2016-03-28 11:53:40 -04:00
|
|
|
/*
|
2025-02-14 10:24:30 -05:00
|
|
|
* Copyright (C) 2016-2025 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
|
2016-03-28 11:53:40 -04:00
|
|
|
*
|
|
|
|
|
* Author: Kevin Lin
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
|
* published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
|
|
|
|
|
* MA 02110-1301, USA.
|
|
|
|
|
*
|
|
|
|
|
* In addition, as a special exception, the copyright holders give
|
|
|
|
|
* permission to link the code of portions of this program with the
|
|
|
|
|
* OpenSSL library under certain conditions as described in each
|
|
|
|
|
* individual source file, and distribute linked combinations
|
|
|
|
|
* including the two.
|
2019-05-04 17:28:16 -04:00
|
|
|
*
|
2016-03-28 11:53:40 -04:00
|
|
|
* You must obey the GNU General Public License in all respects
|
|
|
|
|
* for all of the code used other than OpenSSL. If you modify
|
|
|
|
|
* file(s) with this exception, you may extend this exception to your
|
|
|
|
|
* version of the file(s), but you are not obligated to do so. If you
|
|
|
|
|
* do not wish to do so, delete this exception statement from your
|
|
|
|
|
* version. If you delete this exception statement from all source
|
|
|
|
|
* files in the program, then also delete it here.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#if HAVE_CONFIG_H
|
|
|
|
|
#include "clamav-config.h"
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#include <stdio.h>
|
2018-12-03 12:40:13 -05:00
|
|
|
#include <stddef.h>
|
2016-03-28 11:53:40 -04:00
|
|
|
#include <sys/types.h>
|
|
|
|
|
#include <sys/stat.h>
|
|
|
|
|
#include <ctype.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <fcntl.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <errno.h>
|
2018-12-03 12:40:13 -05:00
|
|
|
#ifdef HAVE_LIMITS_H
|
2016-03-28 11:53:40 -04:00
|
|
|
#include <limits.h>
|
|
|
|
|
#endif
|
2018-12-03 12:40:13 -05:00
|
|
|
#ifdef HAVE_UNISTD_H
|
2016-03-28 11:53:40 -04:00
|
|
|
#include <unistd.h>
|
|
|
|
|
#endif
|
|
|
|
|
#include <zlib.h>
|
|
|
|
|
|
|
|
|
|
#if HAVE_ICONV
|
|
|
|
|
#include <iconv.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#include "clamav.h"
|
|
|
|
|
#include "others.h"
|
|
|
|
|
#include "pdf.h"
|
2016-03-30 16:39:37 -04:00
|
|
|
#include "pdfdecode.h"
|
2016-03-28 11:53:40 -04:00
|
|
|
#include "str.h"
|
|
|
|
|
#include "bytecode.h"
|
|
|
|
|
#include "bytecode_api.h"
|
2016-04-13 18:46:50 -04:00
|
|
|
#include "lzw/lzwdec.h"
|
2016-03-28 11:53:40 -04:00
|
|
|
|
2016-04-18 17:11:12 -04:00
|
|
|
#define PDFTOKEN_FLAG_XREF 0x1
|
|
|
|
|
|
2019-12-20 07:53:50 -08:00
|
|
|
#define INFLATE_CHUNK_SIZE (1024 * 256)
|
|
|
|
|
|
2016-03-28 11:53:40 -04:00
|
|
|
struct pdf_token {
|
2018-12-03 12:40:13 -05:00
|
|
|
uint32_t flags; /* tracking flags */
|
|
|
|
|
uint32_t success; /* successfully decoded filters */
|
2025-06-30 10:47:02 -04:00
|
|
|
size_t length; /* length of current content; TODO: transition to size_t */
|
2018-12-03 12:40:13 -05:00
|
|
|
uint8_t *content; /* content stream */
|
2016-03-28 11:53:40 -04:00
|
|
|
};
|
|
|
|
|
|
2018-10-01 19:46:23 -04:00
|
|
|
static size_t pdf_decodestream_internal(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdf_dict *params, struct pdf_token *token, int fout, cl_error_t *status, struct objstm_struct *objstm);
|
2018-08-14 14:00:31 -07:00
|
|
|
|
|
|
|
|
static cl_error_t filter_ascii85decode(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdf_token *token);
|
|
|
|
|
static cl_error_t filter_rldecode(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdf_token *token);
|
|
|
|
|
static cl_error_t filter_flatedecode(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdf_dict *params, struct pdf_token *token);
|
|
|
|
|
static cl_error_t filter_asciihexdecode(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdf_token *token);
|
|
|
|
|
static cl_error_t filter_decrypt(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdf_dict *params, struct pdf_token *token, int mode);
|
|
|
|
|
static cl_error_t filter_lzwdecode(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdf_dict *params, struct pdf_token *token);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @brief Wrapper function for pdf_decodestream_internal.
|
2019-05-04 17:28:16 -04:00
|
|
|
*
|
2018-08-14 14:00:31 -07:00
|
|
|
* Allocate a token object to store decoded filter data.
|
|
|
|
|
* Parse/decode the filter data and scan it.
|
2019-05-04 17:28:16 -04:00
|
|
|
*
|
2018-08-14 14:00:31 -07:00
|
|
|
* @param pdf Pdf context structure.
|
|
|
|
|
* @param obj The object we found the filter content in.
|
|
|
|
|
* @param params (optional) Dictionary parameters describing the filter data.
|
|
|
|
|
* @param stream Filter stream buffer pointer.
|
|
|
|
|
* @param streamlen Length of filter stream buffer.
|
|
|
|
|
* @param xref Indicates if the stream is an /XRef stream. Do not apply forced decryption on /XRef streams.
|
2023-11-26 15:01:19 -08:00
|
|
|
* @param fout File descriptor to write to be scanned.
|
2018-08-14 14:00:31 -07:00
|
|
|
* @param[out] rc Return code ()
|
|
|
|
|
* @param objstm (optional) Object stream context structure.
|
2018-10-01 19:46:23 -04:00
|
|
|
* @return size_t The number of bytes written to 'fout' to be scanned.
|
2018-08-14 14:00:31 -07:00
|
|
|
*/
|
2018-10-01 19:46:23 -04:00
|
|
|
size_t pdf_decodestream(
|
2018-08-14 14:00:31 -07:00
|
|
|
struct pdf_struct *pdf, struct pdf_obj *obj, struct pdf_dict *params,
|
|
|
|
|
const char *stream, uint32_t streamlen, int xref, int fout, cl_error_t *status,
|
|
|
|
|
struct objstm_struct *objstm)
|
|
|
|
|
{
|
|
|
|
|
struct pdf_token *token = NULL;
|
2018-12-03 12:40:13 -05:00
|
|
|
size_t bytes_scanned = 0;
|
2016-03-30 17:30:06 -04:00
|
|
|
|
2018-08-14 14:00:31 -07:00
|
|
|
if (!status) {
|
|
|
|
|
/* invalid args, and no way to pass back the status code */
|
2018-10-01 19:46:23 -04:00
|
|
|
return 0;
|
2018-08-14 14:00:31 -07:00
|
|
|
}
|
2016-03-28 11:53:40 -04:00
|
|
|
|
2018-08-14 14:00:31 -07:00
|
|
|
if (!pdf || !obj) {
|
|
|
|
|
/* Invalid args */
|
2018-10-01 19:46:23 -04:00
|
|
|
*status = CL_EARG;
|
2018-08-14 14:00:31 -07:00
|
|
|
goto done;
|
|
|
|
|
}
|
2016-03-28 11:53:40 -04:00
|
|
|
|
2016-03-31 16:32:26 -04:00
|
|
|
if (!stream || !streamlen || fout < 0) {
|
2018-12-03 12:40:13 -05:00
|
|
|
cli_dbgmsg("pdf_decodestream: no filters or stream on obj %u %u\n", obj->id >> 8, obj->id & 0xff);
|
2018-10-01 19:46:23 -04:00
|
|
|
*status = CL_ENULLARG;
|
2018-08-14 14:00:31 -07:00
|
|
|
goto done;
|
2016-03-28 11:53:40 -04:00
|
|
|
}
|
|
|
|
|
|
2018-10-01 19:46:23 -04:00
|
|
|
*status = CL_SUCCESS;
|
|
|
|
|
|
2016-03-30 16:39:37 -04:00
|
|
|
#if 0
|
|
|
|
|
if (params)
|
|
|
|
|
pdf_print_dict(params, 0);
|
|
|
|
|
#endif
|
|
|
|
|
|
2025-08-27 14:22:35 -04:00
|
|
|
CLI_CALLOC_OR_GOTO_DONE(
|
|
|
|
|
token, 1, sizeof(struct pdf_token),
|
|
|
|
|
*status = CL_EMEM);
|
2016-03-28 11:53:40 -04:00
|
|
|
|
2016-04-18 17:11:12 -04:00
|
|
|
token->flags = 0;
|
|
|
|
|
if (xref)
|
|
|
|
|
token->flags |= PDFTOKEN_FLAG_XREF;
|
|
|
|
|
|
2016-04-18 17:11:59 -04:00
|
|
|
token->success = 0;
|
|
|
|
|
|
2025-08-27 14:22:35 -04:00
|
|
|
CLI_MAX_CALLOC_OR_GOTO_DONE(
|
|
|
|
|
token->content, 1, streamlen,
|
|
|
|
|
*status = CL_EMEM);
|
2022-08-23 16:59:14 -07:00
|
|
|
|
2016-03-28 11:53:40 -04:00
|
|
|
memcpy(token->content, stream, streamlen);
|
|
|
|
|
token->length = streamlen;
|
|
|
|
|
|
2018-08-14 14:00:31 -07:00
|
|
|
cli_dbgmsg("pdf_decodestream: detected %lu applied filters\n", (long unsigned)(obj->numfilters));
|
2016-03-31 16:32:26 -04:00
|
|
|
|
2018-10-01 19:46:23 -04:00
|
|
|
bytes_scanned = pdf_decodestream_internal(pdf, obj, params, token, fout, status, objstm);
|
2022-08-23 16:59:14 -07:00
|
|
|
if (CL_VIRUS == *status) {
|
2018-10-01 19:46:23 -04:00
|
|
|
goto done;
|
|
|
|
|
}
|
2018-08-14 14:00:31 -07:00
|
|
|
|
2018-10-01 19:46:23 -04:00
|
|
|
if (0 == token->success) {
|
2018-08-14 14:00:31 -07:00
|
|
|
/*
|
2018-10-01 19:46:23 -04:00
|
|
|
* Either:
|
|
|
|
|
* a) it failed to decode any filters, or
|
|
|
|
|
* b) there were no filters.
