diff -up qpdf-5.1.1/libqpdf/QPDFObjectHandle.cc.CVE-2018-9918 qpdf-5.1.1/libqpdf/QPDFObjectHandle.cc
--- qpdf-5.1.1/libqpdf/QPDFObjectHandle.cc.CVE-2018-9918	2018-04-20 12:04:10.432591622 +0200
+++ qpdf-5.1.1/libqpdf/QPDFObjectHandle.cc	2018-04-20 12:09:38.592943270 +0200
@@ -930,12 +930,25 @@ QPDFObjectHandle::parseInternal(PointerH
 
 	  case QPDFTokenizer::tt_array_open:
 	  case QPDFTokenizer::tt_dict_open:
-            olist_stack.push_back(std::vector<QPDFObjectHandle>());
-            state = st_start;
-            offset_stack.push_back(input->tell());
-            state_stack.push_back(
-                (token.getType() == QPDFTokenizer::tt_array_open) ?
-                st_array : st_dictionary);
+            if (olist_stack.size() > 500)
+            {
+		QTC::TC("qpdf", "QPDFObjectHandle too deep");
+                throw QPDFExc(qpdf_e_damaged_pdf, input->getName(),
+                             object_description,
+                             input->getLastOffset(),
+                             "ignoring excessively deeply nested data structure");
+                object = newNull();
+                state = st_top;
+            }
+            else
+            {
+                olist_stack.push_back(std::vector<QPDFObjectHandle>());
+                state = st_start;
+                offset_stack.push_back(input->tell());
+                state_stack.push_back(
+                    (token.getType() == QPDFTokenizer::tt_array_open) ?
+                    st_array : st_dictionary);
+            }
 	    break;
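Review bot: The two statements that follow the throw, `object = newNull();` and `state = st_top;`, are unreachable because `throw QPDFExc(...)` leaves parseInternal before they execute, so either drop them or, if the intent is to recover in place as the message "ignoring excessively deeply nested data structure" suggests, report the condition without throwing and let those assignments run; as written the message says "ignoring" while the code aborts the parse, and the expected output in issue-202.out (warning followed by "file is damaged" and trailer reconstruction) looks consistent with the abort rather than the recovery, so whichever is intended should be stated in a comment. The `QTC::TC(...)` line is tab-indented while the surrounding added lines use spaces; match the block's indentation. The bare `500` deserves a short comment such as `// bound on array/dict nesting depth; deeper input is treated as damaged` or a named constant so the limit is not a magic number. The enclosing `parseInternal` begins and ends outside this hunk.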
 
 	  case QPDFTokenizer::tt_bool:
diff -up qpdf-5.1.1/qpdf/qtest/qpdf/issue-202.out.CVE-2018-9918 qpdf-5.1.1/qpdf/qtest/qpdf/issue-202.out
--- qpdf-5.1.1/qpdf/qtest/qpdf/issue-202.out.CVE-2018-9918	2018-04-20 12:04:10.434591605 +0200
+++ qpdf-5.1.1/qpdf/qtest/qpdf/issue-202.out	2018-04-20 12:04:10.434591605 +0200
@@ -0,0 +1,5 @@
+WARNING: issue-202.pdf (trailer, offset 55770): ignoring excessively deeply nested data structure
+WARNING: issue-202.pdf: file is damaged
+WARNING: issue-202.pdf (offset 54769): expected trailer dictionary
+WARNING: issue-202.pdf: Attempting to reconstruct cross-reference table
+issue-202.pdf: unable to find trailer dictionary while recovering damaged file