QPDF Manual
QPDF Manual
QPDF Manual
Table of Contents
General Information ............................................................................................................................ iv
1. What is QPDF? ............................................................................................................................... 1
2. Building and Installing QPDF ............................................................................................................ 2
2.1. System Requirements ............................................................................................................. 2
2.2. Build Instructions .................................................................................................................. 2
3. Running QPDF ............................................................................................................................... 4
3.1. Basic Invocation ................................................................................................................... 4
3.2. Basic Options ....................................................................................................................... 4
3.3. Encryption Options ............................................................................................................... 5
3.4. Page Selection Options .......................................................................................................... 6
3.5. Advanced Transformation Options ........................................................................................... 8
3.6. Testing, Inspection, and Debugging Options ............................................................................ 10
4. QDF Mode ................................................................................................................................... 12
5. Using the QPDF Library ................................................................................................................. 14
6. Design and Library Notes ............................................................................................................... 15
6.1. Introduction ........................................................................................................................ 15
6.2. Design Goals ...................................................................................................................... 15
6.3. Casting Policy .................................................................................................................... 17
6.4. Encryption ......................................................................................................................... 18
6.5. Random Number Generation ................................................................................................. 19
6.6. Adding and Removing Pages ................................................................................................. 19
6.7. Reserving Object Numbers ................................................................................................... 19
6.8. Copying Objects From Other PDF Files .................................................................................. 20
6.9. Writing PDF Files ............................................................................................................... 20
6.10. Filtered Streams ................................................................................................................ 21
7. Linearization ................................................................................................................................. 22
7.1. Basic Strategy for Linearization ............................................................................................. 22
7.2. Preparing For Linearization ................................................................................................... 22
7.3. Optimization ....................................................................................................................... 22
7.4. Writing Linearized Files ....................................................................................................... 23
7.5. Calculating Linearization Data ............................................................................................... 23
7.6. Known Issues with Linearization ........................................................................................... 23
7.7. Debugging Note .................................................................................................................. 24
8. Object and Cross-Reference Streams ................................................................................................. 25
8.1. Object Streams .................................................................................................................... 25
8.2. Cross-Reference Streams ...................................................................................................... 25
8.2.1. Cross-Reference Stream Data ...................................................................................... 26
8.3. Implications for Linearized Files ............................................................................................ 26
8.4. Implementation Notes .......................................................................................................... 27
A. Release Notes ............................................................................................................................... 28
B. Upgrading from 2.0 to 2.1 .............................................................................................................. 38
C. Upgrading to 3.0 ........................................................................................................................... 39
D. Upgrading to 4.0 ........................................................................................................................... 40
iii
General Information
QPDF is a program that does structural, content-preserving transformations on PDF files. QPDF's website is located
at http://qpdf.sourceforge.net/. QPDF's source code is hosted on github at https://github.com/qpdf/qpdf.
QPDF has been released under the terms of Version 2.0 of the Artistic License [http://www.opensource.org/licenses/
artistic-license-2.0.php], a copy of which appears in the file Artistic-2.0 in the source distribution.
QPDF was originally created in 2001 and modified periodically between 2001 and 2005 during my employment at
Apex CoVantage [http://www.apexcovantage.com]. Upon my departure from Apex, the company graciously allowed
me to take ownership of the software and continue maintaining as an open source project, a decision for which I am
very grateful. I have made considerable enhancements to it since that time. I feel fortunate to have worked for people
who would make such a decision. This work would not have been possible without their support.
iv
./configure
make
You can also run make check to run the test suite and make install to install. Please run ./configure --help for
options on what can be configured. You can also set the value of DESTDIR during installation to install to a temporary
location, as is common with many open source packages. Please see also the README and INSTALL files in the
source distribution.
Building on Windows is a little bit more complicated. For details, please see README-windows.txt in the source
distribution. You can also download a binary distribution for Windows. There is a port of qpdf to Visual C++ version 6
in the contrib area generously contributed by Jian Ma. This is also discussed in more detail in README-windows.txt.
There are some other things you can do with the build. Although qpdf uses autoconf, it does not use automake but
instead uses a hand-crafted non-recursive Makefile that requires gnu make. If you're really interested, please read the
comments in the top-level Makefile.
Running QPDF
Password-protected files may be opened by specifying a password. By default, qpdf will preserve any encryption data
associated with a file. If --decrypt is specified, qpdf will attempt to remove any encryption information. If --encrypt
is specified, qpdf will replace the document's encryption parameters with whatever is specified.
Note that qpdf does not obey encryption restrictions already imposed on the file. Doing so would be meaningless since
qpdf can be used to remove encryption from the file entirely. This functionality is not intended to be used for bypassing
copyright restrictions or other restrictions placed on files by their producers.
In all cases where qpdf allows specification of a password, care must be taken if the password contains characters
that fall outside of the 7-bit US-ASCII character range to ensure that the exact correct byte sequence is provided. It
is possible that a future version of qpdf may handle this more gracefully. For example, if a password was encrypted
using a password that was encoded in ISO-8859-1 and your terminal is configured to use UTF-8, the password you
supply may not work properly. There are various approaches to handling this. For example, if you are using Linux and
have the iconv executable (part of the ICU package) installed, you could pass --password=`echo password | iconv
-t iso-8859-1` to qpdf where password is a password specified in your terminal's locale. A detailed discussion of
this is out of scope for this manual, but just be aware of this issue if you have trouble with a password that contains
8-bit characters.
Running QPDF
Running QPDF
Multiple input files may be specified. Each one is given as the name of the input file, an optional password (if required
to open the file), and the range of pages. Note that -- terminates parsing of page selection flags.