|
|
|
|
|
*
|
|
|
|
|
* Write out the raw stream to be scanned.
|
|
|
|
|
*
|
|
|
|
|
* Nota bene: If it did decode any filters, the internal() function would
|
|
|
|
|
* have written out the decoded stream to be scanned.
|
2018-08-14 14:00:31 -07:00
|
|
|
*/
|
2016-04-18 17:11:59 -04:00
|
|
|
if (!cli_checklimits("pdf", pdf->ctx, streamlen, 0, 0)) {
|
2018-08-14 14:00:31 -07:00
|
|
|
cli_dbgmsg("pdf_decodestream: no non-forced filters decoded, returning raw stream\n");
|
2016-04-18 17:11:59 -04:00
|
|
|
|
|
|
|
|
if (cli_writen(fout, stream, streamlen) != streamlen) {
|
2018-10-01 19:46:23 -04:00
|
|
|
cli_errmsg("pdf_decodestream: failed to write raw stream to output file\n");
|
|
|
|
|
} else {
|
|
|
|
|
bytes_scanned = streamlen;
|
2016-04-18 17:11:59 -04:00
|
|
|
}
|
2016-03-30 16:39:37 -04:00
|
|
|
}
|
2016-03-28 11:53:40 -04:00
|
|
|
}
|
|
|
|
|
|
2018-08-14 14:00:31 -07:00
|
|
|
done:
|
|
|
|
|
/*
|
|
|
|
|
* Free up the token, and token content, if any.
|
|
|
|
|
*/
|
2018-12-03 12:40:13 -05:00
|
|
|
if (NULL != token) {
|
2018-08-14 14:00:31 -07:00
|
|
|
if (NULL != token->content) {
|
|
|
|
|
free(token->content);
|
|
|
|
|
token->content = NULL;
|
2018-12-03 12:40:13 -05:00
|
|
|
token->length = 0;
|
2018-08-14 14:00:31 -07:00
|
|
|
}
|
|
|
|
|
free(token);
|
|
|
|
|
token = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return bytes_scanned;
|
2016-03-28 11:53:40 -04:00
|
|
|
}
|
|
|
|
|
|
2018-08-14 14:00:31 -07:00
|
|
|
/**
|
2019-05-04 17:28:16 -04:00
|
|
|
* @brief Decode filter buffer data.
|
|
|
|
|
*
|
2018-08-14 14:00:31 -07:00
|
|
|
* Attempt to decompress, decrypt or otherwise parse it.
|
2019-05-04 17:28:16 -04:00
|
|
|
*
|
2018-08-14 14:00:31 -07:00
|
|
|
* @param pdf Pdf context structure.
|
|
|
|
|
* @param obj The object we found the filter content in.
|
|
|
|
|
* @param params (optional) Dictionary parameters describing the filter data.
|
|
|
|
|
* @param token Pointer to and length of filter data.
|
2023-11-26 15:01:19 -08:00
|
|
|
* @param fout File handle to write data to be scanned.
|
2018-08-14 14:00:31 -07:00
|
|
|
* @param[out] status CL_CLEAN/CL_SUCCESS or CL_VIRUS/CL_E<error>
|
|
|
|
|
* @param objstm (optional) Object stream context structure.
|
|
|
|
|
* @return ptrdiff_t The number of bytes we wrote to 'fout'. -1 if failed out.
|
|
|
|
|
*/
|
2018-10-01 19:46:23 -04:00
|
|
|
static size_t pdf_decodestream_internal(
|
2018-08-14 14:00:31 -07:00
|
|
|
struct pdf_struct *pdf, struct pdf_obj *obj, struct pdf_dict *params,
|
|
|
|
|
struct pdf_token *token, int fout, cl_error_t *status, struct objstm_struct *objstm)
|
2016-03-28 11:53:40 -04:00
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
cl_error_t retval = CL_SUCCESS;
|
2018-10-01 19:46:23 -04:00
|
|
|
size_t bytes_scanned = 0;
|
2018-12-03 12:40:13 -05:00
|
|
|
const char *filter = NULL;
|
2019-05-04 17:28:16 -04:00
|
|
|
uint32_t i;
|
2016-03-28 11:53:40 -04:00
|
|
|
|
2018-08-14 14:00:31 -07:00
|
|
|
if (!status) {
|
|
|
|
|
/* invalid args, and no way to pass back the status code */
|
2018-10-01 19:46:23 -04:00
|
|
|
return 0;
|
2018-08-14 14:00:31 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!pdf || !obj || !token) {
|
|
|
|
|
/* Invalid args */
|
2018-10-01 19:46:23 -04:00
|
|
|
*status = CL_EARG;
|
2018-08-14 14:00:31 -07:00
|
|
|
goto done;
|
|
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
|
2018-10-01 19:46:23 -04:00
|
|
|
*status = CL_SUCCESS;
|
2018-12-03 12:40:13 -05:00
|
|
|
|
2016-04-01 15:18:32 -04:00
|
|
|
/*
|
|
|
|
|
* if pdf is decryptable, scan for CRYPT filter
|
|
|
|
|
* if none, force a DECRYPT filter application
|
|
|
|
|
*/
|
|
|
|
|
if ((pdf->flags & (1 << DECRYPTABLE_PDF)) && !(obj->flags & (1 << OBJ_FILTER_CRYPT))) {
|
2016-04-18 17:11:12 -04:00
|
|
|
if (token->flags & PDFTOKEN_FLAG_XREF) /* TODO: is this on all crypt filters or only the assumed one? */
|
2018-08-14 14:00:31 -07:00
|
|
|
cli_dbgmsg("pdf_decodestream_internal: skipping decoding => non-filter CRYPT (reason: xref)\n");
|
2016-04-18 17:11:12 -04:00
|
|
|
else {
|
2018-08-14 14:00:31 -07:00
|
|
|
cli_dbgmsg("pdf_decodestream_internal: decoding => non-filter CRYPT\n");
|
|
|
|
|
retval = filter_decrypt(pdf, obj, params, token, 1);
|
|
|
|
|
if (retval != CL_SUCCESS) {
|
2018-10-01 19:46:23 -04:00
|
|
|
*status = CL_EPARSE;
|
2018-08-14 14:00:31 -07:00
|
|
|
goto done;
|
2016-04-18 17:11:12 -04:00
|
|
|
}
|
2016-04-01 15:18:32 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-03-28 11:53:40 -04:00
|
|
|
for (i = 0; i < obj->numfilters; i++) {
|
2018-12-03 12:40:13 -05:00
|
|
|
switch (obj->filterlist[i]) {
|
|
|
|
|
case OBJ_FILTER_A85:
|
2019-05-04 17:28:16 -04:00
|
|
|
cli_dbgmsg("pdf_decodestream_internal: decoding [%u] => ASCII85DECODE\n", obj->filterlist[i]);
|
2018-12-03 12:40:13 -05:00
|
|
|
retval = filter_ascii85decode(pdf, obj, token);
|
|
|
|
|
break;
|
2016-03-28 11:53:40 -04:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
case OBJ_FILTER_RL:
|
2019-05-04 17:28:16 -04:00
|
|
|
cli_dbgmsg("pdf_decodestream_internal: decoding [%u] => RLDECODE\n", obj->filterlist[i]);
|
2018-12-03 12:40:13 -05:00
|
|
|
retval = filter_rldecode(pdf, obj, token);
|
|
|
|
|
break;
|
2016-03-29 12:52:08 -04:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
case OBJ_FILTER_FLATE:
|
2019-05-04 17:28:16 -04:00
|
|
|
cli_dbgmsg("pdf_decodestream_internal: decoding [%u] => FLATEDECODE\n", obj->filterlist[i]);
