Refine QPDFParser error handling

Fail if a bad token is encountered while parsing an array or dictionary with more than 100,000 elements. Fixes oss-fuzz case 388571629.

Refine QPDFParser error handling
Fail if a bad token is encountered while parsing an array or dictionary with more than 100,000 elements. Fixes oss-fuzz case 388571629.
m-holger
1 parent 671b6e2e
Showing 4 changed files with 7 additions and 1 deletions
fuzz/CMakeLists.txt
fuzz/qpdf_extra/388571629.fuzz
fuzz/qtest/fuzz.test
libqpdf/QPDFParser.cc
@@ -149,6 +149,7 @@ set(CORPUS_OTHER
   376305073.fuzz
   376305073a.fuzz
   377977949.fuzz
+  388571629.fuzz
   389339260.fuzz
   389974979.fuzz
   391974927.fuzz
@@ -11,7 +11,7 @@ my $td = new TestDriver(&#39;fuzz&#39;);
  
 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
  
-my $n_qpdf_files = 90;       # increment when adding new files
+my $n_qpdf_files = 91;       # increment when adding new files
  
 my @fuzzers = (
     ['ascii85' => 1],
@@ -470,6 +470,11 @@ bool
 QPDFParser::tooManyBadTokens()
 {
     if (--max_bad_count > 0 && good_count > 4) {
+        if (frame->olist.size() > 100'000 || frame->dict.size() > 100'000) {
+            warn("encountered errors while parsing an array or dictionary with more than 100000 "
+                 "elements; giving up on reading object");
+            return true;
+        }
         good_count = 0;
         bad_count = 1;
         return false;