Commit 542a4282da0b0b867fb14794e1714e95a02b5c0b
Committed by
GitHub
Merge pull request #1344 from m-holger/fuzz
Fix bugs found during fuzzing
Showing
9 changed files
with
11 additions
and
2 deletions
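--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -146,7 +146,11 @@ set(CORPUS_OTHER
 99999e.fuzz
 369662293.fuzz
 369662293a.fuzz
+376305073.fuzz
 377977949.fuzz
+389339260.fuzz
+389974979.fuzz
+391974927.fuzz
 )
 
 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)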
fuzz/qpdf_extra/376305073.fuzz
0 → 100644
fuzz/qpdf_extra/389339260.fuzz
0 → 100644
fuzz/qpdf_extra/389974979.fuzz
0 → 100644
fuzz/qpdf_extra/391974927.fuzz
0 → 100644
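--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');
 
 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
 
-my $n_qpdf_files = 84; # increment when adding new files
+my $n_qpdf_files = 88; # increment when adding new files
 
 my @fuzzers = (
 ['ascii85' => 1],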
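--- a/libqpdf/Pl_ASCII85Decoder.cc
+++ b/libqpdf/Pl_ASCII85Decoder.cc
@@ -58,6 +58,7 @@ Pl_ASCII85Decoder::write(unsigned char const* buf, size_t len)
 
 default:
 if ((buf[i] < 33) || (buf[i] > 117)) {
+error = true;
 throw std::runtime_error("character out of range during base 85 decode");
 } else {
 this->inbuf[this->pos++] = buf[i];
@@ -103,6 +104,9 @@ Pl_ASCII85Decoder::flush()
 void
 Pl_ASCII85Decoder::finish()
 {
+if (error) {
+return;
+}
 flush();
 next()->finish();
 }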
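Review bot: finish() now skips both flush() and next()->finish() whenever error is set, but the flag is raised only on the out-of-range branch at new line 61; the rest of write() and the body of flush() lie outside these hunks, so any other exception thrown on the write path would presumably leave error false and finish() would still push the partially filled inbuf downstream. If the intent is that a decoder that has already thrown must never flush, it is worth setting the flag on every failure path, or at least noting in the header why only this one is covered. The early return also deserves a why-comment so the next reader does not "fix" it back, e.g. `// a decode error leaves inbuf/pos in an undefined state; do not flush it or finish the downstream pipeline`, with the exact reason confirmed against the fuzz cases added in this commit.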
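--- a/libqpdf/QPDFOutlineObjectHelper.cc
+++ b/libqpdf/QPDFOutlineObjectHelper.cc
@@ -25,7 +25,7 @@ QPDFOutlineObjectHelper::QPDFOutlineObjectHelper(
 
 QPDFObjGen::set children;
 QPDFObjectHandle cur = oh.getKey("/First");
-while (!cur.isNull() && children.add(cur)) {
+while (!cur.isNull() && cur.isIndirect() && children.add(cur)) {
 QPDFOutlineObjectHelper new_ooh(cur, dh, 1 + depth);
 new_ooh.m->parent = std::make_shared<QPDFOutlineObjectHelper>(*this);
 m->kids.push_back(new_ooh);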
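Review bot: The added `cur.isIndirect()` test makes the kids loop stop silently as soon as a /First item (or a later sibling, reached by the advance that lies outside this hunk) is a direct object, so a malformed outline tree is truncated with no diagnostic. Since `children` is a `QPDFObjGen::set` (line 26), a direct object has no meaningful object/generation pair to record for cycle detection, which presumably is why it has to be excluded; that reasoning should be stated on the line, e.g. `// only indirect items are followed: children tracks ObjGen, which a direct object does not carry`, confirmed against the fuzz input that motivated the change. Consider also emitting a warning for the skipped item so that callers can tell a truncated outline from a complete one. The constructor's remaining body is outside the hunk.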
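--- a/libqpdf/qpdf/Pl_ASCII85Decoder.hh
+++ b/libqpdf/qpdf/Pl_ASCII85Decoder.hh
@@ -17,6 +17,7 @@ class Pl_ASCII85Decoder final: public Pipeline
 unsigned char inbuf[5]{117, 117, 117, 117, 117};
 size_t pos{0};
 size_t eod{0};
+bool error{false};
 };
 
 #endif // PL_ASCII85DECODER_HH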
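Review bot: The new `error` member is undocumented, and its contract is only discoverable by reading the two call sites in Pl_ASCII85Decoder.cc. A one-line comment would keep the header self-describing: `bool error{false}; // set by write() when it rejects input; finish() is then a no-op and nothing is flushed downstream`. Note the flag is sticky — nothing on this page resets it — so a pipeline instance cannot be reused after a failed decode; stating that here is useful, or hedge it if reuse is not a supported scenario anyway.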