|
2018-12-03 12:40:13 -05:00
|
|
|
retval = filter_flatedecode(pdf, obj, params, token);
|
|
|
|
|
break;
|
2016-03-28 11:53:40 -04:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
case OBJ_FILTER_AH:
|
2019-05-04 17:28:16 -04:00
|
|
|
cli_dbgmsg("pdf_decodestream_internal: decoding [%u] => ASCIIHEXDECODE\n", obj->filterlist[i]);
|
2018-12-03 12:40:13 -05:00
|
|
|
retval = filter_asciihexdecode(pdf, obj, token);
|
|
|
|
|
break;
|
2016-03-28 11:53:40 -04:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
case OBJ_FILTER_CRYPT:
|
2019-05-04 17:28:16 -04:00
|
|
|
cli_dbgmsg("pdf_decodestream_internal: decoding [%u] => CRYPT\n", obj->filterlist[i]);
|
2018-12-03 12:40:13 -05:00
|
|
|
retval = filter_decrypt(pdf, obj, params, token, 0);
|
|
|
|
|
break;
|
2016-03-30 16:39:37 -04:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
case OBJ_FILTER_LZW:
|
2019-05-04 17:28:16 -04:00
|
|
|
cli_dbgmsg("pdf_decodestream_internal: decoding [%u] => LZWDECODE\n", obj->filterlist[i]);
|
2018-12-03 12:40:13 -05:00
|
|
|
retval = filter_lzwdecode(pdf, obj, params, token);
|
|
|
|
|
break;
|
2016-04-13 18:46:50 -04:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
case OBJ_FILTER_JPX:
|
|
|
|
|
if (!filter) filter = "JPXDECODE";
|
2020-01-14 17:48:02 -05:00
|
|
|
/*fallthrough*/
|
2018-12-03 12:40:13 -05:00
|
|
|
case OBJ_FILTER_DCT:
|
|
|
|
|
if (!filter) filter = "DCTDECODE";
|
2020-01-14 17:48:02 -05:00
|
|
|
/*fallthrough*/
|
2018-12-03 12:40:13 -05:00
|
|
|
case OBJ_FILTER_FAX:
|
|
|
|
|
if (!filter) filter = "FAXDECODE";
|
2020-01-14 17:48:02 -05:00
|
|
|
/*fallthrough*/
|
2018-12-03 12:40:13 -05:00
|
|
|
case OBJ_FILTER_JBIG2:
|
|
|
|
|
if (!filter) filter = "JBIG2DECODE";
|
|
|
|
|
|
2019-05-04 17:28:16 -04:00
|
|
|
cli_dbgmsg("pdf_decodestream_internal: unimplemented filter type [%u] => %s\n", obj->filterlist[i], filter);
|
2018-12-03 12:40:13 -05:00
|
|
|
filter = NULL;
|
|
|
|
|
retval = CL_BREAK;
|
|
|
|
|
break;
|
2016-03-28 11:53:40 -04:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
default:
|
2019-05-04 17:28:16 -04:00
|
|
|
cli_dbgmsg("pdf_decodestream_internal: unknown filter type [%u]\n", obj->filterlist[i]);
|
2018-12-03 12:40:13 -05:00
|
|
|
retval = CL_BREAK;
|
|
|
|
|
break;
|
2016-03-28 11:53:40 -04:00
|
|
|
}
|
|
|
|
|
|
2016-03-30 17:39:45 -04:00
|
|
|
if (!(token->content) || !(token->length)) {
|
2019-05-04 17:28:16 -04:00
|
|
|
cli_dbgmsg("pdf_decodestream_internal: empty content, breaking after %u (of %u) filters\n", i, obj->numfilters);
|
2016-03-30 17:39:45 -04:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2018-08-14 14:00:31 -07:00
|
|
|
if (retval != CL_SUCCESS) {
|
2022-08-23 16:59:14 -07:00
|
|
|
const char *reason;
|
|
|
|
|
|
|
|
|
|
switch (retval) {
|
|
|
|
|
case CL_VIRUS:
|
|
|
|
|
*status = CL_VIRUS;
|
|
|
|
|
reason = "detection";
|
|
|
|
|
break;
|
|
|
|
|
case CL_BREAK:
|
|
|
|
|
*status = CL_SUCCESS;
|
|
|
|
|
reason = "decoding break";
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
*status = CL_EPARSE;
|
|
|
|
|
reason = "decoding error";
|
|
|
|
|
break;
|
2016-04-14 15:17:02 -04:00
|
|
|
}
|
2022-08-23 16:59:14 -07:00
|
|
|
|
|
|
|
|
cli_dbgmsg("pdf_decodestream_internal: stopping after %d (of %u) filters (reason: %s)\n", i, obj->numfilters, reason);
|
|
|
|
|
break;
|
2016-03-30 17:39:45 -04:00
|
|
|
}
|
2016-04-18 17:11:59 -04:00
|
|
|
token->success++;
|
2018-08-14 14:00:31 -07:00
|
|
|
}
|
2016-03-31 15:51:23 -04:00
|
|
|
|
2018-11-14 16:58:30 -05:00
|
|
|
if ((token->success > 0) && (NULL != token->content)) {
|
2018-08-14 14:00:31 -07:00
|
|
|
/*
|
2018-10-01 19:46:23 -04:00
|
|
|
* Looks like we successfully decoded some or all of the stream filters,
|
|
|
|
|
* so lets write it out to a file descriptor we scan.
|
|
|
|
|
*
|
|
|
|
|
* In the event that we didn't decode any filters (or maybe there
|
|
|
|
|
* weren't any filters), the calling function will do the same with
|
|
|
|
|
* the raw stream.
|
2018-08-14 14:00:31 -07:00
|
|
|
*/
|
2018-10-01 19:46:23 -04:00
|
|
|
if (CL_SUCCESS == cli_checklimits("pdf", pdf->ctx, token->length, 0, 0)) {
|
2018-08-14 14:00:31 -07:00
|
|
|
if (cli_writen(fout, token->content, token->length) != token->length) {
|
2018-10-01 19:46:23 -04:00
|
|
|
cli_errmsg("pdf_decodestream_internal: failed to write decoded stream content to output file\n");
|
|
|
|
|
} else {
|
|
|
|
|
bytes_scanned = token->length;
|
2018-08-14 14:00:31 -07:00
|
|
|
}
|
2016-03-30 17:30:06 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-01 19:46:23 -04:00
|
|
|
if ((NULL != objstm) &&
|
2022-08-23 16:59:14 -07:00
|
|
|
(CL_SUCCESS == *status)) {
|
2019-05-04 17:28:16 -04:00
|
|
|
unsigned int objs_found = pdf->nobjs;
|
2018-10-01 19:46:23 -04:00
|
|
|
|
2018-08-14 14:00:31 -07:00
|
|
|
/*
|
|
|
|
|
* The caller indicated that the decoded data is an object stream.
|
|
|
|
|
* Perform experimental object stream parsing to extract objects from the stream.
|
|
|
|
|
*/
|
2018-12-03 12:40:13 -05:00
|
|
|
objstm->streambuf = (char *)token->content;
|
2018-08-14 14:00:31 -07:00
|
|
|
objstm->streambuf_len = (size_t)token->length;
|
|
|
|
|
|
|
|
|
|
/* Take ownership of the malloc'd buffer */
|
|
|
|
|
token->content = NULL;
|
2018-12-03 12:40:13 -05:00
|
|
|
token->length = 0;
|
2018-08-14 14:00:31 -07:00
|
|
|
|
2018-10-01 19:46:23 -04:00
|
|
|
/* Don't store the result. It's ok if some or all objects failed to parse.
