Fix loop detection error (fuzz issue 23172)

Jay Berkenbilt
1 parent 6cc9489f
Showing 5 changed files with 17 additions and 9 deletions
ChangeLog
TODO
fuzz/qpdf_extra/23172.fuzz
include/qpdf/QPDF.hh
libqpdf/QPDF_optimization.cc
+2020-10-22  Jay Berkenbilt  <ejb@ql.org>
+
+	* Fix loop detection problem when traversing page thumbnails
+	during optimization (fuzz issue 23172).
+
 2020-10-21  Jay Berkenbilt  <ejb@ql.org>
  
 	* Bug fix: properly handle copying foreign streams that have
@@ -65,7 +65,6 @@ Fuzz Errors
 * https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=<N>
  
 * New:
-  * 23172: stack overflow (https://oss-fuzz.com/testcase-detail/5719543787028480)
   * 23599: integer overflow: https://oss-fuzz.com/testcase?key=6290807920525312
   * 23642: leak: https://oss-fuzz.com/testcase-detail/4906569690251264
  
@@ -1341,7 +1341,8 @@ class QPDF
         std::set<QPDFObjGen>& visited);
     void updateObjectMaps(ObjUser const& ou, QPDFObjectHandle oh);
     void updateObjectMapsInternal(ObjUser const& ou, QPDFObjectHandle oh,
-				  std::set<QPDFObjGen>& visited, bool top);
+				  std::set<QPDFObjGen>& visited, bool top,
+                                  int depth);
     void filterCompressedObjects(std::map<int, int> const& object_stream_data);
  
     // Type conversion helper methods
@@ -354,12 +354,13 @@ void
 QPDF::updateObjectMaps(ObjUser const& ou, QPDFObjectHandle oh)
 {
     std::set<QPDFObjGen> visited;
-    updateObjectMapsInternal(ou, oh, visited, true);
+    updateObjectMapsInternal(ou, oh, visited, true, 0);
 }
  
 void
 QPDF::updateObjectMapsInternal(ObjUser const& ou, QPDFObjectHandle oh,
-			       std::set<QPDFObjGen>& visited, bool top)
+			       std::set<QPDFObjGen>& visited, bool top,
+                               int depth)
 {
     // Traverse the object tree from this point taking care to avoid
     // crossing page boundaries.
@@ -397,7 +398,8 @@ QPDF::updateObjectMapsInternal(ObjUser const&amp; ou, QPDFObjectHandle oh,
 	int n = oh.getArrayNItems();
 	for (int i = 0; i < n; ++i)
 	{
-	    updateObjectMapsInternal(ou, oh.getArrayItem(i), visited, false);
+	    updateObjectMapsInternal(
+                ou, oh.getArrayItem(i), visited, false, 1 + depth);
 	}
     }
     else if (oh.isDictionary() || oh.isStream())
@@ -417,8 +419,9 @@ QPDF::updateObjectMapsInternal(ObjUser const&amp; ou, QPDFObjectHandle oh,
 	    {
 		// Traverse page thumbnail dictionaries as a special
 		// case.
-		updateObjectMaps(ObjUser(ObjUser::ou_thumb, ou.pageno),
-				 dict.getKey(key));
+		updateObjectMapsInternal(
+                    ObjUser(ObjUser::ou_thumb, ou.pageno),
+                    dict.getKey(key), visited, false, 1 + depth);
 	    }
 	    else if (is_page_node && (key == "/Parent"))
 	    {
@@ -426,8 +429,8 @@ QPDF::updateObjectMapsInternal(ObjUser const&amp; ou, QPDFObjectHandle oh,
 	    }
 	    else
 	    {
-		updateObjectMapsInternal(ou, dict.getKey(key),
-					 visited, false);
+		updateObjectMapsInternal(
+                    ou, dict.getKey(key), visited, false, 1 + depth);
 	    }
 	}
     }