From 1c452dd5abd49c36c2e32724061576bcfae58cf0 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Aug 03 2017 08:08:27 +0000
Subject: 1454820 - CVE-2017-9209
---
diff --git a/qpdf-6.0.0-CVE-2017-9209.patch b/qpdf-6.0.0-CVE-2017-9209.patch
new file mode 100644
index 0000000..6af336f
--- /dev/null
+++ b/qpdf-6.0.0-CVE-2017-9209.patch
@@ -0,0 +1,37 @@
+diff -up qpdf-6.0.0/include/qpdf/QPDF.hh.CVE-2017-9209 qpdf-6.0.0/include/qpdf/QPDF.hh
+--- qpdf-6.0.0/include/qpdf/QPDF.hh.CVE-2017-9209 2017-08-03 10:00:17.489291722 +0200
++++ qpdf-6.0.0/include/qpdf/QPDF.hh 2017-08-03 10:00:17.494291685 +0200
+@@ -1095,6 +1095,7 @@ class QPDF
+ // copied_stream_data_provider is owned by copied_streams
+ CopiedStreamDataProvider* copied_stream_data_provider;
+ std::set attachment_streams;
++ bool reconstructed_xref;
+
+ // Linearization data
+ qpdf_offset_t first_xref_item_offset; // actual value from file
+diff -up qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9209 qpdf-6.0.0/libqpdf/QPDF.cc
+--- qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9209 2017-08-03 10:00:17.491291707 +0200
++++ qpdf-6.0.0/libqpdf/QPDF.cc 2017-08-03 10:01:43.243661883 +0200
+@@ -93,6 +93,7 @@ QPDF::QPDF() :
+ cached_key_generation(0),
+ pushed_inherited_attributes_to_pages(false),
+ copied_stream_data_provider(0),
++ reconstructed_xref(false),
+ first_xref_item_offset(0),
+ uncompressed_after_compressed(false)
+ {
+@@ -331,6 +332,14 @@ QPDF::setTrailer(QPDFObjectHandle obj)
+ void
+ QPDF::reconstruct_xref(QPDFExc& e)
+ {
++ if (this->reconstructed_xref)
++ {
++ // Avoid xref reconstruction infinite loops
++ throw e;
++ }
++
++ this->reconstructed_xref = true;
++
+ PCRE obj_re("^\\s*(\\d+)\\s+(\\d+)\\s+obj\\b");
+ PCRE endobj_re("^\\s*endobj\\b");
+ PCRE trailer_re("^\\s*trailer\\b");
diff --git a/qpdf.spec b/qpdf.spec
index 3b075c6..3ab8a21 100644
--- a/qpdf.spec
+++ b/qpdf.spec
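Review bot: In the QPDF.cc part of the added patch, `reconstructed_xref` is set in `reconstruct_xref()` before the rebuild runs and is not cleared in any visible hunk, so the guard appears to be one-shot for the lifetime of the QPDF object and every later reconstruction request rethrows `e`. That is a reasonable way to stop the CVE-2017-9209 loop, but the new member in QPDF.hh is undocumented; I would add `// true once xref reconstruction has been attempted; a second attempt rethrows the triggering error` above `bool reconstructed_xref;`. The patch file also starts directly at `diff -up` with no header, so a line such as `# Backport for CVE-2017-9209, upstream commit <UPSTREAM_COMMIT_ID>` (placeholder) would let an auditor compare it against upstream. `reconstruct_xref()` continues past the end of the inner hunk, so whether the flag is reset later cannot be confirmed from here.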
@@ -10,6 +10,7 @@ Source0: http://downloads.sourceforge.net/sourceforge/qpdf/qpdf-%{version}.tar.g Patch0: qpdf-doc.patch Patch1: qpdf-6.0.0-detect-recursions.patch Patch2: qpdf-6.0.0-CVE-2017-9208.patch +Patch3: qpdf-6.0.0-CVE-2017-9209.patch BuildRequires: zlib-devel BuildRequires: pcre-devel @@ -67,6 +68,7 @@ QPDF Manual %patch0 -p1 -b .doc %patch1 -p1 -b .detect-recursions %patch2 -p1 -b .CVE-2017-9208 +%patch3 -p1 -b .CVE-2017-9209 sed -i -e '1s,^#!/usr/bin/env perl,#!/usr/bin/perl,' qpdf/fix-qdf @@ -115,6 +117,7 @@ make check * Thu Aug 03 2017 Zdenek Dohnal - 6.0.0-4 - 1477213 - Detect recursions loop resolving objects - 1454820 - CVE-2017-9208 +- 1454820 - CVE-2017-9209 * Wed Aug 03 2016 Jiri Popelka - 6.0.0-3 - %%{_defaultdocdir}/qpdf/ -> %%{_pkgdocdir}