For each file that pages should be taken from, specify the file, a password needed to open the file (if any), and a page
range. The password needs to be given only once per file. If any of the input files are the same as the primary input
file or the file used to copy encryption parameters (if specified), you do not need to repeat the password here. The
same file can be repeated multiple times. If a file that is repeated has a password, the password only has to be given
the first time. All non-page data (info, outlines, page numbers, etc.) are taken from the primary input file. To discard
these, use --empty as the primary input.
Starting with qpdf 5.0.0, it is possible to omit the page range. If qpdf sees a value in the place where it expects a page
range and that value is not a valid range but is a valid file name, qpdf will implicitly use the range 1-z, meaning that
it will include all pages in the file. This makes it possible to easily combine all pages in a set of files with a command
like qpdf --empty out.pdf --pages *.pdf --.
It is not presently possible to specify the same page from the same file directly more than once, but you can make this
work by specifying two different paths to the same file (such as by putting ./ somewhere in the path). This can also be
used if you want to repeat a page from one of the input files in the output file. This may be made more convenient in
a future version of qpdf if there is enough demand for this feature.
The page range is a set of numbers separated by commas, ranges of numbers separated dashes, or combinations of
those. The character z represents the last page. Pages can appear in any order. Ranges can appear with a high number
followed by a low number, which causes the pages to appear in reverse. Repeating a number will cause an error, but
you can use the workaround discussed above should you really want to include the same page twice.
Example page ranges:
1,3,5-9,15-12: pages 1, 2, 3, 5, 6, 7, 8, 9, 15, 14, 13, and 12.
z-1: all pages in the document in reverse
Note that qpdf doesn't presently do anything special about other constructs in a PDF file that may know about pages,
so semantics of splitting and merging vary across features. For example, the document's outlines (bookmarks) point
to actual page objects, so if you select some pages and not others, bookmarks that point to pages that are in the output
file will work, and remaining bookmarks will not work. On the other hand, page labels (page numbers specified in the
file) are just sequential, so page labels will be messed up in the output file. A future version of qpdf may do a better
job at handling these issues. (Note that the qpdf library already contains all of the APIs required in order to implement
this in your own application if you need it.) In the mean time, you can always use --empty as the primary input file to
avoid copying all of that from the first file. For example, to take pages 1 through 5 from a infile.pdf while preserving
all metadata associated with that file, you could use
qpdf infile.pdf --pages infile.pdf 1-5 -- outfile.pdf
If you wanted pages 1 through 5 from infile.pdf but you wanted the rest of the metadata to be dropped, you could
instead run
qpdf --empty --pages infile.pdf 1-5 -- outfile.pdf
If you wanted to take pages 15 from file1.pdf and pages 1115 from file2.pdf in reverse, you would run
qpdf file1.pdf --pages file1.pdf 1-5 file2.pdf 15-11 -- outfile.pdf
If, for some reason, you wanted to take the first page of an encrypted file called encrypted.pdf with password pass
and repeat it twice in an output file, and if you wanted to drop metadata (like page numbers and outlines) but preserve
encryption, you would use
Running QPDF
Running QPDF
that extension levels can be set. In some cases, forcing the output file's PDF version to be lower than that of the
input file will cause qpdf to disable certain features of the document. Specifically, 256-bit keys are disabled if
the version is less than 1.7 with extension level 8 (except R5 is disabled if less than 1.7 with extension level 3),
AES encryption is disabled if the version is less than 1.6, cleartext metadata and object streams are disabled if less
than 1.5, 128-bit encryption keys are disabled if less than 1.4, and all encryption is disabled if less than 1.3. Even
with these precautions, qpdf won't be able to do things like eliminate use of newer image compression schemes,
transparency groups, or other features that may have been added in more recent versions of PDF.
As a general rule, with the exception of big structural things like the use of object streams or AES encryption,
PDF viewers are supposed to ignore features in files that they don't support from newer versions. This means that
forcing the version to a lower version may make it possible to open your PDF file with an older version, though
bear in mind that some of the original document's functionality may be lost.
By default, when a stream is encoded using non-lossy filters that qpdf understands and is not already compressed
using a good compression scheme, qpdf will uncompress and recompress streams. Assuming proper filter implements,
this is safe and generally results in smaller files. This behavior may also be explicitly requested with --streamdata=compress.
When --stream-data=preserve is specified, qpdf will never attempt to change the filtering of any stream data.
When --stream-data=uncompress is specified, qpdf will attempt to remove any non-lossy filters that it supports. This
includes /FlateDecode, /LZWDecode, /ASCII85Decode, and /ASCIIHexDecode. This can be very useful
for inspecting the contents of various streams.
When --normalize-content=y is specified, qpdf will attempt to normalize whitespace and newlines in page content
streams. This is generally safe but could, in some cases, cause damage to the content streams. This option is intended
for people who wish to study PDF content streams or to debug PDF content. You should not use this for production
PDF files.
Ordinarily, qpdf will attempt to recover from certain types of errors in PDF files. These include errors in the crossreference table, certain types of object numbering errors, and certain types of stream length errors. Sometimes, qpdf
may think it has recovered but may not have actually recovered, so care should be taken when using this option as
some data loss is possible. The --suppress-recovery option will prevent qpdf from attempting recovery. In this case,
it will fail on the first error that it encounters.
Object streams, also known as compressed objects, were introduced into the PDF specification at version 1.5,
corresponding to Acrobat 6. Some older PDF viewers may not support files with object streams. qpdf can be used to
transform files with object streams to files without object streams or vice versa. As mentioned above, there are three
object stream modes: preserve, disable, and generate.