|
|
|
|
|
It would be far worse to add objects from a stream to the list, and then free
|
|
|
|
|
the stream buffer due to an "error". */
|
2018-12-03 12:40:13 -05:00
|
|
|
if (CL_SUCCESS != pdf_find_and_parse_objs_in_objstm(pdf, objstm)) {
|
2018-08-14 14:00:31 -07:00
|
|
|
cli_dbgmsg("pdf_decodestream_internal: pdf_find_and_parse_objs_in_objstm failed!\n");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (pdf->nobjs <= objs_found) {
|
|
|
|
|
cli_dbgmsg("pdf_decodestream_internal: pdf_find_and_parse_objs_in_objstm did not find any new objects!\n");
|
|
|
|
|
} else {
|
2019-05-04 17:28:16 -04:00
|
|
|
cli_dbgmsg("pdf_decodestream_internal: pdf_find_and_parse_objs_in_objstm found %u new objects.\n", pdf->nobjs - objs_found);
|
2018-08-14 14:00:31 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
done:
|
|
|
|
|
|
|
|
|
|
return bytes_scanned;
|
2016-03-30 17:30:06 -04:00
|
|
|
}
|
|
|
|
|
|
2016-03-30 16:39:37 -04:00
|
|
|
/*
|
|
|
|
|
* ascii85 inflation
|
|
|
|
|
* See http://www.piclist.com/techref/method/encode.htm (look for base85)
|
|
|
|
|
*/
|
2018-08-14 14:00:31 -07:00
|
|
|
static cl_error_t filter_ascii85decode(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdf_token *token)
|
2016-03-28 11:53:40 -04:00
|
|
|
{
|
2016-04-01 15:18:32 -04:00
|
|
|
uint8_t *decoded, *dptr;
|
2016-03-28 11:53:40 -04:00
|
|
|
uint32_t declen = 0;
|
|
|
|
|
|
|
|
|
|
const uint8_t *ptr = (uint8_t *)token->content;
|
2025-06-30 10:47:02 -04:00
|
|
|
size_t remaining = token->length;
|
2016-03-28 11:53:40 -04:00
|
|
|
int quintet = 0, rc = CL_SUCCESS;
|
|
|
|
|
uint64_t sum = 0;
|
|
|
|
|
|
2025-06-30 10:47:02 -04:00
|
|
|
/* Check for overflow */
|
|
|
|
|
if (remaining > (SIZE_MAX / 4)) {
|
|
|
|
|
cli_dbgmsg("cli_pdf: ascii85decode: overflow detected\n");
|
|
|
|
|
return CL_EFORMAT;
|
|
|
|
|
}
|
|
|
|
|
|
2016-04-01 15:18:32 -04:00
|
|
|
/* 5:4 decoding ratio, with 1:4 expansion sequences => (4*length)+1 */
|
2022-05-09 14:28:34 -07:00
|
|
|
if (!(dptr = decoded = (uint8_t *)cli_max_malloc((4 * remaining) + 1))) {
|
2016-03-28 11:53:40 -04:00
|
|
|
cli_errmsg("cli_pdf: cannot allocate memory for decoded output\n");
|
|
|
|
|
return CL_EMEM;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (cli_memstr((const char *)ptr, remaining, "~>", 2) == NULL)
|
2016-03-28 11:53:40 -04:00
|
|
|
cli_dbgmsg("cli_pdf: no EOF marker found\n");
|
|
|
|
|
|
|
|
|
|
while (remaining > 0) {
|
|
|
|
|
int byte = (remaining--) ? (int)*ptr++ : EOF;
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((byte == '~') && (remaining > 0) && (*ptr == '>'))
|
2016-03-28 11:53:40 -04:00
|
|
|
byte = EOF;
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (byte >= '!' && byte <= 'u') {
|
2016-03-28 11:53:40 -04:00
|
|
|
sum = (sum * 85) + ((uint32_t)byte - '!');
|
2018-12-03 12:40:13 -05:00
|
|
|
if (++quintet == 5) {
|
2016-04-01 15:18:32 -04:00
|
|
|
*dptr++ = (unsigned char)(sum >> 24);
|
|
|
|
|
*dptr++ = (unsigned char)((sum >> 16) & 0xFF);
|
|
|
|
|
*dptr++ = (unsigned char)((sum >> 8) & 0xFF);
|
|
|
|
|
*dptr++ = (unsigned char)(sum & 0xFF);
|
2016-03-28 11:53:40 -04:00
|
|
|
|
|
|
|
|
declen += 4;
|
|
|
|
|
quintet = 0;
|
2018-12-03 12:40:13 -05:00
|
|
|
sum = 0;
|
2016-03-28 11:53:40 -04:00
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
} else if (byte == 'z') {
|
|
|
|
|
if (quintet) {
|
2016-03-28 11:53:40 -04:00
|
|
|
cli_dbgmsg("cli_pdf: unexpected 'z'\n");
|
|
|
|
|
rc = CL_EFORMAT;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2016-04-01 15:18:32 -04:00
|
|
|
*dptr++ = '\0';
|
|
|
|
|
*dptr++ = '\0';
|
|
|
|
|
*dptr++ = '\0';
|
|
|
|
|
*dptr++ = '\0';
|
2016-03-28 11:53:40 -04:00
|
|
|
|
|
|
|
|
declen += 4;
|
2018-12-03 12:40:13 -05:00
|
|
|
} else if (byte == EOF) {
|
2016-04-05 17:04:10 -04:00
|
|
|
cli_dbgmsg("cli_pdf: last quintet contains %d bytes\n", quintet);
|
2018-12-03 12:40:13 -05:00
|
|
|
if (quintet) {
|
2016-03-28 11:53:40 -04:00
|
|
|
int i;
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (quintet == 1) {
|
2016-04-05 17:04:10 -04:00
|
|
|
cli_dbgmsg("cli_pdf: invalid last quintet (only 1 byte)\n");
|
2016-03-28 11:53:40 -04:00
|
|
|
rc = CL_EFORMAT;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
for (i = quintet; i < 5; i++)
|
2016-03-28 11:53:40 -04:00
|
|
|
sum *= 85;
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (quintet > 1)
|
2016-03-28 11:53:40 -04:00
|
|
|
sum += (0xFFFFFF >> ((quintet - 2) * 8));
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
for (i = 0; i < quintet - 1; i++)
|
2016-04-01 15:18:32 -04:00
|
|
|
*dptr++ = (uint8_t)((sum >> (24 - 8 * i)) & 0xFF);
|
2018-12-03 12:40:13 -05:00
|
|
|
declen += quintet - 1;
|
2016-03-28 11:53:40 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
break;
|
2018-12-03 12:40:13 -05:00
|
|
|
} else if (!isspace(byte)) {
|
2025-09-26 18:26:00 -04:00
|
|
|
cli_dbgmsg("cli_pdf: invalid character 0x%x @ %zu\n",
|
|
|
|
|
byte & 0xFF, token->length - remaining);
|
2016-03-28 11:53:40 -04:00
|
|
|
|
|
|
|
|
rc = CL_EFORMAT;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (rc == CL_SUCCESS) {
|
|
|
|
|
free(token->content);
|
|
|
|
|
|
2025-09-26 18:26:00 -04:00
|
|
|
cli_dbgmsg("cli_pdf: deflated " STDu32 " bytes from %zu total bytes\n",
|
|
|
|
|
declen, token->length);
|
2016-03-28 11:53:40 -04:00
|
|
|
|
|
|
|
|
token->content = decoded;
|
2018-12-03 12:40:13 -05:00
|
|
|
token->length = declen;
|
2016-03-28 11:53:40 -04:00
|
|
|
} else {
|
2016-03-31 15:19:07 -04:00
|
|
|
if (!(obj->flags & ((1 << OBJ_IMAGE) | (1 << OBJ_TRUNCATED))))
|
|
|
|
|
pdfobj_flag(pdf, obj, BAD_ASCIIDECODE);
|
|
|
|
|
|
2025-09-26 18:26:00 -04:00
|
|
|
cli_dbgmsg("cli_pdf: error occurred parsing byte %zu of %zu\n",
|
|
|
|
|
token->length - remaining, token->length);
|
2016-03-28 11:53:40 -04:00
|
|
|
free(decoded);
|
|
|
|
|
}
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
2016-03-29 12:52:08 -04:00
|
|
|
/* imported from razorback */
|
2018-08-14 14:00:31 -07:00
|
|
|
static cl_error_t filter_rldecode(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdf_token *token)
|
2016-03-28 11:53:40 -04:00
|
|
|
{
|
2016-03-29 12:52:08 -04:00
|
|
|
uint8_t *decoded, *temp;
|
|
|
|
|
uint32_t declen = 0, capacity = 0;
|
|
|
|
|
|
|
|
|
|
uint8_t *content = (uint8_t *)token->content;
|
2018-12-03 12:40:13 -05:00
|
|
|
uint32_t length = token->length;
|
|
|
|
|
uint32_t offset = 0;
|
|
|
|
|
int rc = CL_SUCCESS;
|
