Add sanity check on trailer /Size entry

m-holger
1 parent 44a13951
Showing 5 changed files with 25 additions and 1 deletions
libqpdf/QPDF.cc
qpdf/qpdf.testcov
qpdf/qtest/qpdf/issue-fuzz.out
qpdf/qtest/qpdf/issue-fuzz.pdf
qpdf/qtest/specific-bugs.test
@@ -1057,7 +1057,10 @@ QPDF::Xref_table::process_section(qpdf_offset_t xref_offset)
             QTC::TC("qpdf", "QPDF trailer size not integer");
             throw qpdf.damagedPDF("trailer", "/Size key in trailer dictionary is not an integer");
         }
-
+        if (sz >= static_cast<unsigned int>(max_id_)) {
+            QTC::TC("qpdf", "QPDF trailer size impossibly large");
+            throw qpdf.damagedPDF("trailer", "/Size key in trailer dictionary is impossibly large");
+        }
         table.resize(sz);
     }
@@ -55,6 +55,7 @@ QPDF invalid xref entry 0
 QPDF missing trailer 0
 QPDF trailer lacks size 0
 QPDF trailer size not integer 0
+QPDF trailer size impossibly large 0
 QPDF trailer prev not integer 0
 QPDFParser bad brace 0
 QPDFParser bad brace in parseRemainder 0
+WARNING: issue-fuzz.pdf: can't find PDF header
+WARNING: issue-fuzz.pdf (xref table, offset 19): accepting invalid xref table entry
+WARNING: issue-fuzz.pdf (trailer, offset 36): unknown token while reading object; treating as string
+WARNING: issue-fuzz.pdf (trailer, offset 53): unexpected >
+WARNING: issue-fuzz.pdf (trailer, offset 54): unknown token while reading object; treating as string
+WARNING: issue-fuzz.pdf (trailer, offset 58): unknown token while reading object; treating as string
+WARNING: issue-fuzz.pdf (trailer, offset 72): unknown token while reading object; treating as string
+WARNING: issue-fuzz.pdf (trailer, offset 36): dictionary ended prematurely; using null as value for last key
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake1
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake2
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake3
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake4
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake5
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake6
+WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake7
+WARNING: issue-fuzz.pdf: file is damaged
+WARNING: issue-fuzz.pdf (trailer, offset 32): /Size key in trailer dictionary is impossibly large
+WARNING: issue-fuzz.pdf: Attempting to reconstruct cross-reference table
+qpdf: issue-fuzz.pdf: unable to find /Root dictionary
@@ -38,6 +38,7 @@ my @bug_tests = (
     ["263", "empty xref stream", 2],
     ["335a", "ozz-fuzz-12152", 2],
     ["335b", "ozz-fuzz-14845", 2],
+    ["fuzz", "impossibly large trailer /Size"],
 #    ["fuzz-16214", "stream in object stream", 3, "--preserve-unreferenced"],
     # When adding to this list, consider adding to CORPUS_FROM_TEST in
     # fuzz/CMakeLists.txt and updating the count in