Merge pull request #14350 from Snuffleupagus/ccitt-infinite-loop

Prevent an infinite loop when parsing corrupt /CCITTFaxDecode data (issue 14305)

Author: timvandermeij

src/core/ccitt.js

@@ -19,7 +19,7 @@
  * license.
  */
 
-import { info } from "../shared/util.js";
+import { FormatError, info } from "../shared/util.js";
 
 /**
  * @typedef {Object} CCITTFaxDecoderSource
@@ -811,6 +811,12 @@ class CCITTFaxDecoder {
       bits = 8;
       c = 0;
       do {
+        if (typeof this.outputBits !== "number") {
+          throw new FormatError(
+            'Invalid /CCITTFaxDecode data, "outputBits" must be a number.'
+          );
+        }
+
         if (this.outputBits > bits) {
           c <<= bits;
           if (!(this.codingPos & 1)) {

test/pdfs/.gitignore

@@ -499,3 +499,4 @@
 !poppler-742-0-fuzzed.pdf
 !poppler-937-0-fuzzed.pdf
 !PDFBOX-3148-2-fuzzed.pdf
+!poppler-90-0-fuzzed.pdf

test/pdfs/poppler-90-0-fuzzed.pdf

@@ -2263,6 +2263,26 @@ sozialökonomische Gerechtigkeit.`)
       await loadingTask.destroy();
     });
 
+    it("gets operatorList, with page resources containing corrupt /CCITTFaxDecode data", async function () {
+      const loadingTask = getDocument(
+        buildGetDocumentParams("poppler-90-0-fuzzed.pdf")
+      );
+      expect(loadingTask instanceof PDFDocumentLoadingTask).toEqual(true);
+
+      const pdfDoc = await loadingTask.promise;
+      expect(pdfDoc.numPages).toEqual(16);
+
+      const pdfPage = await pdfDoc.getPage(6);
+      expect(pdfPage instanceof PDFPageProxy).toEqual(true);
+
+      const opList = await pdfPage.getOperatorList();
+      expect(opList.fnArray.length).toBeGreaterThan(25);
+      expect(opList.argsArray.length).toBeGreaterThan(25);
+      expect(opList.lastChunk).toEqual(true);
+
+      await loadingTask.destroy();
+    });
+
     it("gets document stats after parsing page", async function () {
       await page.getOperatorList();
       const stats = pdfDocument.stats;