Commit 70f7af78e19e98c7d1518ca6590deae79657ab57
1 parent
7a2ef592
Fix QPDFOutlineObjectHelper loop detectection
Check for direct outline items. Fixes oss-fuzz case 389339260.
Showing
4 changed files
with
3 additions
and
2 deletions
fuzz/CMakeLists.txt
fuzz/qpdf_extra/389339260.fuzz
0 → 100644
No preview for this file type
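--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');
 
 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
 
-my $n_qpdf_files = 87; # increment when adding new files
+my $n_qpdf_files = 88; # increment when adding new files
 
 my @fuzzers = (
 ['ascii85' => 1],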
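--- a/libqpdf/QPDFOutlineObjectHelper.cc
+++ b/libqpdf/QPDFOutlineObjectHelper.cc
@@ -25,7 +25,7 @@ QPDFOutlineObjectHelper::QPDFOutlineObjectHelper(
 
 QPDFObjGen::set children;
 QPDFObjectHandle cur = oh.getKey("/First");
-while (!cur.isNull() && children.add(cur)) {
+while (!cur.isNull() && cur.isIndirect() && children.add(cur)) {
 QPDFOutlineObjectHelper new_ooh(cur, dh, 1 + depth);
 new_ooh.m->parent = std::make_shared<QPDFOutlineObjectHelper>(*this);
 m->kids.push_back(new_ooh);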
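Review bot: The added `cur.isIndirect()` test in the `while` condition ends the sibling walk silently when a direct outline item appears, and nothing in the code records why direct items are refused. A comment above the loop would capture it, e.g. `// Direct items have no object id for 'children' to track, so loop detection cannot cover them; stop at the first one.` That rationale is inferred from the commit message and should be confirmed against QPDFObjGen::set. Because a malformed file now yields a truncated outline with no signal to the caller, consider emitting a warning on that path as well. The loop body and the enclosing constructor continue outside this hunk, so whether the `1 + depth` recursion is bounded cannot be judged from here.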