2016-03-29 12:52:08 -04:00
|
|
|
|
2016-03-30 17:39:45 -04:00
|
|
|
UNUSEDPARAM(obj);
|
|
|
|
|
|
2019-12-20 07:53:50 -08:00
|
|
|
capacity = INFLATE_CHUNK_SIZE;
|
|
|
|
|
|
2022-05-08 14:59:09 -07:00
|
|
|
if (!(decoded = (uint8_t *)malloc(capacity))) {
|
2016-03-29 12:52:08 -04:00
|
|
|
cli_errmsg("cli_pdf: cannot allocate memory for decoded output\n");
|
|
|
|
|
return CL_EMEM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
while (offset < length) {
|
|
|
|
|
uint8_t srclen = content[offset++];
|
|
|
|
|
if (srclen < 128) {
|
|
|
|
|
/* direct copy of (srclen + 1) bytes */
|
|
|
|
|
if (offset + srclen + 1 > length) {
|
|
|
|
|
cli_dbgmsg("cli_pdf: required source length (%lu) exceeds remaining length (%lu)\n",
|
2018-12-03 12:40:13 -05:00
|
|
|
(long unsigned)(offset + srclen + 1), (long unsigned)(length - offset));
|
2016-03-29 12:52:08 -04:00
|
|
|
rc = CL_EFORMAT;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (declen + srclen + 1 > capacity) {
|
2019-12-20 07:53:50 -08:00
|
|
|
|
|
|
|
|
if ((rc = cli_checklimits("pdf", pdf->ctx, capacity + INFLATE_CHUNK_SIZE, 0, 0)) != CL_SUCCESS)
|
2016-03-30 17:39:45 -04:00
|
|
|
break;
|
|
|
|
|
|
2022-05-09 14:28:34 -07:00
|
|
|
if (!(temp = cli_max_realloc(decoded, capacity + INFLATE_CHUNK_SIZE))) {
|
2016-03-29 12:52:08 -04:00
|
|
|
cli_errmsg("cli_pdf: cannot reallocate memory for decoded output\n");
|
|
|
|
|
rc = CL_EMEM;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
decoded = temp;
|
2019-12-20 07:53:50 -08:00
|
|
|
capacity += INFLATE_CHUNK_SIZE;
|
2016-03-29 12:52:08 -04:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
memcpy(decoded + declen, content + offset, srclen + 1);
|
2016-03-29 12:52:08 -04:00
|
|
|
offset += srclen + 1;
|
|
|
|
|
declen += srclen + 1;
|
|
|
|
|
} else if (srclen > 128) {
|
|
|
|
|
/* copy the next byte (257 - srclen) times */
|
|
|
|
|
if (offset + 1 > length) {
|
|
|
|
|
cli_dbgmsg("cli_pdf: required source length (%lu) exceeds remaining length (%lu)\n",
|
2018-12-03 12:40:13 -05:00
|
|
|
(long unsigned)(offset + srclen + 1), (long unsigned)(length - offset));
|
2016-03-29 12:52:08 -04:00
|
|
|
rc = CL_EFORMAT;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (declen + (257 - srclen) + 1 > capacity) {
|
2019-12-20 07:53:50 -08:00
|
|
|
if ((rc = cli_checklimits("pdf", pdf->ctx, capacity + INFLATE_CHUNK_SIZE, 0, 0)) != CL_SUCCESS) {
|
|
|
|
|
cli_dbgmsg("cli_pdf: required buffer size to inflate compressed filter exceeds maximum: %u\n", capacity + INFLATE_CHUNK_SIZE);
|
2016-03-30 17:39:45 -04:00
|
|
|
break;
|
2019-12-20 07:53:50 -08:00
|
|
|
}
|
2016-03-30 17:39:45 -04:00
|
|
|
|
2022-05-09 14:28:34 -07:00
|
|
|
if (!(temp = cli_max_realloc(decoded, capacity + INFLATE_CHUNK_SIZE))) {
|
2016-03-29 12:52:08 -04:00
|
|
|
cli_errmsg("cli_pdf: cannot reallocate memory for decoded output\n");
|
|
|
|
|
rc = CL_EMEM;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
decoded = temp;
|
2019-12-20 07:53:50 -08:00
|
|
|
capacity += INFLATE_CHUNK_SIZE;
|
2016-03-29 12:52:08 -04:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
memset(decoded + declen, content[offset], 257 - srclen);
|
2016-03-29 12:52:08 -04:00
|
|
|
offset++;
|
|
|
|
|
declen += 257 - srclen;
|
|
|
|
|
} else { /* srclen == 128 */
|
|
|
|
|
/* end of data */
|
2025-09-26 18:26:00 -04:00
|
|
|
cli_dbgmsg("cli_pdf: end-of-stream marker @ offset " STDu32 " (%zu bytes remaining)\n",
|
|
|
|
|
offset, token->length - offset);
|
2016-03-29 12:52:08 -04:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-12-20 07:53:50 -08:00
|
|
|
if (rc == CL_SUCCESS) {
|
2020-04-06 15:01:53 -07:00
|
|
|
if (declen == 0) {
|
|
|
|
|
cli_dbgmsg("cli_pdf: empty stream after inflation completed.\n");
|
|
|
|
|
rc = CL_BREAK;
|
2022-05-09 14:28:34 -07:00
|
|
|
} else if (!(temp = cli_max_realloc(decoded, declen))) {
|
2020-04-06 15:01:53 -07:00
|
|
|
/* Shrink output buffer to final the decoded data length to minimize RAM usage */
|
2019-12-20 07:53:50 -08:00
|
|
|
cli_errmsg("cli_pdf: cannot reallocate memory for decoded output\n");
|
|
|
|
|
rc = CL_EMEM;
|
2020-01-31 10:52:55 -08:00
|
|
|
} else {
|
|
|
|
|
decoded = temp;
|
2019-12-20 07:53:50 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-06 15:01:53 -07:00
|
|
|
if (rc == CL_SUCCESS || rc == CL_BREAK) {
|
2016-03-29 12:52:08 -04:00
|
|
|
free(token->content);
|
|
|
|
|
|
2025-09-26 18:26:00 -04:00
|
|
|
cli_dbgmsg("cli_pdf: decoded " STDu32 " bytes from %zu total bytes\n",
|
|
|
|
|
declen, token->length);
|
2016-03-29 12:52:08 -04:00
|
|
|
|
|
|
|
|
token->content = decoded;
|
2018-12-03 12:40:13 -05:00
|
|
|
token->length = declen;
|
2016-03-29 12:52:08 -04:00
|
|
|
} else {
|
2025-09-26 18:26:00 -04:00
|
|
|
cli_dbgmsg("cli_pdf: error occurred parsing byte " STDu32 " of %zu\n",
|
|
|
|
|
offset, token->length);
|
2016-03-29 12:52:08 -04:00
|
|
|
free(decoded);
|
|
|
|
|
}
|
|
|
|
|
return rc;
|
2016-03-28 11:53:40 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static uint8_t *decode_nextlinestart(uint8_t *content, uint32_t length)
|
|
|
|
|
{
|
|
|
|
|
uint8_t *pt = content;
|
|
|
|
|
uint32_t r;
|
|
|
|
|
int toggle = 0;
|
|
|
|
|
|
|
|
|
|
for (r = 0; r < length; r++, pt++) {
|
|
|
|
|
if (*pt == '\n' || *pt == '\r')
|
|
|
|
|
toggle = 1;
|
|
|
|
|
else if (toggle)
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return pt;
|
|
|
|
|
}
|
|
|
|
|
|
2018-08-14 14:00:31 -07:00
|
|
|
static cl_error_t filter_flatedecode(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdf_dict *params, struct pdf_token *token)
|
2016-03-28 11:53:40 -04:00
|
|
|
{
|
|
|
|
|
uint8_t *decoded, *temp;
|
|
|
|
|
uint32_t declen = 0, capacity = 0;
|
|
|
|
|
|
|
|
|
|
uint8_t *content = (uint8_t *)token->content;
|
2018-12-03 12:40:13 -05:00
|
|
|
uint32_t length = token->length;
|
2016-03-28 11:53:40 -04:00
|
|
|
z_stream stream;
|
2019-02-27 00:47:38 -05:00
|
|
|
int zstat, rc = CL_SUCCESS;
|
2016-03-28 11:53:40 -04:00
|
|
|
|
2016-03-30 16:39:37 -04:00
|
|
|
UNUSEDPARAM(params);
|
|
|
|
|
|
2016-03-28 11:53:40 -04:00
|
|
|
if (*content == '\r') {
|
|
|
|
|
content++;
|
|
|
|
|
length--;
|
2016-03-30 16:39:37 -04:00
|
|
|
pdfobj_flag(pdf, obj, BAD_STREAMSTART);
|
2016-03-28 11:53:40 -04:00
|
|
|
/* PDF spec says stream is followed by \r\n or \n, but not \r alone.
|
|
|
|
|
* Sample 0015315109, it has \r followed by zlib header.
|
|
|
|
|
* Flag pdf as suspicious, and attempt to extract by skipping the \r.
