Bound XMP stream decoding before XML parsing

Author: PrzemyslawKlys

OfficeIMO.Pdf/Reading/Core/PdfReadDocument.XmpMetadata.cs

@@ -25,15 +25,16 @@ public sealed partial class PdfReadDocument {
             return null;
         }
 
-        byte[] decoded = StreamDecoder.Decode(stream.Dictionary, stream.Data, _objects);
-        string? rawXml = decoded.Length <= MaxXmpMetadataBytes ? DecodeMetadataText(decoded) : null;
+        bool decodedWithinLimit = StreamDecoder.TryDecode(stream.Dictionary, stream.Data, MaxXmpMetadataBytes, out byte[] decoded, _objects);
+        string? rawXml = decodedWithinLimit ? DecodeMetadataText(decoded) : null;
+        int decodedSizeBytes = decodedWithinLimit ? decoded.Length : MaxXmpMetadataBytes + 1;
         XDocument? document = rawXml is null ? null : TryParseXml(rawXml);
         return new PdfXmpMetadataInfo(
             objectNumber,
             TryReadName(stream.Dictionary, "Subtype"),
             TryReadStreamFilter(stream),
             stream.Data.Length,
-            decoded.Length,
+            decodedSizeBytes,
             StreamDecoder.GetUnsupportedFilters(stream.Dictionary, _objects).AsReadOnly(),
             rawXml,
             document is not null,

OfficeIMO.Pdf/Reading/Filters/StreamDecoder.cs

@@ -53,6 +53,76 @@ public static byte[] Decode(PdfDictionary dict, byte[] data, Dictionary<int, Pdf
         return current;
     }
 
+    public static bool TryDecode(PdfDictionary dict, byte[] data, int maxOutputBytes, out byte[] decoded, Dictionary<int, PdfIndirectObject>? objects = null) {
+        decoded = Array.Empty<byte>();
+        if (maxOutputBytes < 0) {
+            return false;
+        }
+
+        if (data == null || data.Length == 0 || !dict.Items.TryGetValue("Filter", out var filterObj)) {
+            return TryUseOriginal(data ?? Array.Empty<byte>(), maxOutputBytes, out decoded);
+        }
+
+        byte[] original = data;
+        byte[] current = data;
+        int filterIndex = 0;
+        foreach (string filterName in EnumerateFilters(filterObj, objects)) {
+            try {
+                switch (GetFilterKind(filterName)) {
+                    case DecodeFilterKind.Flate:
+                        if (!FlateDecoder.TryDecode(current, maxOutputBytes, out current)) {
+                            return false;
+                        }
+
+                        current = ApplyDecodeParms(dict, filterIndex, current, objects);
+                        if (!IsWithinLimit(current, maxOutputBytes)) {
+                            return false;
+                        }
+
+                        break;
+                    case DecodeFilterKind.AsciiHex:
+                        current = AsciiHexDecoder.Decode(current);
+                        if (!IsWithinLimit(current, maxOutputBytes)) {
+                            return false;
+                        }
+
+                        break;
+                    case DecodeFilterKind.Ascii85:
+                        current = Ascii85Decoder.Decode(current);
+                        if (!IsWithinLimit(current, maxOutputBytes)) {
+                            return false;
+                        }
+
+                        break;
+                    case DecodeFilterKind.RunLength:
+                        current = RunLengthDecoder.Decode(current);
+                        if (!IsWithinLimit(current, maxOutputBytes)) {
+                            return false;
+                        }
+
+                        break;
+                    case DecodeFilterKind.Lzw:
+                        current = LzwDecoder.Decode(current, GetEarlyChange(dict, filterIndex, objects));
+                        current = ApplyDecodeParms(dict, filterIndex, current, objects);
+                        if (!IsWithinLimit(current, maxOutputBytes)) {
+                            return false;
+                        }
+
+                        break;
+                    default:
+                        return TryUseOriginal(original, maxOutputBytes, out decoded);
+                }
+            } catch {
+                return TryUseOriginal(original, maxOutputBytes, out decoded);
+            }
+
+            filterIndex++;
+        }
+
+        decoded = current;
+        return true;
+    }
+
     internal static List<string> GetUnsupportedFilters(PdfDictionary dict, Dictionary<int, PdfIndirectObject>? objects = null) {
         if (!dict.Items.TryGetValue("Filter", out var filterObj)) {
             return new List<string>(0);
@@ -104,6 +174,20 @@ private static bool ContainsFilter(List<string> filters, string filterName) {
         return false;
     }
 
