From 722148de3df872ef00a43a5dc693c95e59a2cb47 Mon Sep 17 00:00:00 2001
From: m-holger
Date: Thu, 11 Jul 2024 13:27:50 +0100
Subject: [PATCH] Further limit size of uncompressed JPEG for fuzzing
---
 fuzz/dct_fuzzer_seed_corpus/25297ce5437bb882fbbd5073334d2eb64fb9c40b | Bin 0 -> 28472 bytes
 fuzz/dct_fuzzer_seed_corpus/f48621948bc5b8c7debabe2fbec04cad56927e12 | Bin 0 -> 883063 bytes
 fuzz/qtest/fuzz.test | 2 +-
 libqpdf/Pl_DCT.cc | 9 +++++----
 libqpdf/QPDF_pages.cc | 2 +-
 5 files changed, 7 insertions(+), 6 deletions(-)
 create mode 100644 fuzz/dct_fuzzer_seed_corpus/25297ce5437bb882fbbd5073334d2eb64fb9c40b
 create mode 100644 fuzz/dct_fuzzer_seed_corpus/f48621948bc5b8c7debabe2fbec04cad56927e12
diff --git a/fuzz/dct_fuzzer_seed_corpus/25297ce5437bb882fbbd5073334d2eb64fb9c40b b/fuzz/dct_fuzzer_seed_corpus/25297ce5437bb882fbbd5073334d2eb64fb9c40b
new file mode 100644
index 0000000..c633d7a
Binary files /dev/null and b/fuzz/dct_fuzzer_seed_corpus/25297ce5437bb882fbbd5073334d2eb64fb9c40b differ
diff --git a/fuzz/dct_fuzzer_seed_corpus/f48621948bc5b8c7debabe2fbec04cad56927e12 b/fuzz/dct_fuzzer_seed_corpus/f48621948bc5b8c7debabe2fbec04cad56927e12
new file mode 100644
index 0000000..821e122
Binary files /dev/null and b/fuzz/dct_fuzzer_seed_corpus/f48621948bc5b8c7debabe2fbec04cad56927e12 differ
diff --git a/fuzz/qtest/fuzz.test b/fuzz/qtest/fuzz.test
index 16da1d9..952a26e 100644
--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -13,7 +13,7 @@ my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
 my @fuzzers = (
 ['ascii85' => 1],
- ['dct' => 2],
+ ['dct' => 4],
 ['flate' => 1],
 ['hex' => 1],
 ['json' => 40],
diff --git a/libqpdf/Pl_DCT.cc b/libqpdf/Pl_DCT.cc
index 7073c61..fe3da5c 100644
--- a/libqpdf/Pl_DCT.cc
+++ b/libqpdf/Pl_DCT.cc
@@ -335,10 +335,11 @@ Pl_DCT::decompress(void* cinfo_p, Buffer* b)
 (void)jpeg_calc_output_dimensions(cinfo);
 unsigned int width = cinfo->output_width * QIntC::to_uint(cinfo->output_components);
 if (memory_limit > 0 &&
- width > (static_cast(memory_limit) / (2U * cinfo->output_height))) {
- // Even if jpeglib does not run out of memory, qpdf will while buffering thye data before
- // writing it.
- throw std::runtime_error("Pl_DCT::decompress: JPEG data exceeds memory limit");
+ width > (static_cast(memory_limit) / (20U * cinfo->output_height))) {
+ // Even if jpeglib does not run out of memory, qpdf will while buffering the data before
+ // writing it. Furthermore, for very large images runtime can be significant before the
+ // first warning is encountered causing a timeout in oss-fuzz.
+ throw std::runtime_error("Pl_DCT::decompress: JPEG data large - may be too slow");
 }
 JSAMPARRAY buffer = (*cinfo->mem->alloc_sarray)(reinterpret_cast(cinfo), JPOOL_IMAGE, width, 1);
diff --git a/libqpdf/QPDF_pages.cc b/libqpdf/QPDF_pages.cc
index f5727d2..aeae7ce 100644
--- a/libqpdf/QPDF_pages.cc
+++ b/libqpdf/QPDF_pages.cc
@@ -99,7 +99,7 @@ QPDF::getAllPagesInternal(
 for (int i = 0; i < n; ++i) {
 auto kid = kids.getArrayItem(i);
 if (!kid.isDictionary()) {
- kid.warnIfPossible("Pages tree includes non-dictionary object; removing");
+ kid.warnIfPossible("Pages tree includes non-dictionary object; ignoring");
 continue;
 }
 if (kid.hasKey("/Kids")) {
-- 
libgit2 0.21.4
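Review bot: The new threshold `width > (static_cast(memory_limit) / (20U * cinfo->output_height))` silently changes what `memory_limit` means — an image is now refused once its uncompressed size exceeds roughly one twentieth of the limit instead of one half — so if `memory_limit` can be set by library callers and not only by the fuzzers, a caller that sized it as a memory budget will now have valid images rejected with a "may be too slow" message that has nothing to do with memory. If the knob is fuzzing-only, the comment should say so and the magic factor deserves a name, e.g. `constexpr unsigned int fuzz_slowness_factor = 20U;` with `// 20x headroom: large outputs also exceed the oss-fuzz timeout, not only the memory budget`; otherwise a separate limit for the timing concern would keep the two meanings apart. The divisor also relies on `cinfo->output_height` being non-zero and on `20U * output_height` not wrapping; as far as I recall libjpeg rejects empty images in jpeg_read_header and caps dimensions well below that, but a one-line comment stating that dependency (or an explicit `output_height == 0` guard before the division) would make the assumption visible to the next reader. `Pl_DCT::decompress` begins before this hunk and continues after it.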