In preserve mode, the relationship to objects and the streams that contain them is preserved from the original file. In
disable mode, all objects are written as regular, uncompressed objects. The resulting file should be readable by older
PDF viewers. (Of course, the content of the files may include features not supported by older viewers, but at least
the structure will be supported.) In generate mode, qpdf will create its own object streams. This will usually result in
more compact PDF files, though they may not be readable by older viewers. In this mode, qpdf will also make sure
the PDF version number in the header is at least 1.5.
Ordinarily, qpdf reads cross-reference streams when they are present in a PDF file. If --ignore-xref-streams is
specified, qpdf will ignore any cross-reference streams for hybrid PDF files. The purpose of hybrid files is to make
some content available to viewers that are not aware of cross-reference streams. It is almost never desirable to ignore
them. The only time when you might want to use this feature is if you are testing creation of hybrid PDF files and wish
to see how a PDF consumer that doesn't understand object and cross-reference streams would interpret such a file.
The --qdf flag turns on QDF mode, which changes some of the defaults described above. Specifically, in QDF mode,
by default, stream data is uncompressed, content streams are normalized, and encryption is removed. These defaults
Running QPDF
can still be overridden by specifying the appropriate options as described above. Additionally, in QDF mode, stream
lengths are stored as indirect objects, objects are laid out in a less efficient but more readable fashion, and the documents
are interspersed with comments that make it easier for the user to find things and also make it possible for fix-qdf to
work properly. QDF mode is intended for people, mostly developers, who wish to inspect or modify PDF files in a
text editor. For details, please see Chapter 4, QDF Mode, page 12.
10
Running QPDF
--filtered-stream-data
When used along with the --show-object option, if the object is a stream, shows the filtered stream data instead
of object's contents. If the stream is filtered using filters that qpdf does not support, an error will be issued.
--show-npages
Prints the number of pages in the input file on a line by itself. Since the number of pages appears by itself on a
line, this option can be useful for scripting if you need to know the number of pages in a file.
--show-pages
Shows the object and generation number for each page dictionary object and for each content stream associated
with the page. Having this information makes it more convenient to inspect objects from a particular page.
--with-images
When used along with --show-pages, also shows the object and generation numbers for the image objects on each
page. (At present, information about images in shared resource dictionaries are not output by this command. This
is discussed in a comment in the source code.)
--check
Checks file structure and well as encryption, linearization, and encoding of stream data. A file for which --check
reports no errors may still have errors in stream data content but should otherwise be structurally sound. If --check
any errors, qpdf will exit with a status of 2. There are some recoverable conditions that --check detects. These
are issued as warnings instead of errors. If qpdf finds no errors but finds warnings, it will exit with a status of
3 (as of version 2.0.4).
The --raw-stream-data and --filtered-stream-data options are ignored unless --show-object is given. Either of these
options will cause the stream data to be written to standard output. In order to avoid commingling of stream data with
other output, it is recommend that these objects not be combined with other test/inspection options.
If --filtered-stream-data is given and --normalize-content=y is also given, qpdf will attempt to normalize the stream
data as if it is a page content stream. This attempt will be made even if it is not a page content stream, in which case
it will produce unusable results.
11
12
QDF Mode
the pairs of numbers representing object numbers and offsets of objects in object streams
all stream lengths
the cross-reference table or cross-reference stream
the offset to the cross-reference table or cross-reference stream following the startxref token
13
14
15
Instances of QPDFObjectHandle can be directly created and modified using static factory methods in the
QPDFObjectHandle class. There are factory methods for each type of object as well as a convenience method
QPDFObjectHandle::parse that creates an object from a string representation of the object. Existing instances of
QPDFObjectHandle can also be modified in several ways. See comments in QPDFObjectHandle.hh for details.
When the QPDF class creates a new object, it dynamically allocates the appropriate type of QPDFObject and
immediately hands the pointer to an instance of QPDFObjectHandle. The parser reads a token from the current
file position. If the token is a not either a dictionary or array opener, an object is immediately constructed from
the single token and the parser returns. Otherwise, the parser is invoked recursively in a special mode in which it
accumulates objects until it finds a balancing closer. During this process, the R keyword is recognized and an indirect
QPDFObjectHandle may be constructed.
The QPDF::resolve() method, which is used to resolve an indirect object, may be invoked from the
QPDFObjectHandle class. It first checks a cache to see whether this object has already been read. If not, it reads the
object from the PDF file and caches it. It the returns the resulting QPDFObjectHandle. The calling object handle
then replaces its PointerHolder<QDFObject> with the one from the newly returned QPDFObjectHandle. In this
way, only a single copy of any direct object need exist and clients can access objects transparently without knowing
caring whether they are direct or indirect objects. Additionally, no object is ever read from the file more than once. That
means that only the portions of the PDF file that are actually needed are ever read from the input file, thus allowing
the qpdf package to take advantage of this important design goal of PDF files.
If the requested object is inside of an object stream, the object stream itself is first read into memory. Then the tokenizer
reads objects from the memory stream based on the offset information stored in the stream. Those individual objects
are cached, after which the temporary buffer holding the object stream contents are discarded. In this way, the first
time an object in an object stream is requested, all objects in the stream are cached.
An instance of QPDF is constructed by using the class's default constructor. If desired, the QPDF object may be
configured with various methods that change its default behavior. Then the QPDF::processFile() method is passed
the name of a PDF file, which permanently associates the file with that QPDF object. A password may also be given
for access to password-protected files. QPDF does not enforce encryption parameters and will treat user and owner
passwords equivalently. Either password may be used to access an encrypted file. 1 QPDF will allow recovery of a
user password given an owner password. The input PDF file must be seekable. (Output files written by QPDFWriter
need not be seekable, even when creating linearized files.) During construction, QPDF validates the PDF file's header,
and then reads the cross reference tables and trailer dictionaries. The QPDF class keeps only the first trailer dictionary
though it does read all of them so it can check the /Prev key. QPDF class users may request the root object and
the trailer dictionary specifically. The cross reference table is kept private. Objects may then be requested by number
of by walking the object tree.