+    private static bool TryUseOriginal(byte[] data, int maxOutputBytes, out byte[] decoded) {
+        if (!IsWithinLimit(data, maxOutputBytes)) {
+            decoded = Array.Empty<byte>();
+            return false;
+        }
+
+        decoded = data;
+        return true;
+    }
+
+    private static bool IsWithinLimit(byte[] data, int maxOutputBytes) {
+        return data.LongLength <= maxOutputBytes;
+    }
+
     private static byte[] ApplyDecodeParms(PdfDictionary dict, int filterIndex, byte[] data, Dictionary<int, PdfIndirectObject>? objects) {
         var decodeParms = GetDecodeParms(dict, filterIndex, objects);
         if (decodeParms is null) {

OfficeIMO.Tests/Pdf/PdfInspectorViewerMetadataPreflightTests.cs

@@ -251,6 +251,20 @@ public void Inspect_XmpMetadataOverLimitKeepsSizeButDoesNotMaterializeRawXml() {
         Assert.False(metadata.IsWellFormedXml);
     }
 
+    [Fact]
+    public void Inspect_CompressedXmpMetadataOverLimitDoesNotMaterializeDecodedXml() {
+        string xmp = new('x', PdfReadDocument.MaxXmpMetadataBytes + 1);
+
+        PdfDocumentInfo info = PdfInspector.Inspect(BuildCompressedXmpMetadataPdfWithPayload(xmp));
+
+        Assert.True(info.HasXmpMetadata);
+        PdfXmpMetadataInfo metadata = Assert.IsType<PdfXmpMetadataInfo>(info.XmpMetadata);
+        Assert.True(metadata.StreamSizeBytes < PdfReadDocument.MaxXmpMetadataBytes);
+        Assert.Equal(PdfReadDocument.MaxXmpMetadataBytes + 1, metadata.DecodedSizeBytes);
+        Assert.Null(metadata.RawXml);
+        Assert.False(metadata.IsWellFormedXml);
+    }
+
     [Fact]
     public void Preflight_AllowsSimpleCatalogUriPdfReadAndRewrite() {
         PdfDocumentPreflight report = PdfInspector.Preflight(BuildCatalogUriPdf());
@@ -423,4 +437,44 @@ private static byte[] BuildXmpMetadataPdfWithPayload(string xmp) {
         return System.Text.Encoding.UTF8.GetBytes(pdf);
     }
 
+    private static byte[] BuildCompressedXmpMetadataPdfWithPayload(string xmp) {
+        byte[] compressed = Compress(System.Text.Encoding.UTF8.GetBytes(xmp));
+        using var output = new MemoryStream();
+        WriteAscii(output, string.Join("\n", new[] {
+            "%PDF-1.4",
+            "1 0 obj",
+            "<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>",
+            "endobj",
+            "2 0 obj",
+            "<< /Type /Pages /Count 1 /Kids [3 0 R] >>",
+            "endobj",
+            "3 0 obj",
+            "<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Contents 4 0 R >>",
+            "endobj",
+            "4 0 obj",
+            "<< /Length 0 >>",
+            "stream",
+            "",
+            "endstream",
+            "endobj",
+            "5 0 obj",
+            "<< /Type /Metadata /Subtype /XML /Length " + compressed.Length.ToString(System.Globalization.CultureInfo.InvariantCulture) + " /Filter /FlateDecode >>",
+            "stream"
+        }) + "\n");
+        output.Write(compressed, 0, compressed.Length);
+        WriteAscii(output, "\n" + string.Join("\n", new[] {
+            "endstream",
+            "endobj",
+            "trailer",
+            "<< /Root 1 0 R /Size 6 >>",
+            "%%EOF"
+        }));
+        return output.ToArray();
+    }
+
+    private static void WriteAscii(Stream stream, string value) {
+        byte[] bytes = System.Text.Encoding.ASCII.GetBytes(value);
+        stream.Write(bytes, 0, bytes.Length);
+    }
+
 }