Refine QPDFParser error handling

#1349 introduced a limit on the maximum size of arrays and dictionaries contained in objects that generate errors during parsing, and #1354 reduced that limit to 5000 objects. However, the limit was only imposed once a further error was encountered. Stop adding objects to containers once the limit is reached. Fixes oss-fuzz issue 398060137

Refine QPDFParser error handling
#1349 introduced a limit on the maximum size of arrays and dictionaries contained in objects that generate errors during parsing, and #1354 reduced that limit to 5000 objects. However, the limit was only imposed once a further error was encountered. Stop adding objects to containers once the limit is reached. Fixes oss-fuzz issue 398060137
m-holger
1 parent 33b639a0
Showing 5 changed files with 20 additions and 2 deletions
fuzz/CMakeLists.txt
fuzz/qpdf_extra/398060137.fuzz
fuzz/qtest/fuzz.test
libqpdf/QPDFParser.cc
libqpdf/qpdf/QPDFParser.hh
@@ -155,6 +155,7 @@ set(CORPUS_OTHER
   391974927.fuzz
   394129398.fuzz
   394463491.fuzz
+  398060137.fuzz
 )
  
 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)
@@ -11,7 +11,7 @@ my $td = new TestDriver(&#39;fuzz&#39;);
  
 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
  
-my $n_qpdf_files = 92;       # increment when adding new files
+my $n_qpdf_files = 93;       # increment when adding new files
  
 my @fuzzers = (
     ['ascii85' => 1],
@@ -215,6 +215,11 @@ QPDFParser::parseRemainder(bool content_stream)
             continue;
  
         case QPDFTokenizer::tt_array_close:
+            if (bad_count && !max_bad_count) {
+                // Trigger warning.
+                (void)tooManyBadTokens();
+                return {QPDF_Null::create()};
+            }
             if (frame->state == st_array) {
                 auto object = QPDF_Array::create(std::move(frame->olist), frame->null_count > 100);
                 setDescription(object, frame->offset - 1);
@@ -239,6 +244,11 @@ QPDFParser::parseRemainder(bool content_stream)
             continue;
  
         case QPDFTokenizer::tt_dict_close:
+            if (bad_count && !max_bad_count) {
+                // Trigger warning.
+                (void)tooManyBadTokens();
+                return {QPDF_Null::create()};
+            }
             if (frame->state <= st_dictionary_value) {
                 // Attempt to recover more or less gracefully from invalid dictionaries.
                 auto& dict = frame->dict;
@@ -419,6 +429,12 @@ template &lt;typename T, typename... Args&gt;
 void
 QPDFParser::addScalar(Args&&... args)
 {
+    if (bad_count && (frame->olist.size() > 5'000 || frame->dict.size() > 5'000)) {
+        // Stop adding scalars. We are going to abort when the close token or a bad token is
+        // encountered.
+        max_bad_count = 0;
+        return;
+    }
     auto obj = T::create(args...);
     obj->setDescription(context, description, input.getLastOffset());
     add(std::move(obj));
@@ -83,7 +83,8 @@ class QPDFParser
  
     std::vector<StackFrame> stack;
     StackFrame* frame;
-    // Number of recent bad tokens.
+    // Number of recent bad tokens. This will always be > 0 once a bad token has been encountered as
+    // it only gets incremented or reset when a bad token is encountered.
     int bad_count{0};
     // Number of bad tokens (remaining) before giving up.
     int max_bad_count{15};