Commit 6bc4cc3d48dd2216c9415215967e46d429b7f6b1

Authored by Jay Berkenbilt
1 parent 94e86e25

Fix fuzz issue 15475

fuzz/lzw_fuzzer_seed_corpus/a19f987b885f5a96069f4bc7f12b9e84ceba7dfa 0 → 100644
  1 +˙˙
0 2 \ No newline at end of file
... ...
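--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -23,7 +23,7 @@ my @fuzzers = (
 ['dct' => 1],
 ['flate' => 1],
 ['hex' => 1],
-['lzw' => 1],
+['lzw' => 2],
 ['pngpredictor' => 1],
 ['runlength' => 6],
 ['tiffpredictor' => 1],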
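--- a/libqpdf/Pl_LZWDecoder.cc
+++ b/libqpdf/Pl_LZWDecoder.cc
@@ -107,7 +107,7 @@ Pl_LZWDecoder::getFirstChar(unsigned int code)
 unsigned int idx = code - 258;
 if (idx >= table.size())
 {
-throw std::logic_error(
+throw std::runtime_error(
 "Pl_LZWDecoder::getFirstChar: table overflow");
 }
 Buffer& b = table.at(idx);
@@ -115,7 +115,7 @@ Pl_LZWDecoder::getFirstChar(unsigned int code)
 }
 else
 {
-throw std::logic_error(
+throw std::runtime_error(
 "Pl_LZWDecoder::getFirstChar called with invalid code (" +
 QUtil::int_to_string(code) + ")");
 }
@@ -140,7 +140,7 @@ Pl_LZWDecoder::addToTable(unsigned char next)
 unsigned int idx = this->last_code - 258;
 if (idx >= table.size())
 {
-throw std::logic_error(
+throw std::runtime_error(
 "Pl_LZWDecoder::addToTable: table overflow");
 }
 Buffer& b = table.at(idx);
@@ -149,7 +149,7 @@ Pl_LZWDecoder::addToTable(unsigned char next)
 }
 else
 {
-throw std::logic_error(
+throw std::runtime_error(
 "Pl_LZWDecoder::addToTable called with invalid code (" +
 QUtil::int_to_string(this->last_code) + ")");
 }
@@ -239,7 +239,13 @@ Pl_LZWDecoder::handleCode(unsigned int code)
 }
 else
 {
-Buffer& b = table.at(code - 258);
+unsigned int idx = code - 258;
+if (idx >= table.size())
+{
+throw std::runtime_error(
+"Pl_LZWDecoder::handleCode: table overflow");
+}
+Buffer& b = table.at(idx);
 getNext()->write(b.getBuffer(), b.getSize());
 }
 }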
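Review bot: The guard added in handleCode (new lines 242–248) is the third hand-written copy of the same `idx >= table.size()` check, after the ones in getFirstChar and addToTable. Each copy must separately remember to throw `std::runtime_error` so that malformed LZW input is reported as bad data rather than as an internal error. A single private accessor that does the subtraction, the size check and the throw would keep that classification in one place for any later table access. It is also the natural spot to note that the unsigned subtraction wraps for a code below 258 and that the size check rejects the wrapped index as well; whether such a code can reach this branch is not visible here. handleCode's body starts and ends outside the hunk, and the helper name below is only a suggestion whose declaration would go in the class header.

```cpp
// Proposed private helper; name is a suggestion.
Buffer&
Pl_LZWDecoder::tableEntry(unsigned int code, char const* caller)
{
    // Unsigned arithmetic: a code below 258 wraps to a huge index,
    // which the size check below rejects like any other bad index.
    unsigned int idx = code - 258;
    if (idx >= table.size())
    {
        throw std::runtime_error(
            std::string("Pl_LZWDecoder::") + caller + ": table overflow");
    }
    return table.at(idx);
}

// … unchanged: earlier branches of handleCode …
// in handleCode, replacing the added guard:
Buffer& b = tableEntry(code, "handleCode");
getNext()->write(b.getBuffer(), b.getSize());
```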