OpenSystemsDevelopment / qpdf

Commit 43fa1b27556c64c13f43198876ce7a05069124a2

Authored by m-holger
1 parent 671b6e2e

Refine QPDFParser error handling 

Fail if a bad token is encountered while parsing an array or dictionary
with more than 100,000 elements.

Fixes oss-fuzz case 388571629.
Inline Side-by-side
Showing 4 changed files with 7 additions and 1 deletions
fuzz/CMakeLists.txt
  View file @43fa1b2
@@ -149,6 +149,7 @@ set(CORPUS_OTHER @@ -149,6 +149,7 @@ set(CORPUS_OTHER
149 376305073.fuzz 149 376305073.fuzz
150 376305073a.fuzz 150 376305073a.fuzz
151 377977949.fuzz 151 377977949.fuzz
  152 + 388571629.fuzz
152 389339260.fuzz 153 389339260.fuzz
153 389974979.fuzz 154 389974979.fuzz
154 391974927.fuzz 155 391974927.fuzz
fuzz/qpdf_extra/388571629.fuzz 0 → 100644
View file @43fa1b2
No preview for this file type
fuzz/qtest/fuzz.test
  View file @43fa1b2
@@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz'); @@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');
11 11
12 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS"; 12 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
13 13
14 -my $n_qpdf_files = 90; # increment when adding new files 14 +my $n_qpdf_files = 91; # increment when adding new files
15 15
16 my @fuzzers = ( 16 my @fuzzers = (
17 ['ascii85' => 1], 17 ['ascii85' => 1],
libqpdf/QPDFParser.cc
  View file @43fa1b2
@@ -470,6 +470,11 @@ bool @@ -470,6 +470,11 @@ bool
470 QPDFParser::tooManyBadTokens() 470 QPDFParser::tooManyBadTokens()
471 { 471 {
472 if (--max_bad_count > 0 && good_count > 4) { 472 if (--max_bad_count > 0 && good_count > 4) {
  473 + if (frame->olist.size() > 100'000 || frame->dict.size() > 100'000) {
  474 + warn("encountered errors while parsing an array or dictionary with more than 100000 "
  475 + "elements; giving up on reading object");
  476 + return true;
  477 + }
473 good_count = 0; 478 good_count = 0;
474 bad_count = 1; 479 bad_count = 1;
475 return false; 480 return false;