When a PDF file has a cross-reference stream instead of a cross-reference table and trailer, requesting the document's
trailer dictionary returns the stream dictionary from the cross-reference stream instead.
There are some convenience routines for very common operations such as walking the page tree and returning a vector
of all page objects. For full details, please see the header file QPDF.hh.
The following example should clarify how QPDF processes a simple file.
Client constructs QPDF pdf and calls pdf.processFile("a.pdf");.
The QPDF class checks the beginning of a.pdf for %!PDF-1.[0-9]+. It then reads the cross reference table
mentioned at the end of the file, ensuring that it is looking before the last %%EOF. After getting to trailer
keyword, it invokes the parser.
1
As pointed out earlier, the intention is not for qpdf to be used to bypass security on files. but as any open source PDF consumer may be easily
modified to bypass basic PDF document security, and qpdf offers may transformations that can do this as well, there seems to be little point in the
added complexity of conditionally enforcing document security.
16
The parser sees <<, so it calls itself recursively in dictionary creation mode.
In dictionary creation mode, the parser keeps accumulating objects until it encounters >>. Each object that is
read is pushed onto a stack. If R is read, the last two objects on the stack are inspected. If they are integers,
they are popped off the stack and their values are used to construct an indirect object handle which is then pushed
onto the stack. When >> is finally read, the stack is converted into a QPDF_Dictionary which is placed in a
QPDFObjectHandle and returned.
The resulting dictionary is saved as the trailer dictionary.
The /Prev key is searched. If present, QPDF seeks to that point and repeats except that the new trailer dictionary
is not saved. If /Prev is not present, the initial parsing process is complete.
If there is an encryption dictionary, the document's encryption parameters are initialized.
The client requests root object. The QPDF class gets the value of root key from trailer dictionary and returns it. It
is an unresolved indirect QPDFObjectHandle.
The client requests the /Pages key from root QPDFObjectHandle. The QPDFObjectHandle notices that it
is indirect so it asks QPDF to resolve it. QPDF looks in the object cache for an object with the root dictionary's
object ID and generation number. Upon not seeing it, it checks the cross reference table, gets the offset, and reads
the object present at that offset. It stores the result in the object cache and returns the cached result. The calling
QPDFObjectHandle replaces its object pointer with the one from the resolved QPDFObjectHandle, verifies
that it a valid dictionary object, and returns the (unresolved indirect) QPDFObject handle to the top of the Pages
hierarchy.
As the client continues to request objects, the same process is followed for each new requested object.
17
Non-const unsigned char* used in the Pipeline interface. The pipeline interface has a write call that uses
unsigned char* without a const qualifier. The main reason for this is to support pipelines that make calls to
third-party libraries, such as zlib, that don't include const in their interfaces. Unfortunately, there are many places
in the code where it is desirable to have const char* with pipelines. None of the pipeline implementations in
qpdf currently modify the data passed to write, and doing so would be counter to the intent of Pipeline, but there
is nothing in the code to prevent this from being done. There are places in the code where const_cast is used to
remove the const-ness of pointers going into Pipelines. This could theoretically be unsafe, but there is adequate
testing to assert that it is safe and will remain safe in qpdf's code.
size_t vs. qpdf_offset_t. This is pretty much unavoidable since sizes are unsigned types and offsets are
signed types. Whenever it is necessary to seek by an amount given by a size_t, it becomes necessary to mix and
match between size_t and qpdf_offset_t. Additionally, qpdf sometimes treats memory buffers like files (as
with BufferInputSource, and those seek interfaces have to be consistent with file-based input sources. Neither
gcc nor MSVC give warnings for this case by default, but both have warning flags that can enable this. (MSVC:
/W14267 or /W3, which also enables some additional warnings that we ignore; gcc: -Wconversion -Wsignconversion). This could matter for files whose sizes are larger than 263 bytes, but it is reasonable to expect that a
world where such files are common would also have larger size_t and qpdf_offset_t types in it. On most
64-bit systems at the time of this writing (the release of version 4.1.0 of qpdf), both size_t and qpdf_offset_t
are 64-bit integer types, while on many current 32-bit systems, size_t is a 32-bit type while qpdf_offset_t is
a 64-bit type. I am not aware of any cases where 32-bit systems that have size_t smaller than qpdf_offset_t
could run into problems. Although I can't conclusively rule out the possibility of such problems existing, I suspect
any cases would be pretty contrived. In the event that someone should produce a file that qpdf can't handle because
of what is suspected to be issues involving the handling of size_t vs. qpdf_offset_t (such files may behave
properly on 64-bit systems but not on 32-bit systems because they have very large embedded files or streams, for
example), the above mentioned warning flags could be enabled and all those implicit conversions could be carefully
scrutinized. (I have already gone through that exercise once in adding support for files larger than 4 GB in size.) I
continue to be committed to supporting large files on 32-bit systems, but I would not go to any lengths to support
corner cases involving large embedded files or large streams that work on 64-bit systems but not on 32-bit systems
because of size_t being too small. It is reasonable to assume that anyone working with such files would be using
a 64-bit system anyway since many 32-bit applications would have similar difficulties.
size_t vs. int or long. There are some cases where size_t and int or long or size_t and unsigned
int or unsigned long are used interchangeably. These cases occur when working with very small amounts of
memory, such as with the bit readers (where we're working with just a few bytes at a time), some cases of strlen, and
a few other cases. I have scrutinized all of these cases and determined them to be safe, but there is no mechanism in
the code to ensure that new unsafe conversions between int and size_t aren't introduced short of good testing
and strong awareness of the issues. Again, if any such bugs are suspected in the future, enabling the additional
warning flags and scrutinizing the warnings would be in order.
