/QPDF.cc	2017-08-03 10:01:43.243661883 +0200
+@@ -93,6 +93,7 @@ QPDF::QPDF() :
+     cached_key_generation(0),
+     pushed_inherited_attributes_to_pages(false),
+     copied_stream_data_provider(0),
++    reconstructed_xref(false),
+     first_xref_item_offset(0),
+     uncompressed_after_compressed(false)
+ {
+@@ -331,6 +332,14 @@ QPDF::setTrailer(QPDFObjectHandle obj)
+ void
+ QPDF::reconstruct_xref(QPDFExc& e)
+ {
++    if (this->reconstructed_xref)
++    {
++        // Avoid xref reconstruction infinite loops
++        throw e;
++    }
++
++    this->reconstructed_xref = true;
++
+     PCRE obj_re("^\\s*(\\d+)\\s+(\\d+)\\s+obj\\b");
+     PCRE endobj_re("^\\s*endobj\\b");
+     PCRE trailer_re("^\\s*trailer\\b");
diff --git a/qpdf.spec b/qpdf.spec
index 3b075c6..3ab8a21 100644
--- a/qpdf.spec
+++ b/qpdf.spec
@@ -10,6 +10,7 @@ Source0: http://downloads.sourceforge.net/sourceforge/qpdf/qpdf-%{version}.tar.g
 Patch0:  qpdf-doc.patch
 Patch1:  qpdf-6.0.0-detect-recursions.patch
 Patch2:  qpdf-6.0.0-CVE-2017-9208.patch
+Patch3:  qpdf-6.0.0-CVE-2017-9209.patch
 
 BuildRequires: zlib-devel
 BuildRequires: pcre-devel
@@ -67,6 +68,7 @@ QPDF Manual
 %patch0 -p1 -b .doc
 %patch1 -p1 -b .detect-recursions
 %patch2 -p1 -b .CVE-2017-9208
+%patch3 -p1 -b .CVE-2017-9209
 
 sed -i -e '1s,^#!/usr/bin/env perl,#!/usr/bin/perl,' qpdf/fix-qdf
 
@@ -115,6 +117,7 @@ make check
 * Thu Aug 03 2017 Zdenek Dohnal <zdohnal@redhat.com> - 6.0.0-4
 - 1477213 - Detect recursions loop resolving objects
 - 1454820 - CVE-2017-9208
+- 1454820 - CVE-2017-9209
 
 * Wed Aug 03 2016 Jiri Popelka <jpopelka@redhat.com> - 6.0.0-3
 - %%{_defaultdocdir}/qpdf/ -> %%{_pkgdocdir}

From 322263014577e9c17f976429fb747a23515ba6ff Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Thu, 3 Aug 2017 10:19:44 +0200
Subject: [PATCH 4/4] 1454820 - CVE-2017-9210

---
 qpdf-6.0.0-CVE-2017-9210.patch | 13 +++++++++++++
 qpdf.spec                      |  3 +++
 2 files changed, 16 insertions(+)
 create mode 100644 qpdf-6.0.0-CVE-2017-9210.patch

diff --git a/qpdf-6.0.0-CVE-2017-9210.patch b/qpdf-6.0.0-CVE-2017-9210.patch
new file mode 100644
index 0000000..e3ce8e9
--- /dev/null
+++ b/qpdf-6.0.0-CVE-2017-9210.patch
@@ -0,0 +1,13 @@
+diff -up qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9210 qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc
+--- qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9210	2017-08-03 10:09:46.670111267 +0200
++++ qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc	2017-08-03 10:10:56.430600663 +0200
+@@ -1076,8 +1076,7 @@ QPDFObjectHandle::parseInternal(PointerH
+ 		throw QPDFExc(
+ 		    qpdf_e_damaged_pdf,
+ 		    input->getName(), object_description, offset,
+-		    std::string("dictionary key not name (") +
+-		    key_obj.unparse() + ")");
++        std::string("dictionary key is not not a name token"));        
+ 	    }
+ 	    dict[key_obj.getName()] = val;
+ 	}
diff --git a/qpdf.spec b/qpdf.spec
index 3ab8a21..7ec69dd 100644
--- a/qpdf.spec
+++ b/qpdf.spec
@@ -11,6 +11,7 @@ Patch0:  qpdf-doc.patch
 Patch1:  qpdf-6.0.0-detect-recursions.patch
 Patch2:  qpdf-6.0.0-CVE-2017-9208.patch
 Patch3:  qpdf-6.0.0-CVE-2017-9209.patch
+Patch4:  qpdf-6.0.0-CVE-2017-9210.patch
 
 BuildRequires: zlib-devel
 BuildRequires: pcre-devel
@@ -69,6 +70,7 @@ QPDF Manual
 %patch1 -p1 -b .detect-recursions
 %patch2 -p1 -b .CVE-2017-9208
 %patch3 -p1 -b .CVE-2017-9209
+%patch4 -p1 -b .CVE-2017-9210
 
 sed -i -e '1s,^#!/usr/bin/env perl,#!/usr/bin/perl,' qpdf/fix-qdf
 
@@ -118,6 +120,7 @@ make check
 - 1477213 - Detect recursions loop resolving objects
 - 1454820 - CVE-2017-9208
 - 1454820 - CVE-2017-9209
+- 1454820 - CVE-2017-9210
 
 * Wed Aug 03 2016 Jiri Popelka <jpopelka@redhat.com> - 6.0.0-3
 - %%{_defaultdocdir}/qpdf/ -> %%{_pkgdocdir}