Commit 21f176d374dd229401b5de5bf8a4cb89b10e1731
1 parent
44a13951
Add sanity check on trailer /Size entry
Showing
5 changed files
with
25 additions
and
1 deletions
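--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -1057,7 +1057,10 @@ QPDF::Xref_table::process_section(qpdf_offset_t xref_offset)
 QTC::TC("qpdf", "QPDF trailer size not integer");
 throw qpdf.damagedPDF("trailer", "/Size key in trailer dictionary is not an integer");
 }
-
+if (sz >= static_cast<unsigned int>(max_id_)) {
+QTC::TC("qpdf", "QPDF trailer size impossibly large");
+throw qpdf.damagedPDF("trailer", "/Size key in trailer dictionary is impossibly large");
+}
 table.resize(sz);
 }
 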
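Review bot: The bound `sz >= static_cast<unsigned int>(max_id_)` on the first added line needs a comment stating what max_id_ is relative to /Size, because /Size is defined as one more than the highest object number: if max_id_ is the highest object number the file can legitimately hold, a well-formed file at that limit has /Size == max_id_ + 1 and `>=` is off by one (`>` would be the exact bound), whereas if max_id_ is already an exclusive bound the check is right but a reader cannot tell from here. The declaration of sz sits above the hunk, so its signedness is not visible; if it is signed, a negative /Size converts to a large unsigned value and is rejected by this same comparison, which is the desired outcome but worth stating, e.g. `// A negative sz also fails here: it converts to a large unsigned value.`. This guard is what keeps a file-controlled /Size from driving the `table.resize(sz)` allocation below, and the issue-fuzz.out expectation shows the damagedPDF path degrading to xref reconstruction rather than aborting, so a one-line comment such as `// /Size sizes the xref table allocation below; reject values this file cannot hold before resizing.` would make the intent explicit. process_section begins and ends outside the hunk.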
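--- a/qpdf/qpdf.testcov
+++ b/qpdf/qpdf.testcov
@@ -55,6 +55,7 @@ QPDF invalid xref entry 0
 QPDF missing trailer 0
 QPDF trailer lacks size 0
 QPDF trailer size not integer 0
+QPDF trailer size impossibly large 0
 QPDF trailer prev not integer 0
 QPDFParser bad brace 0
 QPDFParser bad brace in parseRemainder 0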
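--- /dev/null
+++ b/qpdf/qtest/qpdf/issue-fuzz.out
@@ -0,0 +1,19 @@
+WARNING: issue-fuzz.pdf: can't find PDF header
+WARNING: issue-fuzz.pdf (xref table, offset 19): accepting invalid xref table entry
+WARNING: issue-fuzz.pdf (trailer, offset 36): unknown token while reading object; treating as string
+WARNING: issue-fuzz.pdf (trailer, offset 53): unexpected >
+WARNING: issue-fuzz.pdf (trailer, offset 54): unknown token while reading object; treating as string
+WARNING: issue-fuzz.pdf (trailer, offset 58): unknown token while reading object; treating as string
+WARNING: issue-fuzz.pdf (trailer, offset 72): unknown token while reading object; treating as string
+WARNING: issue-fuzz.pdf (trailer, offset 36): dictionary ended prematurely; using null as value for last key
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake1
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake2
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake3
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake4
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake5
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake6
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake7
+WARNING: issue-fuzz.pdf: file is damaged
+WARNING: issue-fuzz.pdf (trailer, offset 32): /Size key in trailer dictionary is impossibly large
+WARNING: issue-fuzz.pdf: Attempting to reconstruct cross-reference table
+qpdf: issue-fuzz.pdf: unable to find /Root dictionary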
qpdf/qtest/qpdf/issue-fuzz.pdf
0 → 100644
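--- a/qpdf/qtest/specific-bugs.test
+++ b/qpdf/qtest/specific-bugs.test
@@ -38,6 +38,7 @@ my @bug_tests = (
 ["263", "empty xref stream", 2],
 ["335a", "ozz-fuzz-12152", 2],
 ["335b", "ozz-fuzz-14845", 2],
+["fuzz", "impossibly large trailer /Size"],
 # ["fuzz-16214", "stream in object stream", 3, "--preserve-unreferenced"],
 # When adding to this list, consider adding to CORPUS_FROM_TEST in
 # fuzz/CMakeLists.txt and updating the count in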