To be clear, I believe qpdf to be well-behaved with respect to sizes and offsets, and qpdf's test suite includes actual
generation and full processing of files larger than 4 GB in size. The issues raised here are largely academic and should
not in any way be interpreted to mean that qpdf has practical problems involving sloppiness with integer types. I also
believe that appropriate measures have been taken in the code to avoid problems with signed vs. unsigned integers
from resulting in memory overwrites or other issues with potential security implications, though there are never any
absolute guarantees.
6.4. Encryption
Encryption is supported transparently by qpdf. When opening a PDF file, if an encryption dictionary exists, the QPDF
object processes this dictionary using the password (if any) provided. The primary decryption key is computed and
cached. No further access is made to the encryption dictionary after that time. When an object is read from a file, the
object ID and generation of the object in which it is contained is always known. Using this information along with
the stored encryption key, all stream and string objects are transparently decrypted. Raw encrypted objects are never
stored in memory. This way, nothing in the library ever has to know or care whether it is reading an encrypted file.
18
An interface is also provided for writing encrypted streams and strings given an encryption key. This is used by
QPDFWriter when it rewrites encrypted files.
When copying encrypted files, unless otherwise directed, qpdf will preserve any encryption in force in the original
file. qpdf can do this with either the user or the owner password. There is no difference in capability based on which
password is used. When 40 or 128 bit encryption keys are used, the user password can be recovered with the owner
password. With 256 keys, the user and owner passwords are used independently to encrypt the actual encryption key,
so while either can be used, the owner password can no longer be used to recover the user password.
Starting with version 4.0.0, qpdf can read files that are not encrypted but that contain encrypted attachments, but it
cannot write such files. qpdf also requires the password to be specified in order to open the file, not just to extract
attachments, since once the file is open, all decryption is handled transparently. When copying files like this while
preserving encryption, qpdf will apply the file's encryption to everything in the file, not just to the attachments. When
decrypting the file, qpdf will decrypt the attachments. In general, when copying PDF files with multiple encryption
formats, qpdf will choose the newest format. The only exception to this is that clear-text metadata will be preserved
as clear-text if it is that way in the original file.
19
20
If object is null, whether direct or indirect, write out null, thus eliminating unresolvable indirect object references.
If the object is a stream stream, write stream contents, piped through any filters as required, to a memory buffer.
Use this buffer to determine the stream length.
If object is not a stream, array, or dictionary, write out its contents.
If object is an array or dictionary (including stream), traverse its elements (for array) or values (for dictionaries),
handling recursive dictionaries and arrays, looking for indirect objects. When an indirect object is found, if it is
not resolvable, ignore. (This case is handled when writing it out.) Otherwise, look it up in the renumbering table.
If not found, grab the next available object number, assign to the referenced object in the renumbering table, and
push the referenced object onto the queue. As a special case, when writing out a stream dictionary, replace length,
filters, and decode parameters as required.
Write out dictionary or array, replacing any unresolvable indirect object references with null (pdf spec says
reference to non-existent object is legal and resolves to null) and any resolvable ones with references to the
renumbered objects.
If the object is a stream, write stream\n, the stream contents (from the memory buffer), and \nendstream\n.
When done, write endobj.
Once we have finished the queue, all referenced objects will have been written out and all deleted objects or
unreferenced objects will have been skipped. The new cross-reference table will contain an offset for every new object
number from 1 up to the number of objects written. This can be used to write out a new xref table. Finally we can
write out the trailer dictionary with appropriately computed /ID (see spec, 8.3, File Identifiers), the cross reference
table offset, and %%EOF.
21
Chapter 7. Linearization
This chapter describes how QPDF and QPDFWriter implement creation and processing of linearized PDFS.
7.3. Optimization
In order to perform various operations such as linearization and splitting files into pages, it is necessary to know which
objects are referenced by which pages, page thumbnails, and root and trailer dictionary keys. It is also necessary to
ensure that all page-level attributes appear directly at the page level and are not inherited from parents in the pages tree.
We refer to the process of enforcing these constraints as optimization. As mentioned above, note that some applications
refer to linearization as optimization. Although this optimization was initially motivated by the need to create linearized
files, we are using these terms separately.
PDF file optimization is implemented in the QPDF_optimization.cc source file. That file is richly commented and
serves as the primary reference for the optimization process.
After optimization has been completed, the private member variables obj_user_to_objects and object_to_obj_users in
QPDF have been populated. Any object that has more than one value in the object_to_obj_users table is shared. Any
object that has exactly one value in the object_to_obj_users table is private. To find all the private objects in a page or
a trailer or root dictionary key, one merely has make this determination for each element in the obj_user_to_objects
table for the given page or key.
Note that pages and thumbnails have different object user types, so the above test on a page will not include objects
referenced by the page's thumbnail dictionary and nothing else.
22
Linearization
23
Linearization
24
25
For hybrid files (files containing both xref tables and cross-reference streams), the xref table's trailer dictionary contains
the key /XRefStm whose value is the byte offset to a cross-reference stream that supplements the xref table. A
PDF 1.5-compliant application should read the xref table first. Then it should replace any object that it has already
seen with any defined in the xref stream. Then it should follow any /Prev pointer in the original xref table's trailer
dictionary. The specification is not clear about what should be done, if anything, with a /Prev pointer in the xref
stream referenced by an xref table. The QPDF class ignores it, which is probably reasonable since, if this case were
to appear for any sensible PDF file, the previous xref table would probably have a corresponding /XRefStm pointer
of its own. For example, if a hybrid file were appended, the appended section would have its own xref table and /
XRefStm. The appended xref table would point to the previous xref table which would point the /XRefStm, meaning
that the new /XRefStm doesn't have to point to it.
