Commit 6bc4cc3d48dd2216c9415215967e46d429b7f6b1
1 parent
94e86e25
Fix fuzz issue 15475
Showing
3 changed files
with
13 additions
and
6 deletions
fuzz/lzw_fuzzer_seed_corpus/a19f987b885f5a96069f4bc7f12b9e84ceba7dfa
0 → 100644
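--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -23,7 +23,7 @@ my @fuzzers = (
 ['dct' => 1],
 ['flate' => 1],
 ['hex' => 1],
-['lzw' => 1],
+['lzw' => 2],
 ['pngpredictor' => 1],
 ['runlength' => 6],
 ['tiffpredictor' => 1],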
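--- a/libqpdf/Pl_LZWDecoder.cc
+++ b/libqpdf/Pl_LZWDecoder.cc
@@ -107,7 +107,7 @@ Pl_LZWDecoder::getFirstChar(unsigned int code)
 unsigned int idx = code - 258;
 if (idx >= table.size())
 {
-throw std::logic_error(
+throw std::runtime_error(
 "Pl_LZWDecoder::getFirstChar: table overflow");
 }
 Buffer& b = table.at(idx);
@@ -115,7 +115,7 @@ Pl_LZWDecoder::getFirstChar(unsigned int code)
 }
 else
 {
-throw std::logic_error(
+throw std::runtime_error(
 "Pl_LZWDecoder::getFirstChar called with invalid code (" +
 QUtil::int_to_string(code) + ")");
 }
@@ -140,7 +140,7 @@ Pl_LZWDecoder::addToTable(unsigned char next)
 unsigned int idx = this->last_code - 258;
 if (idx >= table.size())
 {
-throw std::logic_error(
+throw std::runtime_error(
 "Pl_LZWDecoder::addToTable: table overflow");
 }
 Buffer& b = table.at(idx);
@@ -149,7 +149,7 @@ Pl_LZWDecoder::addToTable(unsigned char next)
 }
 else
 {
-throw std::logic_error(
+throw std::runtime_error(
 "Pl_LZWDecoder::addToTable called with invalid code (" +
 QUtil::int_to_string(this->last_code) + ")");
 }
@@ -239,7 +239,13 @@ Pl_LZWDecoder::handleCode(unsigned int code)
 }
 else
 {
-Buffer& b = table.at(code - 258);
+unsigned int idx = code - 258;
+if (idx >= table.size())
+{
+throw std::runtime_error(
+"Pl_LZWDecoder::handleCode: table overflow");
+}
+Buffer& b = table.at(idx);
 getNext()->write(b.getBuffer(), b.getSize());
 }
 }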
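Review bot: In `handleCode`, the added `idx >= table.size()` check repeats what `table.at(idx)` already enforces, and nothing records why it is there. Presumably the intent is that a malformed LZW stream surfaces as `std::runtime_error` instead of the `std::out_of_range` (a `std::logic_error`) that `at()` would throw, so a comment such as `// code comes from the compressed stream: reject an undefined table entry as bad input rather than letting at() throw a logic_error` would keep the guard from being removed as redundant. The message would also be easier to triage if it carried the offending value, as the `invalid code (` messages in `getFirstChar` and `addToTable` do: `"Pl_LZWDecoder::handleCode: table overflow (code " + QUtil::int_to_string(code) + ")"`. All three function bodies begin and end outside the hunks shown, so whether `code` is guaranteed to be at least 258 before the unsigned subtraction cannot be confirmed from here.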