Commit 2eefa580aa0ecf70ae3864d5c47e728480055c38
Committed by
GitHub
Merge pull request #1200 from m-holger/fuzz
Fix QPDF::tableSize
Showing
1 changed file
with
7 additions
and
0 deletions
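--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -2391,6 +2391,13 @@ QPDF::tableSize()
     // objects.
     auto max_xref = m->xref_table.size() ? m->xref_table.crbegin()->first.getObj() : 0;
     auto max_obj = m->obj_cache.size() ? m->obj_cache.crbegin()->first.getObj() : 0;
+    auto max_id = std::numeric_limits<int>::max() - 1;
+    if (max_obj >= max_id || max_xref >= max_id) {
+        // Temporary fix. Long-term solution is
+        // - QPDFObjGen to enforce objgens are valid and sensible
+        // - xref table and obj cache to protect against insertion of impossibly large obj ids
+        stopOnError("Impossibly large object id encountered.");
+    }
     if (max_obj < 1.1 * std::max(toI(m->obj_cache.size()), max_xref)) {
         return toS(++max_obj);
     }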
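Review bot: The guard added at the top of this hunk only keeps `++max_obj` (and presumably a matching increment of `max_xref` after the hunk ends) from overflowing `int`. An object id just below `std::numeric_limits<int>::max() - 1` still passes and is returned as the table size. If callers size containers from that value, a crafted file can still drive a very large allocation, so the comment should state the limit of the check, for example `// Only prevents int overflow in the increments below; does not bound the returned table size.` The hunk does not show whether `<limits>` is included in QPDF.cc, so confirm it is included directly rather than transitively. The body of `QPDF::tableSize()` starts before and continues past this hunk.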