Coverage Report

Created: 2026-02-14 07:09

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/ghostpdl/pdf/pdf_loop_detect.c
Line
Count
Source
1
/* Copyright (C) 2018-2026 Artifex Software, Inc.
2
   All Rights Reserved.
3
4
   This software is provided AS-IS with no warranty, either express or
5
   implied.
6
7
   This software is distributed under license and may not be copied,
8
   modified or distributed except as expressly authorized under the terms
9
   of the license contained in the file LICENSE in this distribution.
10
11
   Refer to licensing information at http://www.artifex.com or contact
12
   Artifex Software, Inc.,  39 Mesa Street, Suite 108A, San Francisco,
13
   CA 94129, USA, for further information.
14
*/
15
16
/* code for handling circular references */
17
18
#include "pdf_int.h"
19
#include "pdf_loop_detect.h"
20
21
static int pdfi_init_loop_detector(pdf_context *ctx)
22
7.69M
{
23
7.69M
    if (ctx->loop_detection) {
24
0
        dbgmprintf(ctx->memory, "Attempt to initialise loop detector while one is in operation\n");
25
0
        return_error(gs_error_unknownerror);
26
0
    }
27
28
7.69M
    ctx->loop_detection = (uint64_t *)gs_alloc_bytes(ctx->memory, INITIAL_LOOP_TRACKER_SIZE * sizeof (uint64_t), "allocate loop tracking array");
29
7.69M
    if (ctx->loop_detection == NULL)
30
0
        return_error(gs_error_VMerror);
31
32
7.69M
    ctx->loop_detection_entries = 0;
33
7.69M
    ctx->loop_detection_size = INITIAL_LOOP_TRACKER_SIZE;
34
7.69M
    return 0;
35
7.69M
}
36
37
static int pdfi_free_loop_detector(pdf_context *ctx)
38
7.69M
{
39
7.69M
    if (ctx->loop_detection == NULL) {
40
0
        dbgmprintf(ctx->memory, "Attempt to free loop detector without initialising it\n");
41
0
        return 0;
42
0
    }
43
7.69M
    if (ctx->loop_detection != NULL)
44
7.69M
        gs_free_object(ctx->memory, ctx->loop_detection, "Free array for loop tracking");
45
7.69M
    ctx->loop_detection_entries = 0;
46
7.69M
    ctx->loop_detection_size = 0;
47
7.69M
    ctx->loop_detection = NULL;
48
49
7.69M
    return 0;
50
7.69M
}
51
52
static int pdfi_loop_detector_add_object_unchecked(pdf_context *ctx, uint64_t object)
53
23.5M
{
54
23.5M
    if (ctx->loop_detection == NULL) {
55
0
        dbgmprintf(ctx->memory, "Attempt to use loop detector without initialising it\n");
56
0
        return 0;
57
0
    }
58
59
23.5M
    if (ctx->loop_detection_entries == ctx->loop_detection_size) {
60
23
        uint64_t *New;
61
62
23
        New = (uint64_t *)gs_alloc_bytes(ctx->memory, (size_t)(ctx->loop_detection_size + INITIAL_LOOP_TRACKER_SIZE) * (size_t)sizeof (uint64_t), "re-allocate loop tracking array");
63
23
        if (New == NULL) {
64
0
            return_error(gs_error_VMerror);
65
0
        }
66
23
        memcpy(New, ctx->loop_detection, ctx->loop_detection_entries * sizeof(uint64_t));
67
23
        gs_free_object(ctx->memory, ctx->loop_detection, "Free array for loop tracking");
68
23
        ctx->loop_detection_size += INITIAL_LOOP_TRACKER_SIZE;
69
23
        ctx->loop_detection = New;
70
23
    }
71
23.5M
    ctx->loop_detection[ctx->loop_detection_entries++] = object;
72
73
    /* 1000 is an arbitrary limit, it is intended to ensure we don't process files where objects are nested so deeply
74
     * that processing them leads to a C exec stack overflow. This allows objects to be nested 500 deep, with a mark
75
     * (to clear the object) for each one which really ought to be more than adequate.
76
     */
77
23.5M
    if (ctx->loop_detection_entries > 1000) {
78
0
        return_error(gs_error_Fatal);
79
0
    }
80
23.5M
    return 0;
81
23.5M
}
82
83
int pdfi_loop_detector_add_object(pdf_context *ctx, uint64_t object)
84
8.49M
{
85
8.49M
    if (object == 0) {
86
0
        dbgmprintf(ctx->memory, "Attempt to add an object number of 0 to the loop detection\n");
87
0
        return 0;
88
0
    }
89
8.49M
    return pdfi_loop_detector_add_object_unchecked(ctx, object);
90
8.49M
}
91
92
bool pdfi_loop_detector_check_object(pdf_context *ctx, uint64_t object)
93
6.14M
{
94
6.14M
    int i = 0;
95
96
6.14M
    if (ctx->loop_detection == NULL) {
97
6
        dbgmprintf(ctx->memory, "Attempt to use loop detector without initialising it\n");
98
6
        return 0;
99
6
    }
100
101
16.3M
    for (i=0;i < ctx->loop_detection_entries;i++) {
102
10.1M
        if (ctx->loop_detection[i] == object) {
103
13.3k
            char info_string[256];
104
13.3k
            gs_snprintf(info_string, sizeof(info_string), "Error! circular reference to object %"PRIu64" detected.\n", object);
105
13.3k
            pdfi_set_error(ctx, 0, NULL, E_PDF_CIRCULARREF, "pdfi_loop_detector_check_object", info_string);
106
13.3k
            return true;
107
13.3k
        }
108
10.1M
    }
109
6.13M
    return false;
110
6.14M
}
111
112
int pdfi_loop_detector_mark(pdf_context *ctx)
113
15.0M
{
114
15.0M
    int code = 0;
115
116
15.0M
    if (ctx->loop_detection == NULL) {
117
7.69M
        code = pdfi_init_loop_detector(ctx);
118
7.69M
        if (code < 0)
119
0
            return code;
120
7.69M
    }
121
122
15.0M
    return pdfi_loop_detector_add_object_unchecked(ctx, 0);
123
15.0M
}
124
125
int pdfi_loop_detector_cleartomark(pdf_context *ctx)
126
15.0M
{
127
15.0M
    if (ctx->loop_detection == NULL) {
128
0
        dbgmprintf(ctx->memory, "Attempt to use loop detector without initialising it\n");
129
0
        return 0;
130
0
    }
131
132
23.5M
    while (ctx->loop_detection[--ctx->loop_detection_entries] != 0) {
133
8.49M
        ctx->loop_detection[ctx->loop_detection_entries] = 0;
134
8.49M
    }
135
    /* FIXME - potential optimisation
136
     * Instead of freeing the loop detection array every tiome we are done with it
137
     * and then reallocating a new one next time we need one, we could just keep
138
     * the existing (empty) array. I suspect this would provide a small performance
139
     * improvement.
140
     */
141
15.0M
    if (ctx->loop_detection_entries == 0)
142
7.69M
        pdfi_free_loop_detector(ctx);
143
15.0M
    return 0;
144
15.0M
}