|
|
|
|
|
*/
|
|
|
|
|
if (!length)
|
2016-03-30 17:39:45 -04:00
|
|
|
return CL_SUCCESS;
|
2016-03-28 11:53:40 -04:00
|
|
|
}
|
|
|
|
|
|
2019-12-20 07:53:50 -08:00
|
|
|
capacity = INFLATE_CHUNK_SIZE;
|
|
|
|
|
|
2022-05-08 14:59:09 -07:00
|
|
|
if (!(decoded = (uint8_t *)malloc(capacity))) {
|
2016-03-28 11:53:40 -04:00
|
|
|
cli_errmsg("cli_pdf: cannot allocate memory for decoded output\n");
|
|
|
|
|
return CL_EMEM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
memset(&stream, 0, sizeof(stream));
|
2018-12-03 12:40:13 -05:00
|
|
|
stream.next_in = (Bytef *)content;
|
|
|
|
|
stream.avail_in = length;
|
|
|
|
|
stream.next_out = (Bytef *)decoded;
|
2019-12-20 07:53:50 -08:00
|
|
|
stream.avail_out = INFLATE_CHUNK_SIZE;
|
2016-03-28 11:53:40 -04:00
|
|
|
|
|
|
|
|
zstat = inflateInit(&stream);
|
2018-12-03 12:40:13 -05:00
|
|
|
if (zstat != Z_OK) {
|
2016-03-28 11:53:40 -04:00
|
|
|
cli_warnmsg("cli_pdf: inflateInit failed\n");
|
|
|
|
|
free(decoded);
|
|
|
|
|
return CL_EMEM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* initial inflate */
|
|
|
|
|
zstat = inflate(&stream, Z_NO_FLUSH);
|
|
|
|
|
/* check if nothing written whatsoever */
|
2019-12-20 07:53:50 -08:00
|
|
|
if ((zstat != Z_OK) && (stream.avail_out == INFLATE_CHUNK_SIZE)) {
|
2016-03-28 11:53:40 -04:00
|
|
|
/* skip till EOL, and try inflating from there, sometimes
|
|
|
|
|
* PDFs contain extra whitespace */
|
|
|
|
|
uint8_t *q = decode_nextlinestart(content, length);
|
|
|
|
|
if (q) {
|
|
|
|
|
(void)inflateEnd(&stream);
|
|
|
|
|
length -= q - content;
|
|
|
|
|
content = q;
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
stream.next_in = (Bytef *)content;
|
|
|
|
|
stream.avail_in = length;
|
|
|
|
|
stream.next_out = (Bytef *)decoded;
|
2016-03-28 11:53:40 -04:00
|
|
|
stream.avail_out = capacity;
|
|
|
|
|
|
|
|
|
|
zstat = inflateInit(&stream);
|
2018-12-03 12:40:13 -05:00
|
|
|
if (zstat != Z_OK) {
|
2016-03-28 11:53:40 -04:00
|
|
|
cli_warnmsg("cli_pdf: inflateInit failed\n");
|
|
|
|
|
free(decoded);
|
|
|
|
|
return CL_EMEM;
|
|
|
|
|
}
|
|
|
|
|
|
2016-03-30 16:39:37 -04:00
|
|
|
pdfobj_flag(pdf, obj, BAD_FLATESTART);
|
2016-03-28 11:53:40 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
zstat = inflate(&stream, Z_NO_FLUSH);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
while (zstat == Z_OK && stream.avail_in) {
|
2016-03-30 17:39:45 -04:00
|
|
|
/* extend output capacity if needed,*/
|
2018-12-03 12:40:13 -05:00
|
|
|
if (stream.avail_out == 0) {
|
2019-12-20 07:53:50 -08:00
|
|
|
if ((rc = cli_checklimits("pdf", pdf->ctx, capacity + INFLATE_CHUNK_SIZE, 0, 0)) != CL_SUCCESS) {
|
|
|
|
|
cli_dbgmsg("cli_pdf: required buffer size to inflate compressed filter exceeds maximum: %u\n", capacity + INFLATE_CHUNK_SIZE);
|
2016-03-30 17:39:45 -04:00
|
|
|
break;
|
2019-12-20 07:53:50 -08:00
|
|
|
}
|
2016-03-30 17:39:45 -04:00
|
|
|
|
2022-05-09 14:28:34 -07:00
|
|
|
if (!(temp = cli_max_realloc(decoded, capacity + INFLATE_CHUNK_SIZE))) {
|
2016-03-30 17:39:45 -04:00
|
|
|
cli_errmsg("cli_pdf: cannot reallocate memory for decoded output\n");
|
|
|
|
|
rc = CL_EMEM;
|
|
|
|
|
break;
|
2016-03-28 11:53:40 -04:00
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
decoded = temp;
|
|
|
|
|
stream.next_out = decoded + capacity;
|
2019-12-20 07:53:50 -08:00
|
|
|
stream.avail_out = INFLATE_CHUNK_SIZE;
|
|
|
|
|
declen += INFLATE_CHUNK_SIZE;
|
|
|
|
|
capacity += INFLATE_CHUNK_SIZE;
|
2016-03-28 11:53:40 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* continue inflation */
|
|
|
|
|
zstat = inflate(&stream, Z_NO_FLUSH);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* add stream end fragment to decoded length */
|
2019-12-20 07:53:50 -08:00
|
|
|
declen += (INFLATE_CHUNK_SIZE - stream.avail_out);
|
2016-03-28 11:53:40 -04:00
|
|
|
|
|
|
|
|
/* error handling */
|
2018-12-03 12:40:13 -05:00
|
|
|
switch (zstat) {
|
|
|
|
|
case Z_OK:
|
|
|
|
|
cli_dbgmsg("cli_pdf: Z_OK on stream inflation completion\n");
|
|
|
|
|
/* intentional fall-through */
|
|
|
|
|
case Z_STREAM_END:
|
2025-09-26 18:26:00 -04:00
|
|
|
cli_dbgmsg("cli_pdf: inflated " STDu32 " bytes from %zu total bytes (%u bytes remaining)\n",
|
|
|
|
|
declen, token->length, stream.avail_in);
|
2018-12-03 12:40:13 -05:00
|
|
|
break;
|
2016-03-28 11:53:40 -04:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
/* potentially fatal - *mostly* ignored as per older version */
|
|
|
|
|
case Z_STREAM_ERROR:
|
|
|
|
|
case Z_NEED_DICT:
|
|
|
|
|
case Z_DATA_ERROR:
|
|
|
|
|
case Z_MEM_ERROR:
|
|
|
|
|
default:
|
|
|
|
|
if (stream.msg)
|
2025-09-26 18:26:00 -04:00
|
|
|
cli_dbgmsg("cli_pdf: after writing " STDu32 " bytes, got error \"%s\" inflating PDF stream in %u %u obj\n",
|
|
|
|
|
declen, stream.msg, obj->id >> 8, obj->id & 0xff);
|
2018-12-03 12:40:13 -05:00
|
|
|
else
|
2025-09-26 18:26:00 -04:00
|
|
|
cli_dbgmsg("cli_pdf: after writing " STDu32 " bytes, got error %d inflating PDF stream in %u %u obj\n",
|
|
|
|
|
declen, zstat, obj->id >> 8, obj->id & 0xff);
|
2018-12-03 12:40:13 -05:00
|
|
|
|
|
|
|
|
if (declen == 0) {
|
|
|
|
|
pdfobj_flag(pdf, obj, BAD_FLATESTART);
|
|
|
|
|
cli_dbgmsg("cli_pdf: no bytes were inflated.\n");
|
|
|
|
|
|
|
|
|
|
rc = CL_EFORMAT;
|
|
|
|
|
} else {
|
|
|
|
|
pdfobj_flag(pdf, obj, BAD_FLATE);
|
|
|
|
|
}
|
|
|
|
|
break;
|
2016-03-28 11:53:40 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
(void)inflateEnd(&stream);
|
|
|
|
|
|
2019-12-20 07:53:50 -08:00
|
|
|
if (rc == CL_SUCCESS) {
|
2020-04-06 15:01:53 -07:00
|
|
|
if (declen == 0) {
|
|
|
|
|
cli_dbgmsg("cli_pdf: empty stream after inflation completed.\n");
|
|
|
|
|
rc = CL_BREAK;
|
2022-05-09 14:28:34 -07:00
|
|
|
} else if (!(temp = cli_max_realloc(decoded, declen))) {
|
2020-04-06 15:01:53 -07:00
|
|
|
/* Shrink output buffer to final the decoded data length to minimize RAM usage */
|
2019-12-20 07:53:50 -08:00
|
|
|
cli_errmsg("cli_pdf: cannot reallocate memory for decoded output\n");
|
|
|
|
|
rc = CL_EMEM;
|
2020-01-31 10:52:55 -08:00
|
|
|
} else {
|
|
|
|
|
decoded = temp;
|
2019-12-20 07:53:50 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-06 15:01:53 -07:00
|
|
|
if (rc == CL_SUCCESS || rc == CL_BREAK) {
|
2016-03-28 11:53:40 -04:00
|
|
|
free(token->content);
|
|
|
|
|
|
|
|
|
|
token->content = decoded;
|
2018-12-03 12:40:13 -05:00
|
|
|
token->length = declen;
|
2016-03-28 11:53:40 -04:00
|
|
|
} else {
|
2025-09-26 18:26:00 -04:00
|
|
|
cli_dbgmsg("cli_pdf: error occurred parsing byte %zu of %zu\n",
|
|
|
|
|
(size_t)length - stream.avail_in, token->length);
|
2016-03-28 11:53:40 -04:00
|
|
|
free(decoded);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
2018-08-14 14:00:31 -07:00
|
|
|
static cl_error_t filter_asciihexdecode(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdf_token *token)
|
2016-03-28 11:53:40 -04:00
|
|
|
{
|
|
|
|
|
uint8_t *decoded;
|
|
|
|
|
|
|
|
|
|
const uint8_t *content = (uint8_t *)token->content;
|
2025-06-30 10:47:02 -04:00
|
|
|
size_t length = token->length;
|
|
|
|
|
size_t i, j;
|
2018-08-14 14:00:31 -07:00