Since xref streams must be read very early, they may not be encrypted, and the may not contain indirect objects for
keys required to read them, which are these:
/Type: value /XRef
/Size: value n+1: where n is highest object number (same as /Size in the trailer dictionary)
/Index (optional): value [n count ...] used to determine which objects' information is stored in this stream.
The default is [0 /Size].
/Prev: value offset: byte offset of previous xref stream (same as /Prev in the trailer dictionary)
/W [...]: sizes of each field in the xref table
The other fields in the xref stream, which may be indirect if desired, are the union of those from the xref table's trailer
dictionary.
26
Hint data refers to object streams themselves, not the objects in the streams. Shared object references should also be
made to the object streams. There are no reference in any hint tables to the object numbers of compressed objects
(objects within object streams).
When numbering objects, all shared objects within both the first and second halves of the linearized files must be
numbered consecutively after all normal uncompressed objects in that half.
27
28
Release Notes
Introduce a number of small fixes for compilation on the latest clang in MacOS and the latest Visual C++ in
Windows.
Be able to handle broken files that end the xref table header with a space instead of a newline.
5.0.1: October 18, 2013
Thanks to a detailed review by Florian Weimer and the Red Hat Product Security Team, this release includes a
number of non-user-visible security hardening changes. Please see the ChangeLog file in the source distribution
for the complete list.
When available, operating system-specific secure random number generation is used for generating
initialization vectors and other random values used during encryption or file creation. For the Windows build,
this results in an added dependency on Microsoft's cryptography API. To disable the OS-specific cryptography
and use the old version, pass the --enable-insecure-random option to ./configure.
The qpdf command-line tool now issues a warning when -accessibility=n is specified for newer encryption
versions stating that the option is ignored. qpdf, per the spec, has always ignored this flag, but it previously
did so silently. This warning is issued only by the command-line tool, not by the library. The library's handling
of this flag is unchanged.
5.0.0: July 10, 2013
Bug fix: previous versions of qpdf would lose objects with generation != 0 when generating object streams.
Fixing this required changes to the public API.
Removed methods from public API that were only supposed to be called by QPDFWriter and couldn't
realistically be called anywhere else. See ChangeLog for details.
New QPDFObjGen class added to represent an object ID/generation pair. QPDFObjectHandle::getObjGen() is
now preferred over QPDFObjectHandle::getObjectID() and QPDFObjectHandle::getGeneration() as it makes
it less likely for people to accidentally write code that ignores the generation number. See QPDF.hh and
QPDFObjectHandle.hh for additional notes.
Add --show-npages command-line option to the qpdf command to show the number of pages in a file.
Allow omission of the page range within --pages for the qpdf command. When omitted, the page range is
implicitly taken to be all the pages in the file.
Various enhancements were made to support different types of broken files or broken readers. Details can be
found in ChangeLog.
4.1.0: April 14, 2013
Note to people including qpdf in distributions: the .la files generated by libtool are now installed by qpdf's make
install target. Before, they were not installed. This means that if your distribution does not want to include .la
files, you must remove them as part of your packaging process.
Major enhancement: API enhancements have been made to support parsing of content streams. This
enhancement includes the following changes:
QPDFObjectHandle::parseContentStream method parses objects in a content stream and calls handlers in a
callback class. The example examples/pdf-parse-content.cc illustrates how this may be used.
QPDFObjectHandle can now represent operators and inline images, object types that may only appear
in content streams.
29
Release Notes
30
Release Notes
specified in ISO 32000-2, the PDF 2.0 specification. This scheme can be chosen from the command line by
specifying use of 256-bit keys. qpdf also supports the deprecated encryption method used by Acrobat IX. This
encryption style has known security weaknesses and should not be used in practice. However, such files exist in
the wild, so support for this scheme is still useful. New methods QPDFWriter::setR6EncryptionParameters
(for the PDF 2.0 scheme) and QPDFWriter::setR5EncryptionParameters (for the deprecated scheme) have
been added to enable these new encryption schemes. Corresponding functions have been added to the C API
as well.
Full support for Adobe extension levels in PDF version information. Starting with PDF version 1.7,
corresponding to ISO 32000, Adobe adds new functionality by increasing the extension level rather
than increasing the version. This support includes addition of the QPDF::getExtensionLevel method for
retrieving the document's extension level, addition of versions of QPDFWriter::setMinimumPDFVersion
and QPDFWriter::forcePDFVersion that accept an extension level, and extended syntax for specifying
forced and minimum versions on the command line as described in Section 3.5, Advanced Transformation
Options, page 8. Corresponding functions have been added to the C API as well.
Minor fixes to prevent qpdf from referencing objects in the file that are not referenced in the file's overall
structure. Most files don't have any such objects, but some files have contain unreferenced objects with errors,
so these fixes prevent qpdf from needlessly rejecting or complaining about such objects.
Add new generalized methods for reading and writing files from/to programmer-defined sources. The
method QPDF::processInputSource allows the programmer to use any input source for the input file, and
QPDFWriter::setOutputPipeline allows the programmer to write the output file through any pipeline. These
methods would make it possible to perform any number of specialized operations, such as accessing external
storage systems, creating bindings for qpdf in other programming languages that have their own I/O systems,
etc.
Add new method QPDF::getEncryptionKey for retrieving the underlying encryption key used in the file.
