Merge pull request #1194 from m-holger/fuzz

Fix bugs in #1161

Merge pull request #1194 from m-holger/fuzz
Fix bugs in #1161
Jay Berkenbilt · GitHub
2 parents 8f792b7e e85b98b7
Showing 7 changed files with 27 additions and 14 deletions
fuzz/CMakeLists.txt
fuzz/qpdf_extra/68374.fuzz
fuzz/qpdf_extra/68377.fuzz
fuzz/qtest/fuzz.test
libqpdf/QPDF.cc
libqpdf/QPDF_optimization.cc
libqpdf/qpdf/ObjTable.hh
@@ -114,6 +114,8 @@ set(CORPUS_OTHER
   65681.fuzz
   65773.fuzz
   65777.fuzz
+  68374.fuzz
+  68377.fuzz
 )
 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)
@@ -21,7 +21,7 @@ my @fuzzers = (
     ['pngpredictor' => 1],
     ['runlength' => 6],
     ['tiffpredictor' => 2],
-    ['qpdf' => 56],             # increment when adding new files
+    ['qpdf' => 58],             # increment when adding new files
     );
 my $n_tests = 0;
@@ -1117,8 +1117,7 @@ QPDF::processXRefStream(qpdf_offset_t xref_offset, QPDFObjectHandle&amp; xref_obj)
         if (obj == 0) {
             // This is needed by checkLinearization()
             m->first_xref_item_offset = xref_offset;
-        }
-        if (fields[0] == 0) {
+        } else if (fields[0] == 0) {
             // Ignore fields[2], which we don't care about in this case. This works around the issue
             // of some PDF files that put invalid values, like -1, here for deleted objects.
             insertFreeXrefEntry(QPDFObjGen(obj, 0));
@@ -1196,7 +1195,9 @@ QPDF::insertFreeXrefEntry(QPDFObjGen og)
 void
 QPDF::insertReconstructedXrefEntry(int obj, qpdf_offset_t f1, int f2)
 {
-    if (!(obj > 0 && 0 <= f2 && f2 < 65535)) {
+    // Various tables are indexed by object id, with potential size id + 1
+    constexpr static int max_id = std::numeric_limits<int>::max() - 1;
+    if (!(obj > 0 && obj <= max_id && 0 <= f2 && f2 < 65535)) {
         QTC::TC("qpdf", "QPDF xref overwrite invalid objgen");
         return;
     }
@@ -416,22 +416,26 @@ QPDF::filterCompressedObjects(QPDFWriter::ObjTable const&amp; obj)
         ObjUser const& ou = i1.first;
         // Loop over objects.
         for (auto const& og: i1.second) {
-            if (auto const& i2 = obj[og].object_stream; i2 <= 0) {
-                t_obj_user_to_objects[ou].insert(og);
-            } else {
-                t_obj_user_to_objects[ou].insert(QPDFObjGen(i2, 0));
+            if (obj.contains(og)) {
+                if (auto const& i2 = obj[og].object_stream; i2 <= 0) {
+                    t_obj_user_to_objects[ou].insert(og);
+                } else {
+                    t_obj_user_to_objects[ou].insert(QPDFObjGen(i2, 0));
+                }
             }
         }
     }
     for (auto const& i1: m->object_to_obj_users) {
         QPDFObjGen const& og = i1.first;
-        // Loop over obj_users.
-        for (auto const& ou: i1.second) {
-            if (auto i2 = obj[og].object_stream; i2 <= 0) {
-                t_object_to_obj_users[og].insert(ou);
-            } else {
-                t_object_to_obj_users[QPDFObjGen(i2, 0)].insert(ou);
+        if (obj.contains(og)) {
+            // Loop over obj_users.
+            for (auto const& ou: i1.second) {
+                if (auto i2 = obj[og].object_stream; i2 <= 0) {
+                    t_object_to_obj_users[og].insert(ou);
+                } else {
+                    t_object_to_obj_users[QPDFObjGen(i2, 0)].insert(ou);
+                }
             }
         }
     }
@@ -63,6 +63,12 @@ class ObjTable: public std::vector&lt;T&gt;
     }
     inline bool
+    contains(QPDFObjGen og) const
+    {
+        return contains(static_cast<size_t>(og.getObj()));
+    }
+
+    inline bool
     contains(QPDFObjectHandle oh) const
     {
         return contains(static_cast<size_t>(oh.getObjectID()));