Bug#1054119: data loss patch for qpdf targeted at stable (11.3.0)

To: submit@bugs.debian.org
Subject: Bug#1054119: data loss patch for qpdf targeted at stable (11.3.0)
From: "Jay Berkenbilt" <ejb@ql.org>
Date: Tue, 17 Oct 2023 07:32:06 -0400
Message-id: <[🔎] a0cb6bd5-95df-4a1e-85c4-6a9ce59a6e6e@app.fastmail.com>
Reply-to: "Jay Berkenbilt" <ejb@ql.org>, 1054119@bugs.debian.org

Package: release.debian.org
X-Debbugs-CC: qjb@debian.org

The attached patch to qpdf 11.3.0 fixes a bug that could potentially
result in loss of data. I'd like permission from the release team to
upload this to stable. I've been a debian developer since 2005, but
it's been years since I've last prepared a release to the stable
distribution. As far as I can tell, the current procedure is to upload
with the target distribution as "stable" and upload to ftp-master.
This will direct the package the proposed-updates queue. Is this
correct?

The nature of the bug is that, if a quoted octal character with one or
two digits instead of three digits appears in the file, the following
character will be dropped from the string. This bug snuck in in a pull
request I accepted that performed significant performance optimization
on the tokenizer. Because it only affects strings in metadata when
qpdf is used in its default configuration, and because such quoted
characters of this type don't appear very often, it's somewhat of a
corner case, but I think the bug is critical to fix because there is a
chance that it could silently damage files in ways that would be hard
to detect.

Please let me know if I should proceed with an update to stable.

--Jay Berkenbilt (a.k.a. qjb@debian.org)

--- libqpdf/QPDFTokenizer.cc.orig	2023-10-17 07:19:31.829119946 -0400
+++ libqpdf/QPDFTokenizer.cc	2023-10-17 07:20:55.689510562 -0400
@@ -739,17 +739,22 @@
 void
 QPDFTokenizer::inCharCode(char ch)
 {
+    bool handled = false;
     if (('0' <= ch) && (ch <= '7')) {
         this->char_code = 8 * this->char_code + (int(ch) - int('0'));
         if (++(this->digit_count) < 3) {
             return;
         }
-        // We've accumulated \ddd.  PDF Spec says to ignore
-        // high-order overflow.
+        handled = true;
     }
+    // We've accumulated \ddd or we have \d or \dd followed by other
+    // than an octal digit. The PDF Spec says to ignore high-order
+    // overflow.
     this->val += char(this->char_code % 256);
     this->state = st_in_string;
-    return;
+    if (!handled) {
+        inString(ch);
+    }
 }
 
 void

Reply to:

Follow-Ups:
- Bug#1054119: data loss patch for qpdf targeted at stable (11.3.0)
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#1054119: data loss patch for qpdf targeted at stable (11.3.0)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Processed: bookworm-pu: package iotop-c/1.23-1+deb12u1
Next by Date: Bug#1020303: Ping
Previous by thread: Processed: bookworm-pu: package iotop-c/1.23-1+deb12u1
Next by thread: Bug#1054119: data loss patch for qpdf targeted at stable (11.3.0)
Index(es):
- Date
- Thread