Detect JSON object whose value is an indirect object

Jay Berkenbilt
1 parent 7ae095fa
Showing 6 changed files with 77 additions and 1 deletions
fuzz/json_fuzzer_seed_corpus/7865f715436bd6c3cdb6b073fcb44b297cb98097
fuzz/qtest/fuzz.test
libqpdf/QPDF_json.cc
qpdf/qtest/qpdf-json.test
qpdf/qtest/qpdf/qjson-object-value-indirect.json
qpdf/qtest/qpdf/qjson-object-value-indirect.out
+{"qpdf":[{},{"obj:1 0 R":{"value":"2 0 R"
 \ No newline at end of file
@@ -16,7 +16,7 @@ my @fuzzers = (
     ['dct' => 1],
     ['flate' => 1],
     ['hex' => 1],
-    ['json' => 38],
+    ['json' => 39],
     ['lzw' => 2],
     ['pngpredictor' => 1],
     ['runlength' => 6],
@@ -441,6 +441,10 @@ QPDF::JSONReactor::containerEnd(JSON const&amp; value)
 void
 QPDF::JSONReactor::replaceObject(QPDFObjectHandle&& replacement, JSON const& value)
 {
+    if (replacement.isIndirect()) {
+        error(replacement.getParsedOffset(), "the value of an object may not be an indirect object reference");
+        return;
+    }
     auto& tos = stack.back();
     auto og = tos.object.getObjGen();
     this->pdf.replaceObject(og, replacement);
@@ -28,6 +28,7 @@ my @badfiles = (
     'objects-not-dict',
     'bad-object-key',
     'object-not-dict',
+    'object-value-indirect',
     'stream-not-dict',
     'stream-dict-not-dict',
     'trailer-not-dict',
+{
+  "qpdf": [
+    {
+      "jsonversion": 2,
+      "pdfversion": "1.3",
+      "maxobjectid": 6
+    },
+    {
+      "obj:1 0 R": {
+        "value": "2 0 R"
+      },
+      "obj:2 0 R": {
+        "value": {
+          "/Count": 1,
+          "/Kids": [
+            "3 0 R"
+          ],
+          "/Type": "/Pages"
+        }
+      },
+      "obj:3 0 R": {
+        "value": {
+          "/Contents": "4 0 R",
+          "/MediaBox": [
+            0,
+            0,
+            612,
+            792
+          ],
+          "/Parent": "2 0 R",
+          "/Resources": {
+            "/Font": {
+              "/F1": "6 0 R"
+            },
+            "/ProcSet": "5 0 R"
+          },
+          "/Type": "/Page"
+        }
+      },
+      "obj:4 0 R": {
+        "stream": {
+          "data": "QlQKICAvRjEgMjQgVGYKICA3MiA3MjAgVGQKICAoUG90YXRvKSBUagpFVAo=",
+          "dict": {}
+        }
+      },
+      "obj:5 0 R": {
+        "value": [
+          "/PDF",
+          "/Text"
+        ]
+      },
+      "obj:6 0 R": {
+        "value": {
+          "/BaseFont": "/Helvetica",
+          "/Encoding": "/WinAnsiEncoding",
+          "/Subtype": "/Type1",
+          "/Type": "/Font"
+        }
+      },
+      "trailer": {
+        "value": {
+          "/Root": "1 0 R",
+          "/Size": 7
+        }
+      }
+    }
+  ]
+}
+WARNING: qjson-object-value-indirect.json (obj:1 0 R): the value of an object may not be an indirect object reference
+qpdf: qjson-object-value-indirect.json: errors found in JSON