Commit 2eefa580aa0ecf70ae3864d5c47e728480055c38
Committed by
GitHub
Merge pull request #1200 from m-holger/fuzz
Fix QPDF::tableSize
Showing
1 changed file
with
7 additions
and
0 deletions
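--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -2391,6 +2391,13 @@ QPDF::tableSize()
 // objects.
 auto max_xref = m->xref_table.size() ? m->xref_table.crbegin()->first.getObj() : 0;
 auto max_obj = m->obj_cache.size() ? m->obj_cache.crbegin()->first.getObj() : 0;
+auto max_id = std::numeric_limits<int>::max() - 1;
+if (max_obj >= max_id || max_xref >= max_id) {
+// Temporary fix. Long-term solution is
+// - QPDFObjGen to enforce objgens are valid and sensible
+// - xref table and obj cache to protect against insertion of impossibly large obj ids
+stopOnError("Impossibly large object id encountered.");
+}
 if (max_obj < 1.1 * std::max(toI(m->obj_cache.size()), max_xref)) {
 return toS(++max_obj);
 }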
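Review bot: The new guard in QPDF::tableSize() only rejects object ids at `std::numeric_limits<int>::max() - 1` and above, so it covers the signed overflow in `return toS(++max_obj);` but an id read from the file that sits just below that limit still passes and becomes the returned table size. If callers size a container from this value (not visible here), a small malformed file could still ask for a table of roughly 2^31 entries; a bound tied to what the input can plausibly contain would close that gap, in line with the long-term direction the in-code comment already lists. Until then I would state the limit's purpose next to it, e.g. `// max_id only keeps the increment below from overflowing int; it is not a memory bound`. The rest of the function, including what is returned when the 1.1 test fails, lies outside the hunk, and `<limits>` must be included in this file if it is not already.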