From 65e83bed531d5b3b62e957390acdeba124802820 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian=20Offenh=C3=A4user?= <metalvoidzz@gmail.com>
Date: Sat, 20 Aug 2022 09:00:51 +0200
Subject: [PATCH] LibPDF: Disallow parsing indirect values as operands

An operation like 0 0 0 RG would have been confused for [ 0, 0 0 R ] G
---
 Userland/Libraries/LibPDF/Parser.cpp | 15 +++++++++++----
 Userland/Libraries/LibPDF/Parser.h   |  7 ++++++-
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/Userland/Libraries/LibPDF/Parser.cpp b/Userland/Libraries/LibPDF/Parser.cpp
index 4df9d59f6e..3df89edb17 100644
--- a/Userland/Libraries/LibPDF/Parser.cpp
+++ b/Userland/Libraries/LibPDF/Parser.cpp
@@ -53,7 +53,7 @@ String Parser::parse_comment()
     return str;
 }
 
-PDFErrorOr<Value> Parser::parse_value()
+PDFErrorOr<Value> Parser::parse_value(CanBeIndirectValue can_be_indirect_value)
 {
     parse_comment();
 
@@ -75,8 +75,12 @@ PDFErrorOr<Value> Parser::parse_value()
         return Value(false);
     }
 
-    if (m_reader.matches_number())
-        return parse_possible_indirect_value_or_ref();
+    if (m_reader.matches_number()) {
+        if (can_be_indirect_value == CanBeIndirectValue::Yes)
+            return parse_possible_indirect_value_or_ref();
+        else
+            return parse_number();
+    }
 
     if (m_reader.matches('/'))
         return MUST(parse_name());
@@ -513,7 +517,10 @@ PDFErrorOr<Vector<Operator>> Parser::parse_operators()
             continue;
         }
 
-        operator_args.append(TRY(parse_value()));
+        // Note: We disallow parsing indirect values here, since
+        //       operations like 0 0 0 RG would confuse the parser
+        auto v = TRY(parse_value(CanBeIndirectValue::No));
+        operator_args.append(v);
     }
 
     return operators;
diff --git a/Userland/Libraries/LibPDF/Parser.h b/Userland/Libraries/LibPDF/Parser.h
index c9e7c317a7..0d3fcd0373 100644
--- a/Userland/Libraries/LibPDF/Parser.h
+++ b/Userland/Libraries/LibPDF/Parser.h
@@ -38,7 +38,12 @@ public:
     void move_by(size_t count) { m_reader.move_by(count); }
     void move_to(size_t offset) { m_reader.move_to(offset); }
 
-    PDFErrorOr<Value> parse_value();
+    enum class CanBeIndirectValue {
+        No,
+        Yes
+    };
+
+    PDFErrorOr<Value> parse_value(CanBeIndirectValue = CanBeIndirectValue::Yes);
     PDFErrorOr<Value> parse_possible_indirect_value_or_ref();
     PDFErrorOr<NonnullRefPtr<IndirectValue>> parse_indirect_value(u32 index, u32 generation);
     PDFErrorOr<NonnullRefPtr<IndirectValue>> parse_indirect_value();