diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index e9802b5..5a38ec9 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -1057,7 +1057,10 @@ QPDF::Xref_table::process_section(qpdf_offset_t xref_offset)
 QTC::TC("qpdf", "QPDF trailer size not integer");
 throw qpdf.damagedPDF("trailer", "/Size key in trailer dictionary is not an integer");
 }
-
+ if (sz >= static_cast(max_id_)) {
+ QTC::TC("qpdf", "QPDF trailer size impossibly large");
+ throw qpdf.damagedPDF("trailer", "/Size key in trailer dictionary is impossibly large");
+ }
 table.resize(sz);
 }
diff --git a/qpdf/qpdf.testcov b/qpdf/qpdf.testcov
index b66ba83..25e4dd7 100644
--- a/qpdf/qpdf.testcov
+++ b/qpdf/qpdf.testcov
@@ -55,6 +55,7 @@ QPDF invalid xref entry 0
 QPDF missing trailer 0
 QPDF trailer lacks size 0
 QPDF trailer size not integer 0
+QPDF trailer size impossibly large 0
 QPDF trailer prev not integer 0
 QPDFParser bad brace 0
 QPDFParser bad brace in parseRemainder 0
diff --git a/qpdf/qtest/qpdf/issue-fuzz.out b/qpdf/qtest/qpdf/issue-fuzz.out
new file mode 100644
index 0000000..456485b
--- /dev/null
+++ b/qpdf/qtest/qpdf/issue-fuzz.out
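Review bot: The new guard bounds `sz` only from above, so a negative /Size — possible if `sz` is a signed int, which the comparison against `static_cast<int>(max_id_)` suggests — still reaches `table.resize(sz)` and is converted to an enormous `size_t`, the same uncontrolled allocation this commit is trying to prevent; I would reject it in the same check: `if (sz < 0 || sz >= static_cast<int>(max_id_)) {`. Whether an earlier check already rejects negative values cannot be seen here, since `sz` is assigned and `process_section` begins above the hunk, and the value and initialization of `max_id_` are also outside it. The page shows `static_cast(max_id_)` with no template argument, presumably `<int>` lost in rendering, which is worth confirming against the actual commit. A one-line why-comment on the new check would help the next reader, e.g. `// A /Size beyond the largest representable object id cannot be honest; treat it as damage (triggers xref reconstruction) instead of resizing the table to it.`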
@@ -0,0 +1,19 @@
+WARNING: issue-fuzz.pdf: can't find PDF header
+WARNING: issue-fuzz.pdf (xref table, offset 19): accepting invalid xref table entry
+WARNING: issue-fuzz.pdf (trailer, offset 36): unknown token while reading object; treating as string
+WARNING: issue-fuzz.pdf (trailer, offset 53): unexpected >
+WARNING: issue-fuzz.pdf (trailer, offset 54): unknown token while reading object; treating as string
+WARNING: issue-fuzz.pdf (trailer, offset 58): unknown token while reading object; treating as string
+WARNING: issue-fuzz.pdf (trailer, offset 72): unknown token while reading object; treating as string
+WARNING: issue-fuzz.pdf (trailer, offset 36): dictionary ended prematurely; using null as value for last key
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake1
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake2
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake3
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake4
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake5
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake6
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake7
+WARNING: issue-fuzz.pdf: file is damaged
+WARNING: issue-fuzz.pdf (trailer, offset 32): /Size key in trailer dictionary is impossibly large
+WARNING: issue-fuzz.pdf: Attempting to reconstruct cross-reference table
+qpdf: issue-fuzz.pdf: unable to find /Root dictionary
diff --git a/qpdf/qtest/qpdf/issue-fuzz.pdf b/qpdf/qtest/qpdf/issue-fuzz.pdf
new file mode 100644
index 0000000..288a6b5
--- /dev/null
+++ b/qpdf/qtest/qpdf/issue-fuzz.pdf
diff --git a/qpdf/qtest/specific-bugs.test b/qpdf/qtest/specific-bugs.test
index 99a7e80..428471b 100644
--- a/qpdf/qtest/specific-bugs.test
+++ b/qpdf/qtest/specific-bugs.test
@@ -38,6 +38,7 @@ my @bug_tests = (
 ["263", "empty xref stream", 2],
 ["335a", "ozz-fuzz-12152", 2],
 ["335b", "ozz-fuzz-14845", 2],
+ ["fuzz", "impossibly large trailer /Size"],
 # ["fuzz-16214", "stream in object stream", 3, "--preserve-unreferenced"],
 # When adding to this list, consider adding to CORPUS_FROM_TEST in
 # fuzz/CMakeLists.txt and updating the count in