|
|
|
cl_error_t rc = CL_SUCCESS;
|
2016-03-28 11:53:40 -04:00
|
|
|
|
2022-05-09 14:28:34 -07:00
|
|
|
if (!(decoded = (uint8_t *)cli_max_calloc(length / 2 + 1, sizeof(uint8_t)))) {
|
2016-03-28 11:53:40 -04:00
|
|
|
cli_errmsg("cli_pdf: cannot allocate memory for decoded output\n");
|
|
|
|
|
return CL_EMEM;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
for (i = 0, j = 0; i + 1 < length; i++) {
|
2016-03-28 11:53:40 -04:00
|
|
|
if (content[i] == ' ')
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
if (content[i] == '>')
|
|
|
|
|
break;
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (cli_hex2str_to((const char *)content + i, (char *)decoded + j, 2) == -1) {
|
2016-03-28 11:53:40 -04:00
|
|
|
if (length - i < 4)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
rc = CL_EFORMAT;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
i++;
|
|
|
|
|
j++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (rc == CL_SUCCESS) {
|
|
|
|
|
free(token->content);
|
|
|
|
|
|
2025-06-30 10:47:02 -04:00
|
|
|
cli_dbgmsg("cli_pdf: deflated %zu bytes from %zu total bytes\n",
|
|
|
|
|
j, token->length);
|
2016-03-28 11:53:40 -04:00
|
|
|
|
|
|
|
|
token->content = decoded;
|
2018-12-03 12:40:13 -05:00
|
|
|
token->length = j;
|
2016-03-28 11:53:40 -04:00
|
|
|
} else {
|
2016-03-31 15:19:07 -04:00
|
|
|
if (!(obj->flags & ((1 << OBJ_IMAGE) | (1 << OBJ_TRUNCATED))))
|
|
|
|
|
pdfobj_flag(pdf, obj, BAD_ASCIIDECODE);
|
|
|
|
|
|
2025-06-30 10:47:02 -04:00
|
|
|
cli_dbgmsg("cli_pdf: error occurred parsing byte %zu of %zu\n",
|
|
|
|
|
i, token->length);
|
2016-03-28 11:53:40 -04:00
|
|
|
free(decoded);
|
|
|
|
|
}
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
2016-03-30 16:39:37 -04:00
|
|
|
|
|
|
|
|
/* modes: 0 = use default/DecodeParms, 1 = use document setting */
|
2018-08-14 14:00:31 -07:00
|
|
|
static cl_error_t filter_decrypt(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdf_dict *params, struct pdf_token *token, int mode)
|
2016-03-30 16:39:37 -04:00
|
|
|
{
|
|
|
|
|
char *decrypted;
|
2018-12-03 12:40:13 -05:00
|
|
|
size_t length = (size_t)token->length;
|
2016-03-30 16:39:37 -04:00
|
|
|
enum enc_method enc = ENC_IDENTITY;
|
|
|
|
|
|
|
|
|
|
if (mode)
|
|
|
|
|
enc = get_enc_method(pdf, obj);
|
|
|
|
|
else if (params) {
|
|
|
|
|
struct pdf_dict_node *node = params->nodes;
|
|
|
|
|
|
|
|
|
|
while (node) {
|
|
|
|
|
if (node->type == PDF_DICT_STRING) {
|
|
|
|
|
if (!strncmp(node->key, "/Type", 6)) { /* optional field - Type */
|
|
|
|
|
/* MUST be "CryptFilterDecodeParms" */
|
2016-04-13 18:46:50 -04:00
|
|
|
if (node->value)
|
|
|
|
|
cli_dbgmsg("cli_pdf: Type: %s\n", (char *)(node->value));
|
2016-03-30 16:39:37 -04:00
|
|
|
} else if (!strncmp(node->key, "/Name", 6)) { /* optional field - Name */
|
|
|
|
|
/* overrides document and default encryption method */
|
2016-04-13 18:46:50 -04:00
|
|
|
if (node->value)
|
|
|
|
|
cli_dbgmsg("cli_pdf: Name: %s\n", (char *)(node->value));
|
2016-03-31 12:29:16 -04:00
|
|
|
enc = parse_enc_method(pdf->CF, pdf->CF_n, (char *)(node->value), enc);
|
2016-03-30 16:39:37 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
node = node->next;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-07-26 16:36:44 -04:00
|
|
|
decrypted = decrypt_any(pdf, obj->id, (const char *)token->content, &length, enc);
|
2016-03-30 16:39:37 -04:00
|
|
|
if (!decrypted) {
|
|
|
|
|
cli_dbgmsg("cli_pdf: failed to decrypt stream\n");
|
2016-03-30 17:39:45 -04:00
|
|
|
return CL_EPARSE; /* TODO: what should this value be? CL_SUCCESS would mirror previous behavior */
|
2016-03-30 16:39:37 -04:00
|
|
|
}
|
|
|
|
|
|
2025-06-30 10:47:02 -04:00
|
|
|
cli_dbgmsg("cli_pdf: decrypted %zu bytes from %zu total bytes\n",
|
2017-08-16 17:31:45 -04:00
|
|
|
length, token->length);
|
2016-03-30 16:39:37 -04:00
|
|
|
|
|
|
|
|
free(token->content);
|
|
|
|
|
token->content = (uint8_t *)decrypted;
|
2025-06-30 10:47:02 -04:00
|
|
|
token->length = length;
|
2016-03-30 16:39:37 -04:00
|
|
|
return CL_SUCCESS;
|
|
|
|
|
}
|
2016-04-13 18:46:50 -04:00
|
|
|
|
2018-08-14 14:00:31 -07:00
|
|
|
static cl_error_t filter_lzwdecode(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdf_dict *params, struct pdf_token *token)
|
2016-04-13 18:46:50 -04:00
|
|
|
{
|
2025-08-27 14:22:35 -04:00
|
|
|
uint8_t *decoded = NULL;
|
|
|
|
|
uint8_t *temp = NULL;
|
2025-06-30 10:47:02 -04:00
|
|
|
size_t declen = 0, capacity = 0;
|
2016-04-13 18:46:50 -04:00
|
|
|
|
|
|
|
|
uint8_t *content = (uint8_t *)token->content;
|
2018-12-03 12:40:13 -05:00
|
|
|
uint32_t length = token->length;
|
2016-04-13 18:46:50 -04:00
|
|
|
lzw_stream stream;
|
2025-10-02 11:46:14 -04:00
|
|
|
bool stream_initialized = false;
|
2019-02-27 00:47:38 -05:00
|
|
|
int echg = 1, lzwstat, rc = CL_SUCCESS;
|
2016-04-13 18:46:50 -04:00
|
|
|
|
2025-06-30 10:47:02 -04:00
|
|
|
if (pdf->ctx && !(pdf->ctx->dconf->other & OTHER_CONF_LZW)) {
|
|
|
|
|
rc = CL_BREAK;
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
2016-04-14 15:17:02 -04:00
|
|
|
|
2016-04-13 18:46:50 -04:00
|
|
|
if (params) {
|
|
|
|
|
struct pdf_dict_node *node = params->nodes;
|
|
|
|
|
|
|
|
|
|
while (node) {
|
|
|
|
|
if (node->type == PDF_DICT_STRING) {
|
|
|
|
|
if (!strncmp(node->key, "/EarlyChange", 13)) { /* optional field - lzw flag */
|
|
|
|
|
char *end, *value = (char *)node->value;
|
|
|
|
|
long set;
|
|
|
|
|
|
|
|
|
|
if (value) {
|
|
|
|
|
cli_dbgmsg("cli_pdf: EarlyChange: %s\n", value);
|
|
|
|
|
set = strtol(value, &end, 10);
|
|
|
|
|
if (end != value)
|
|
|
|
|
echg = (int)set;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
node = node->next;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (*content == '\r') {
|
|
|
|
|
content++;
|
|
|
|
|
length--;
|
|
|
|
|
pdfobj_flag(pdf, obj, BAD_STREAMSTART);
|
|
|
|
|
/* PDF spec says stream is followed by \r\n or \n, but not \r alone.
|
|
|
|
|
* Sample 0015315109, it has \r followed by zlib header.
|
|
|
|
|
* Flag pdf as suspicious, and attempt to extract by skipping the \r.
|
|
|
|
|
*/
|
2025-06-30 10:47:02 -04:00
|
|
|
if (!length) {
|
|
|
|
|
rc = CL_SUCCESS;
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
2016-04-13 18:46:50 -04:00
|
|
|
}
|
|
|
|
|
|
2019-12-20 07:53:50 -08:00
|
|
|
capacity = INFLATE_CHUNK_SIZE;
|
|
|
|
|
|
2022-05-08 14:59:09 -07:00
|
|
|
if (!(decoded = (uint8_t *)malloc(capacity))) {
|
2016-04-13 18:46:50 -04:00
|
|
|
cli_errmsg("cli_pdf: cannot allocate memory for decoded output\n");
|
2025-06-30 10:47:02 -04:00
|
|
|
rc = CL_EMEM;
|
|
|
|
|
goto done;
|
2016-04-13 18:46:50 -04:00
|
|
|
}
|
2025-10-02 11:46:14 -04:00
|
|
|
stream_initialized = true;
|
2016-04-13 18:46:50 -04:00
|
|
|
|
|
|
|
|
memset(&stream, 0, sizeof(stream));
|
2018-12-03 12:40:13 -05:00
|
|
|
stream.next_in = content;
|
|
|
|
|
stream.avail_in = length;
|
|
|
|
|
stream.next_out = decoded;
|
2019-12-20 07:53:50 -08:00
|
|
|
stream.avail_out = INFLATE_CHUNK_SIZE;
|
2016-04-14 16:42:51 -04:00
|
|
|
if (echg)
|
|
|
|
|
stream.flags |= LZW_FLAG_EARLYCHG;
|
2016-04-13 18:46:50 -04:00
|
|
|
|
