OpenSystemsDevelopment / qpdf

Commit 2cb2412fbff6f91bdda2e86d40107ab5c5c96a48

Authored by m-holger
Committed by GitHub
2 parents 529501aa c2ff89ae

Merge pull request #1294 from m-holger/fuzz 

Add additional xref and object stream sanity checks
Inline Side-by-side
Showing 6 changed files with 17 additions and 1 deletions
fuzz/CMakeLists.txt
  View file @2cb2412
... ... @@ -146,6 +146,9 @@ set(CORPUS_OTHER
146 146 99999b.fuzz
147 147 99999c.fuzz
148 148 99999d.fuzz
  149 + 99999e.fuzz
  150 + 369662293.fuzz
  151 + 369662293a.fuzz
149 152 )
150 153  
151 154 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)
... ...
fuzz/qpdf_extra/369662293.fuzz 0 โ†’ 100644
View file @2cb2412
No preview for this file type
fuzz/qpdf_extra/369662293a.fuzz 0 โ†’ 100644
View file @2cb2412
No preview for this file type
fuzz/qpdf_extra/99999e.fuzz 0 โ†’ 100644
View file @2cb2412
No preview for this file type
fuzz/qtest/fuzz.test
  View file @2cb2412
... ... @@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');
11 11  
12 12 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
13 13  
14   -my $n_qpdf_files = 83; # increment when adding new files
  14 +my $n_qpdf_files = 86; # increment when adding new files
15 15  
16 16 my @fuzzers = (
17 17 ['ascii85' => 1],
... ...
libqpdf/QPDF.cc
  View file @2cb2412
... ... @@ -1295,6 +1295,9 @@ QPDF::Xref_table::process_stream(qpdf_offset_t xref_offset, QPDFObjectHandle& xr
1295 1295  
1296 1296 if (!trailer_) {
1297 1297 trailer_ = dict;
  1298 + if (size > toS(max_id_)) {
  1299 + throw damaged("Cross-reference stream /Size entry is impossibly large");
  1300 + }
1298 1301 table.resize(size);
1299 1302 }
1300 1303  
... ... @@ -2061,6 +2064,7 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
2061 2064 (m->file->getName() + " object stream " + std::to_string(obj_stream_number)),
2062 2065 bp.get()));
2063 2066  
  2067 + qpdf_offset_t last_offset = -1;
2064 2068 for (int i = 0; i < n; ++i) {
2065 2069 QPDFTokenizer::Token tnum = readToken(*input);
2066 2070 QPDFTokenizer::Token toffset = readToken(*input);
... ... @@ -2086,6 +2090,15 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
2086 2090 "object stream claims to contain itself"));
2087 2091 continue;
2088 2092 }
  2093 + if (offset <= last_offset) {
  2094 + throw damagedPDF(
  2095 + *input,
  2096 + m->last_object_description,
  2097 + input->getLastOffset(),
  2098 + "expected offsets in object stream to be increasing");
  2099 + }
  2100 + last_offset = offset;
  2101 +
2089 2102 offsets[num] = toI(offset + first);
2090 2103 }
2091 2104  
... ...