From df73754d738cd478d8dd831c273f1a80e9246e2d Mon Sep 17 00:00:00 2001
From: Jason Crain
Date: Sun, 6 Sep 2015 09:35:44 -0500
Subject: [PATCH] Fix JBIG2Decode infinite loop and stack overflow

Creating a JBIG2Decode filter can create a stack overflow or infinite loop. Fix stack overflow by adding 'recursion' argument to fetch call. Fix infinite loop by removing the reference lookup loop. Chains of references aren't allowed by the spec anyway.

Bug #91186
---
 poppler/Stream.cc | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index d2dd761..22c97a1 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -340,13 +340,8 @@ Stream *Stream::makeFilter(char *name, Stream *str, Object *params, int recursio
 } else if (!strcmp(name, "JBIG2Decode")) {
 if (params->isDict()) {
 XRef *xref = params->getDict()->getXRef();
- params->dictLookupNF("JBIG2Globals", &globals);
- while (globals.isRef()) {
- obj.free();
- globals.copy(&obj);
- globals.free();
- obj.fetch(xref, &globals);
- }
+ params->dictLookupNF("JBIG2Globals", &obj);
+ obj.fetch(xref, &globals, recursion);
 }
 str = new JBIG2Stream(str, &globals, &obj);
 globals.free();
-- 
2.1.4
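Review bot: The new `obj.fetch(xref, &globals, recursion);` resolves `JBIG2Globals` exactly once, but nothing in the hunk checks what came back before `new JBIG2Stream(str, &globals, &obj)` consumes it. The dictionary comes from the PDF being parsed, so `globals` can end up a null or error object (failed or depth-limited fetch) or a non-stream, and `obj` is a reference only when the entry was indirect. It is worth confirming that the JBIG2Stream constructor, which is outside this hunk, tests `isStream()` / `isRef()` rather than assuming them. The reason the loop was dropped lives only in the commit message, so I would add a comment above the lookup such as `// JBIG2Globals may be direct or a single indirect ref (no ref chains); resolve once, bounded by 'recursion'`. makeFilter starts and ends outside the hunk, so whether `obj` is freed after `globals.free()` cannot be seen from here.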