2016-04-14 16:42:51 -04:00
|
|
|
lzwstat = lzwInit(&stream);
|
2018-12-03 12:40:13 -05:00
|
|
|
if (lzwstat != Z_OK) {
|
2016-04-13 18:46:50 -04:00
|
|
|
cli_warnmsg("cli_pdf: lzwInit failed\n");
|
2025-06-30 10:47:02 -04:00
|
|
|
rc = CL_EMEM;
|
|
|
|
|
goto done;
|
2016-04-13 18:46:50 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* initial inflate */
|
|
|
|
|
lzwstat = lzwInflate(&stream);
|
|
|
|
|
/* check if nothing written whatsoever */
|
2019-12-20 07:53:50 -08:00
|
|
|
if ((lzwstat != Z_OK) && (stream.avail_out == INFLATE_CHUNK_SIZE)) {
|
2016-04-13 18:46:50 -04:00
|
|
|
/* skip till EOL, and try inflating from there, sometimes
|
|
|
|
|
* PDFs contain extra whitespace */
|
|
|
|
|
uint8_t *q = decode_nextlinestart(content, length);
|
|
|
|
|
if (q) {
|
|
|
|
|
(void)lzwInflateEnd(&stream);
|
|
|
|
|
length -= q - content;
|
|
|
|
|
content = q;
|
|
|
|
|
|
2025-09-26 18:26:00 -04:00
|
|
|
stream.next_in = content;
|
|
|
|
|
stream.avail_in = length;
|
|
|
|
|
stream.next_out = decoded;
|
|
|
|
|
stream.avail_out = INFLATE_CHUNK_SIZE;
|
2016-04-13 18:46:50 -04:00
|
|
|
|
2016-04-14 16:42:51 -04:00
|
|
|
lzwstat = lzwInit(&stream);
|
2018-12-03 12:40:13 -05:00
|
|
|
if (lzwstat != Z_OK) {
|
2016-04-13 18:46:50 -04:00
|
|
|
cli_warnmsg("cli_pdf: lzwInit failed\n");
|
2025-06-30 10:47:02 -04:00
|
|
|
rc = CL_EMEM;
|
|
|
|
|
goto done;
|
2016-04-13 18:46:50 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pdfobj_flag(pdf, obj, BAD_FLATESTART);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
lzwstat = lzwInflate(&stream);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
while (lzwstat == Z_OK && stream.avail_in) {
|
|
|
|
|
/* extend output capacity if needed,*/
|
2018-12-03 12:40:13 -05:00
|
|
|
if (stream.avail_out == 0) {
|
2019-12-20 07:53:50 -08:00
|
|
|
if ((rc = cli_checklimits("pdf", pdf->ctx, capacity + INFLATE_CHUNK_SIZE, 0, 0)) != CL_SUCCESS) {
|
2025-06-30 10:47:02 -04:00
|
|
|
cli_dbgmsg("cli_pdf: required buffer size to inflate compressed filter exceeds maximum: %zu\n", capacity + INFLATE_CHUNK_SIZE);
|
2016-04-13 18:46:50 -04:00
|
|
|
break;
|
2019-12-20 07:53:50 -08:00
|
|
|
}
|
2016-04-13 18:46:50 -04:00
|
|
|
|
2022-05-09 14:28:34 -07:00
|
|
|
if (!(temp = cli_max_realloc(decoded, capacity + INFLATE_CHUNK_SIZE))) {
|
2016-04-13 18:46:50 -04:00
|
|
|
cli_errmsg("cli_pdf: cannot reallocate memory for decoded output\n");
|
|
|
|
|
rc = CL_EMEM;
|
|
|
|
|
break;
|
|
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
decoded = temp;
|
|
|
|
|
stream.next_out = decoded + capacity;
|
2019-12-20 07:53:50 -08:00
|
|
|
stream.avail_out = INFLATE_CHUNK_SIZE;
|
2025-06-30 10:47:02 -04:00
|
|
|
if (declen > (SIZE_MAX - INFLATE_CHUNK_SIZE)) {
|
|
|
|
|
cli_dbgmsg("cli_pdf: lzwdecode: overflow detected\n");
|
|
|
|
|
rc = CL_EFORMAT;
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
2019-12-20 07:53:50 -08:00
|
|
|
declen += INFLATE_CHUNK_SIZE;
|
2025-06-30 10:47:02 -04:00
|
|
|
if (capacity > (SIZE_MAX - INFLATE_CHUNK_SIZE)) {
|
|
|
|
|
cli_dbgmsg("cli_pdf: lzwdecode: overflow detected\n");
|
|
|
|
|
rc = CL_EFORMAT;
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
2019-12-20 07:53:50 -08:00
|
|
|
capacity += INFLATE_CHUNK_SIZE;
|
2016-04-13 18:46:50 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* continue inflation */
|
|
|
|
|
lzwstat = lzwInflate(&stream);
|
|
|
|
|
}
|
|
|
|
|
|
2025-06-30 10:47:02 -04:00
|
|
|
if (declen > (UINT32_MAX - (INFLATE_CHUNK_SIZE - stream.avail_out))) {
|
|
|
|
|
cli_dbgmsg("cli_pdf: lzwdecode: overflow detected\n");
|
|
|
|
|
rc = CL_EFORMAT;
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
2016-04-13 18:46:50 -04:00
|
|
|
/* add stream end fragment to decoded length */
|
2019-12-20 07:53:50 -08:00
|
|
|
declen += (INFLATE_CHUNK_SIZE - stream.avail_out);
|
2016-04-13 18:46:50 -04:00
|
|
|
|
|
|
|
|
/* error handling */
|
2018-12-03 12:40:13 -05:00
|
|
|
switch (lzwstat) {
|
|
|
|
|
case LZW_OK:
|
|
|
|
|
cli_dbgmsg("cli_pdf: LZW_OK on stream inflation completion\n");
|
|
|
|
|
/* intentional fall-through */
|
|
|
|
|
case LZW_STREAM_END:
|
2025-09-26 18:26:00 -04:00
|
|
|
cli_dbgmsg("cli_pdf: inflated %zu bytes from %zu total bytes (%u bytes remaining)\n",
|
|
|
|
|
declen, token->length, stream.avail_in);
|
2018-12-03 12:40:13 -05:00
|
|
|
break;
|
2016-04-13 18:46:50 -04:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
/* potentially fatal - *mostly* ignored as per older version */
|
|
|
|
|
case LZW_STREAM_ERROR:
|
|
|
|
|
case LZW_DATA_ERROR:
|
|
|
|
|
case LZW_MEM_ERROR:
|
|
|
|
|
case LZW_BUF_ERROR:
|
|
|
|
|
case LZW_DICT_ERROR:
|
|
|
|
|
default:
|
|
|
|
|
if (stream.msg)
|
2025-09-26 18:26:00 -04:00
|
|
|
cli_dbgmsg("cli_pdf: after writing %zu bytes, got error \"%s\" inflating PDF stream in %u %u obj\n",
|
|
|
|
|
declen, stream.msg, obj->id >> 8, obj->id & 0xff);
|
2018-12-03 12:40:13 -05:00
|
|
|
else
|
2025-09-26 18:26:00 -04:00
|
|
|
cli_dbgmsg("cli_pdf: after writing %zu bytes, got error %d inflating PDF stream in %u %u obj\n",
|
|
|
|
|
declen, lzwstat, obj->id >> 8, obj->id & 0xff);
|
2018-12-03 12:40:13 -05:00
|
|
|
|
|
|
|
|
if (declen == 0) {
|
|
|
|
|
pdfobj_flag(pdf, obj, BAD_FLATESTART);
|
|
|
|
|
cli_dbgmsg("cli_pdf: no bytes were inflated.\n");
|
|
|
|
|
|
|
|
|
|
rc = CL_EFORMAT;
|
|
|
|
|
} else {
|
|
|
|
|
pdfobj_flag(pdf, obj, BAD_FLATE);
|
|
|
|
|
}
|
|
|
|
|
break;
|
2016-04-13 18:46:50 -04:00
|
|
|
}
|
|
|
|
|
|
2025-06-30 10:47:02 -04:00
|
|
|
done:
|
2025-10-02 11:46:14 -04:00
|
|
|
if (stream_initialized) {
|
|
|
|
|
(void)lzwInflateEnd(&stream);
|
|
|
|
|
}
|
|
|
|
|
|
2019-12-20 07:53:50 -08:00
|
|
|
if (rc == CL_SUCCESS) {
|
2020-04-06 15:01:53 -07:00
|
|
|
if (declen == 0) {
|
|
|
|
|
cli_dbgmsg("cli_pdf: empty stream after inflation completed.\n");
|
|
|
|
|
rc = CL_BREAK;
|
2022-05-09 14:28:34 -07:00
|
|
|
} else if (!(temp = cli_max_realloc(decoded, declen))) {
|
2020-04-06 15:01:53 -07:00
|
|
|
/* Shrink output buffer to final the decoded data length to minimize RAM usage */
|
2019-12-20 07:53:50 -08:00
|
|
|
cli_errmsg("cli_pdf: cannot reallocate memory for decoded output\n");
|
|
|
|
|
rc = CL_EMEM;
|
2020-01-31 10:52:55 -08:00
|
|
|
} else {
|
|
|
|
|
decoded = temp;
|
2019-12-20 07:53:50 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2025-08-27 14:22:35 -04:00
|
|
|
if ((rc == CL_SUCCESS || rc == CL_BREAK) && (NULL != decoded)) {
|
2016-04-13 18:46:50 -04:00
|
|
|
free(token->content);
|
|
|
|
|
|
|
|
|
|
token->content = decoded;
|
2018-12-03 12:40:13 -05:00
|
|
|
token->length = declen;
|
2016-04-13 18:46:50 -04:00
|
|
|
} else {
|
2025-09-26 18:26:00 -04:00
|
|
|
cli_dbgmsg("cli_pdf: error occurred parsing byte decoding lzw filter\n");
|
|
|
|
|
if (NULL != decoded) {
|
|
|
|
|
free(decoded);
|
|
|
|
|
}
|
2016-04-13 18:46:50 -04:00
|
|
|
}
|
|
|
|
|
|
2016-05-26 15:25:54 -04:00
|
|
|
/*
|
|
|
|
|
heuristic checks:
|
|
|
|
|
- full dictionary heuristics?
|
|
|
|
|
- invalid code points?
|
|
|
|
|
*/
|
2016-04-14 16:42:51 -04:00
|
|
|
|
2016-04-13 18:46:50 -04:00
|
|
|
return rc;
|
|
|
|
|
}
|
