Commit 2cb2412fbff6f91bdda2e86d40107ab5c5c96a48

Authored by m-holger
Committed by GitHub
2 parents 529501aa c2ff89ae

Merge pull request #1294 from m-holger/fuzz

Add additional xref and object stream sanity checks
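--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -146,6 +146,9 @@ set(CORPUS_OTHER
 99999b.fuzz
 99999c.fuzz
 99999d.fuzz
+99999e.fuzz
+369662293.fuzz
+369662293a.fuzz
 )
 
 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)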
fuzz/qpdf_extra/369662293.fuzz 0 → 100644
fuzz/qpdf_extra/369662293a.fuzz 0 → 100644
fuzz/qpdf_extra/99999e.fuzz 0 → 100644
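--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');
 
 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
 
-my $n_qpdf_files = 83; # increment when adding new files
+my $n_qpdf_files = 86; # increment when adding new files
 
 my @fuzzers = (
 ['ascii85' => 1],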
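--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -1295,6 +1295,9 @@ QPDF::Xref_table::process_stream(qpdf_offset_t xref_offset, QPDFObjectHandle& xr
 
 if (!trailer_) {
 trailer_ = dict;
+if (size > toS(max_id_)) {
+throw damaged("Cross-reference stream /Size entry is impossibly large");
+}
 table.resize(size);
 }
 
@@ -2061,6 +2064,7 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
 (m->file->getName() + " object stream " + std::to_string(obj_stream_number)),
 bp.get()));
 
+qpdf_offset_t last_offset = -1;
 for (int i = 0; i < n; ++i) {
 QPDFTokenizer::Token tnum = readToken(*input);
 QPDFTokenizer::Token toffset = readToken(*input);
@@ -2086,6 +2090,15 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
 "object stream claims to contain itself"));
 continue;
 }
+if (offset <= last_offset) {
+throw damagedPDF(
+*input,
+m->last_object_description,
+input->getLastOffset(),
+"expected offsets in object stream to be increasing");
+}
+last_offset = offset;
+
 offsets[num] = toI(offset + first);
 }
 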
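Review bot: The new `offset <= last_offset` guard in the third hunk of resolveObjectsInStream treats any non-ascending offset pair as damage, which also covers a header whose pairs are merely listed out of order; nothing in these lines establishes that the object stream format requires ascending offsets, so that assumption is worth confirming against the specification and recording on the guard, e.g. `// Offsets are relative to /First; the header is expected to list them in strictly increasing order, so a repeated or backwards offset cannot describe a distinct object.` Because last_offset starts at -1, the same check also rejects a negative first offset, but the error text does not say so; a second comment `// last_offset starts at -1, so this also rejects a negative first offset` would make the folded cases explicit to a reader of the message. The /Size bound in the first hunk deserves a similar one-line comment naming why max_id_ is the ceiling. Both enclosing function bodies start and continue outside the hunks.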