Validate even more dictionary properties

This checks primarily Arrays, but also some other properties, that we'll end up sending (sometimes indirectly) to the main-thread.
2025-04-26 10:08:06 +02:00 · 2024-04-29 23:07:41 +02:00 · 2024-04-29 23:07:41 +02:00 · 52f7ff155d
commit 52f7ff155d
parent 1b811ac113
8 changed files with 125 additions and 64 deletions
--- a/src/core/annotation.js
+++ b/src/core/annotation.js
@ -43,6 +43,7 @@ import {
  getInheritableProperty,
  getRotationMatrix,
  isAscii,
+  isNumberArray,
  numberToString,
  stringToUTF16String,
 } from "./core_utils.js";
@ -550,7 +551,7 @@ function getQuadPoints(dict, rect) {
  // Each quadrilateral must consist of eight coordinates.
  const quadPoints = dict.getArray("QuadPoints");
  if (
-    !Array.isArray(quadPoints) ||
+    !isNumberArray(quadPoints, null) ||
    quadPoints.length === 0 ||
    quadPoints.length % 8 > 0
  ) {
@ -914,10 +915,9 @@ class Annotation {
   * @param {Array} rectangle - The rectangle array with exactly four entries
   */
  setRectangle(rectangle) {
-    this.rectangle =
-      Array.isArray(rectangle) && rectangle.length === 4
-        ? Util.normalizeRect(rectangle)
-        : [0, 0, 0, 0];
+    this.rectangle = isNumberArray(rectangle, 4)
+      ? Util.normalizeRect(rectangle)
+      : [0, 0, 0, 0];
  }

  /**
@ -1150,8 +1150,14 @@ class Annotation {
      ["ExtGState", "ColorSpace", "Pattern", "Shading", "XObject", "Font"],
      appearance
    );
-    const bbox = appearanceDict.getArray("BBox") || [0, 0, 1, 1];
-    const matrix = appearanceDict.getArray("Matrix") || [1, 0, 0, 1, 0, 0];
+    let bbox = appearanceDict.getArray("BBox");
+    if (!isNumberArray(bbox, 4)) {
+      bbox = [0, 0, 1, 1];
+    }
+    let matrix = appearanceDict.getArray("Matrix");
+    if (!isNumberArray(matrix, 6)) {
+      matrix = [1, 0, 0, 1, 0, 0];
+    }
    const transform = getTransformMatrix(rect, bbox, matrix);

    const opList = new OperatorList();
@ -1248,10 +1254,19 @@ class Annotation {

    if (text.length > 1 || text[0]) {
      const appearanceDict = this.appearance.dict;
+      let bbox = appearanceDict.getArray("BBox");
+      if (!isNumberArray(bbox, 4)) {
+        bbox = null;
+      }
+      let matrix = appearanceDict.getArray("Matrix");
+      if (!isNumberArray(matrix, 6)) {
+        matrix = null;
+      }
+
      this.data.textPosition = this._transformPoint(
        firstPosition,
-        appearanceDict.getArray("BBox"),
-        appearanceDict.getArray("Matrix")
+        bbox,
+        matrix
      );
      this.data.textContent = text;
    }
@ -1401,7 +1416,7 @@ class AnnotationBorderStyle {
  setWidth(width, rect = [0, 0, 0, 0]) {
    if (typeof PDFJSDev === "undefined" || PDFJSDev.test("TESTING")) {
      assert(
-        Array.isArray(rect) && rect.length === 4,
+        isNumberArray(rect, 4),
        "A valid `rect` parameter must be provided."
      );
    }
@ -2972,7 +2987,8 @@ class ButtonWidgetAnnotation extends WidgetAnnotation {
      : this.uncheckedAppearance;
    if (appearance) {
      const savedAppearance = this.appearance;
-      const savedMatrix = appearance.dict.getArray("Matrix") || IDENTITY_MATRIX;
+      const matrix = appearance.dict.getArray("Matrix");
+      const savedMatrix = isNumberArray(matrix, 6) ? matrix : IDENTITY_MATRIX;

      if (rotation) {
        appearance.dict.set(
@ -3739,10 +3755,9 @@ class PopupAnnotation extends Annotation {
    }

    const parentRect = parentItem.getArray("Rect");
-    this.data.parentRect =
-      Array.isArray(parentRect) && parentRect.length === 4
-        ? Util.normalizeRect(parentRect)
-        : null;
+    this.data.parentRect = isNumberArray(parentRect, 4)
+      ? Util.normalizeRect(parentRect)
+      : null;

    const rt = parentItem.get("RT");
    if (isName(rt, AnnotationReplyType.GROUP)) {
@ -4030,7 +4045,10 @@ class LineAnnotation extends MarkupAnnotation {
    this.data.hasOwnCanvas = this.data.noRotate;
    this.data.noHTML = false;

-    const lineCoordinates = dict.getArray("L");
+    let lineCoordinates = dict.getArray("L");
+    if (!isNumberArray(lineCoordinates, 4)) {
+      lineCoordinates = [0, 0, 0, 0];
+    }
    this.data.lineCoordinates = Util.normalizeRect(lineCoordinates);

    if (typeof PDFJSDev === "undefined" || !PDFJSDev.test("MOZCENTRAL")) {
@ -4225,7 +4243,7 @@ class PolylineAnnotation extends MarkupAnnotation {
    // horizontal and vertical coordinates, respectively, of each vertex.
    // Convert this to an array of objects with x and y coordinates.
    const rawVertices = dict.getArray("Vertices");
-    if (!Array.isArray(rawVertices)) {
+    if (!isNumberArray(rawVertices, null)) {
      return;
    }
    for (let i = 0, ii = rawVertices.length; i < ii; i += 2) {
@ -4314,11 +4332,15 @@ class InkAnnotation extends MarkupAnnotation {
      // of each vertex. Convert this to an array of objects with x and y
      // coordinates.
      this.data.inkLists.push([]);
+      if (!Array.isArray(rawInkLists[i])) {
+        continue;
+      }
      for (let j = 0, jj = rawInkLists[i].length; j < jj; j += 2) {
-        this.data.inkLists[i].push({
-          x: xref.fetchIfRef(rawInkLists[i][j]),
-          y: xref.fetchIfRef(rawInkLists[i][j + 1]),
-        });
+        const x = xref.fetchIfRef(rawInkLists[i][j]),
+          y = xref.fetchIfRef(rawInkLists[i][j + 1]);
+        if (typeof x === "number" && typeof y === "number") {
+          this.data.inkLists[i].push({ x, y });
+        }
      }
    }