diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt
index 9a30b3b..025a18c 100644
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -154,6 +154,7 @@ set(CORPUS_OTHER
   389974979.fuzz
   391974927.fuzz
   394129398.fuzz
+  394463491.fuzz
 )
 
 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)
diff --git a/fuzz/qpdf_extra/394463491.fuzz b/fuzz/qpdf_extra/394463491.fuzz
new file mode 100644
index 0000000..7a74fe3
--- /dev/null
+++ b/fuzz/qpdf_extra/394463491.fuzz
diff --git a/fuzz/qtest/fuzz.test b/fuzz/qtest/fuzz.test
index 9a784d1..eb943c5 100644
--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');
 
 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
 
-my $n_qpdf_files = 91; # increment when adding new files
+my $n_qpdf_files = 92; # increment when adding new files
 
 my @fuzzers = (
     ['ascii85' => 1],
diff --git a/libqpdf/SF_FlateLzwDecode.cc b/libqpdf/SF_FlateLzwDecode.cc
index d7b8c48..433d585 100644
--- a/libqpdf/SF_FlateLzwDecode.cc
+++ b/libqpdf/SF_FlateLzwDecode.cc
@@ -14,6 +16,8 @@ SF_FlateLzwDecode::setDecodeParms(QPDFObjectHandle decode_parms)
         return true;
     }
 
+    auto memory_limit = Pl_Flate::memory_limit();
+
     std::set keys = decode_parms.getKeys();
     for (auto const& key: keys) {
         QPDFObjectHandle value = decode_parms.getKey(key);
@@ -29,6 +31,11 @@ SF_FlateLzwDecode::setDecodeParms(QPDFObjectHandle decode_parms)
             }
         } else if (key == "/Columns" || key == "/Colors" || key == "/BitsPerComponent") {
             if (value.isInteger()) {
                 int val = value.getIntValueAsInt();
+                if (memory_limit && static_cast(val) > memory_limit) {
+                    QPDFLogger::defaultLogger()->warn(
+                        "SF_FlateLzwDecode parameter exceeds PL_Flate memory limit\n");
+                    return false;
+                }
                 if (key == "/Columns") {
                     columns = val;
                 } else if (key == "/Colors") {
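Review bot: `memory_limit` is read once in the first SF_FlateLzwDecode.cc hunk and never modified afterwards, so `const auto memory_limit = Pl_Flate::memory_limit();` states that intent, and since this value is what the later comparison converts `val` into, spelling out its type (or adding a one-line comment naming it) would make the later cast reviewable without opening Pl_Flate. setDecodeParms begins before this hunk, so the function's preamble is not visible here.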
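Review bot: The new bound in the second SF_FlateLzwDecode.cc hunk rejects `/Columns`, `/Colors` and `/BitsPerComponent` only one at a time against `memory_limit`, so three values each below the limit can still combine to a row size well above it if, as the key names suggest, the decoder later sizes a buffer from their product; it is worth confirming whether the downstream predictor pipeline enforces the limit itself or whether a combined check belongs here, and a comment stating which one holds would help the next reader. The warning text names `PL_Flate` while the limit comes from `Pl_Flate::memory_limit()`, and it omits the offending key and value, so a message such as `"SF_FlateLzwDecode parameter exceeds Pl_Flate memory limit\n"` extended with the key would be both consistent and actionable. The page has lost the template argument of the cast (it shows `static_cast(val)`), so the target type cannot be read here; if it is an unsigned type, a negative `val` converts to a large value and is rejected by this check, which may well be intended but deserves a comment since the existing code accepted it. setDecodeParms continues past the end of this hunk.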