From a79d0bbb854710eb1256057a9668e188bdf33864 Mon Sep 17 00:00:00 2001
From: Miklos Vajna <vmiklos@collabora.co.uk>
Date: Fri, 24 Feb 2017 11:47:40 +0100
Subject: xmlsecurity PDF verify: handle multiple startxref in the last 1024
 bytes

Usually this is not a problem, but it's easy to construct a document
manually that contains multiple startxref tokens at the last 1024 bytes.
Make sure we read the last of those, not the first one.

This is triggered by an upcoming unit test for tdf#106059.

Change-Id: I94fbb5d407c4a03b7c2c6e207200127bb374e750
Reviewed-on: https://gerrit.libreoffice.org/34607
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>
(cherry picked from commit 7737457558cafe35c2efe613b4be8ad7abe50dea)
---
 xmlsecurity/source/pdfio/pdfdocument.cxx | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

(limited to 'xmlsecurity')

diff --git a/xmlsecurity/source/pdfio/pdfdocument.cxx b/xmlsecurity/source/pdfio/pdfdocument.cxx
index 899250bd27ae..f4206c6343dd 100644
--- a/xmlsecurity/source/pdfio/pdfdocument.cxx
+++ b/xmlsecurity/source/pdfio/pdfdocument.cxx
@@ -1403,14 +1403,27 @@ size_t PDFDocument::FindStartXRef(SvStream& rStream)
     if (nSize != aBuf.size())
         aBuf.resize(nSize);
     OString aPrefix("startxref");
-    auto it = std::search(aBuf.begin(), aBuf.end(), aPrefix.getStr(), aPrefix.getStr() + aPrefix.getLength());
-    if (it == aBuf.end())
+    // Find the last startxref at the end of the document.
+    std::vector<char>::iterator itLastValid = aBuf.end();
+    std::vector<char>::iterator it = aBuf.begin();
+    while (true)
+    {
+        it = std::search(it, aBuf.end(), aPrefix.getStr(), aPrefix.getStr() + aPrefix.getLength());
+        if (it == aBuf.end())
+            break;
+        else
+        {
+            itLastValid = it;
+            ++it;
+        }
+    }
+    if (itLastValid == aBuf.end())
     {
         SAL_WARN("xmlsecurity.pdfio", "PDFDocument::FindStartXRef: found no startxref");
         return 0;
     }
 
-    rStream.SeekRel(it - aBuf.begin() + aPrefix.getLength());
+    rStream.SeekRel(itLastValid - aBuf.begin() + aPrefix.getLength());
     if (rStream.IsEof())
     {
         SAL_WARN("xmlsecurity.pdfio", "PDFDocument::FindStartXRef: unexpected end of stream after startxref");
-- 
cgit