This release includes a small handful of non-compatible API changes. While effort is made to avoid such
changes, all the non-compatible API changes in this version were to parts of the API that would likely never
be used outside the library itself. In all cases, the altered methods or structures were parts of the QPDF that
were public to enable them to be called from either QPDFWriter or were part of validation code that was overzealous in reporting problems in parts of the file that would not ordinarily be referenced. In no case did any of
the removed methods do anything worse that falsely report error conditions in files that were broken in ways
that didn't matter. The following public parts of the QPDF class were changed in a non-compatible way:
Updated nested QPDF::EncryptionData class to add fields needed by the newer encryption formats,
member variables changed to private so that future changes will not require breaking backward compatibility.
Added additional parameters to compute_data_key, which is used by QPDFWriter to compute the
encryption key used to encrypt a specific object.
Removed the method flattenScalarReferences. This method was previously used prior to writing a new PDF
file, but it has the undesired side effect of causing qpdf to read objects in the file that were not referenced.
Some otherwise files have unreferenced objects with errors in them, so this could cause qpdf to reject files
that would be accepted by virtually all other PDF readers. In fact, qpdf relied on only a very small part of
what flattenScalarReferences did, so only this part has been preserved, and it is now done directly inside
QPDFWriter.
Removed the method decodeStreams. This method was used by the --check option of the qpdf command-line
tool to force all streams in the file to be decoded, but it also suffered from the problem of opening otherwise
unreferenced streams and thus could report false positive. The --check option now causes qpdf to go through
all the motions of writing a new file based on the original one, so it will always reference and check exactly
those parts of a file that any ordinary viewer would check.
31
Release Notes
Removed the method trimTrailerForWrite. This method was used by QPDFWriter to modify the original
QPDF object by removing fields from the trailer dictionary that wouldn't apply to the newly written file.
This functionality, though generally harmless, was a poor implementation and has been replaced by having
QPDFWriter filter these out when copying the trailer rather than modifying the original QPDF object. (Note
that qpdf never modifies the original file itself.)
Allow the PDF header to appear anywhere in the first 1024 bytes of the file. This is consistent with what other
readers do.
Fix the pkg-config files to list zlib and pcre in Requires.private to better support static linking using pkg-config.
3.0.2: September 6, 2012
Bug fix: QPDFWriter::setOutputMemory did not work when not used with QPDFWriter::setStaticID, which
made it pretty much useless. This has been fixed.
New API call QPDFWriter::setExtraHeaderText inserts additional text near the header of the PDF file. The
intended use case is to insert comments that may be consumed by a downstream application, though other use
cases may exist.
3.0.1: August 11, 2012
Version 3.0.0 included addition of files for pkg-config, but this was not mentioned in the release notes. The
release notes for 3.0.0 were updated to mention this.
Bug fix: if an object stream ended with a scalar object not followed by space, qpdf would incorrectly report that
it encountered a premature EOF. This bug has been in qpdf since version 2.0.
3.0.0: August 2, 2012
Acknowledgment: I would like to express gratitude for the contributions of Tobias Hoffmann toward the release
of qpdf version 3.0. He is responsible for most of the implementation and design of the new API for manipulating
pages, and contributed code and ideas for many of the improvements made in version 3.0. Without his work,
this release would certainly not have happened as soon as it did, if at all.
Non-compatible API change: The version of QPDFObjectHandle::replaceStreamData that uses a
StreamDataProvider no longer requires (or accepts) a length parameter. See Appendix C, Upgrading to
3.0, page 39 for an explanation. While care is taken to avoid non-compatible API changes in general, an
exception was made this time because the new interface offers an opportunity to significantly simplify calling
code.
Support has been added for large files. The test suite verifies support for files larger than 4 gigabytes, and
manual testing has verified support for files larger than 10 gigabytes. Large file support is available for both
32-bit and 64-bit platforms as long as the compiler and underlying platforms support it.
Support for page selection (splitting and merging PDF files) has been added to the qpdf command-line tool.
See Section 3.4, Page Selection Options, page 6.
Options have been added to the qpdf command-line tool for copying encryption parameters from another file.
See Section 3.2, Basic Options, page 4.
New methods have been added to the QPDF object for adding and removing pages. See Section 6.6, Adding
and Removing Pages, page 19.
New methods have been added to the QPDF object for copying objects from other PDF files. See Section 6.8,
Copying Objects From Other PDF Files, page 20
32
Release Notes
A new method QPDFObjectHandle::parse has been added for constructing QPDFObjectHandle objects
from a string description.
Methods have been added to QPDFWriter to allow writing to an already open stdio FILE* addition to writing
to standard output or a named file. Methods have been added to QPDF to be able to process a file from an
already open stdio FILE*. This makes it possible to read and write PDF from secure temporary files that have
been unlinked prior to being fully read or written.
The QPDF::emptyPDF can be used to allow creation of PDF files from scratch. The example examples/pdfcreate.cc illustrates how it can be used.
Several methods to take PointerHolder<Buffer> can now also accept std::string arguments.
Many new convenience methods have been added to the library, most in QPDFObjectHandle. See
ChangeLog for a full list.
When building on a platform that supports ELF shared libraries (such as Linux), symbol versions are enabled
by default. They can be disabled by passing --disable-ld-version-script to ./configure.
The file libqpdf.pc is now installed to support pkg-config.
Image comparison tests are off by default now since they are not needed to verify a correct build or port of
qpdf. They are needed only when changing the actual PDF output generated by qpdf. You should enable them
if you are making deep changes to qpdf itself. See README for details.
Large file tests are off by default but can be turned on with ./configure or by setting an environment variable
before running the test suite. See README for details.
When qpdf's test suite fails, failures are not printed to the terminal anymore by default. Instead, find them in
build/qtest.log. For packagers who are building with an autobuilder, you can add the --enable-show-failedtest-output option to ./configure to restore the old behavior.
2.3.1: December 28, 2011
Fix thread-safety problem resulting from non-thread-safe use of the PCRE library.
Made a few minor documentation fixes.
Add workaround for a bug that appears in some versions of ghostscript to the test suite
Fix minor build issue for Visual C++ 2010.
2.3.0: August 11, 2011
Bug fix: when preserving existing encryption on encrypted files with cleartext metadata, older qpdf versions
would generate password-protected files with no valid password. This operation now works. This bug only
affected files created by copying existing encryption parameters; explicit encryption with specification of
cleartext metadata worked before and continues to work.
Enhance QPDFWriter with a new constructor that allows you to delay the specification of the output file.
When using this constructor, you may now call QPDFWriter::setOutputFilename to specify the output file,
or you may use QPDFWriter::setOutputMemory to cause QPDFWriter to write the resulting PDF file to a
memory buffer. You may then use QPDFWriter::getBuffer to retrieve the memory buffer.
Add new API call QPDF::replaceObject for replacing objects by object ID
Add new API call QPDF::swapObjects for swapping two objects by object ID
33
Release Notes
34
Release Notes
Add new method in QPDFObjectHandle: replaceOrRemoveKey, which replaces a dictionary key with a
given value unless the value is null, in which case it removes the key instead.
Add new method in QPDFObjectHandle: getRawStreamData, which returns the raw (unfiltered) stream data
into a buffer. This complements the getStreamData method, which returns the filtered (uncompressed) stream
data and can only be used when the stream's data is filterable.
Provide two new examples: pdf-double-page-size and pdf-invert-images that illustrate the newly added
interfaces.
Fix a memory leak that would cause loss of a few bytes for every object involved in a cycle of object references.
Thanks to Jian Ma for calling my attention to the leak.
2.1.5: April 25, 2010
Remove restriction of file identifier strings to 16 bytes. This unnecessary restriction was preventing qpdf from
being able to encrypt or decrypt files with identifier strings that were not exactly 16 bytes long. The specification
imposes no such restriction.
2.1.4: April 18, 2010
Apply the same padding calculation fix from version 2.1.2 to the main cross reference stream as well.
Since qpdf --check only performs limited checks, clarify the output to make it clear that there still may be
errors that qpdf can't check. This should make it less surprising to people when another PDF reader is unable
to read a file that qpdf thinks is okay.
2.1.3: March 27, 2010
Fix bug that could cause a failure when rewriting PDF files that contain object streams with unreferenced objects
that in turn reference indirect scalars.
Don't complain about (invalid) AES streams that aren't a multiple of 16 bytes. Instead, pad them before
decrypting.
2.1.2: January 24, 2010
Fix bug in padding around first half cross reference stream in linearized files. The bug could cause an assertion
failure when linearizing certain unlucky files.
2.1.1: December 14, 2009
No changes in functionality; insert missing include in an internal library header file to support gcc 4.4, and
update test suite to ignore broken Adobe Reader installations.
2.1: October 30, 2009
This is the first version of qpdf to include Windows support. On Windows, it is possible to build a DLL.
Additionally, a partial C-language API has been introduced, which makes it possible to call qpdf functions
from non-C++ environments. I am very grateful to Zarko Gagic (http://delphi.about.com/) for tirelessly testing
numerous pre-release versions of this DLL and providing many excellent suggestions on improving the
interface.
For programming to the C interface, please see the header file qpdf/qpdf-c.h and the example examples/pdflinearize.c.
Zarko Gajic has written a Delphi wrapper for qpdf, which can be downloaded from qpdf's download side.
Zarko's Delphi wrapper is released with the same licensing terms as qpdf itself and comes with this disclaimer:
35
Release Notes
Delphi wrapper unit qpdf.pas created by Zarko Gajic (http://delphi.about.com/). Use at your own risk and for
whatever purpose you want. No support is provided. Sample code is provided.
Support has been added for AES encryption and crypt filters. Although qpdf does not presently support files
that use PKI-based encryption, with the addition of AES and crypt filters, qpdf is now be able to open most
encrypted files created with newer versions of Acrobat or other PDF creation software. Note that I have not
been able to get very many files encrypted in this way, so it's possible there could still be some cases that qpdf
can't handle. Please report them if you find them.
Many error messages have been improved to include more information in hopes of making qpdf a more useful
tool for PDF experts to use in manually recovering damaged PDF files.
Attempt to avoid compressing metadata streams if possible. This is consistent with other PDF creation
applications.
Provide new command-line options for AES encrypt, cleartext metadata, and setting the minimum and forced
PDF versions of output files.
Add additional methods to the QPDF object for querying the document's permissions. Although qpdf does
not enforce these permissions, it does make them available so that applications that use qpdf can enforce
permissions.
The --check option to qpdf has been extended to include some additional information.
There have been a handful of non-compatible API changes. For details, see Appendix B, Upgrading from 2.0
to 2.1, page 38.
2.0.6: May 3, 2009
Do not attempt to uncompress streams that have decode parameters we don't recognize. Earlier versions of qpdf
would have rejected files with such streams.
2.0.5: March 10, 2009
Improve error handling in the LZW decoder, and fix a small error introduced in the previous version with regard
to handling full tables. The LZW decoder has been more strongly verified in this release.
2.0.4: February 21, 2009
Include proper support for LZW streams encoded without the early code change flag. Special thanks to Atom
Smasher who reported the problem and provided an input file compressed in this way, which I did not previously
have.
Implement some improvements to file recovery logic.
2.0.3: February 15, 2009
Compile cleanly with gcc 4.4.
Handle strings encoded as UTF-16BE properly.
2.0.2: June 30, 2008
Update test suite to work properly with a non-bash /bin/sh and with Perl 5.10. No changes were made to the
actual qpdf source code itself for this release.
36
Release Notes
37
38
39
40