OpenSystemsDevelopment / qpdf

Commit 722148de3df872ef00a43a5dc693c95e59a2cb47

Authored by m-holger
1 parent e914bbbb

Further limit size of uncompressed JPEG for fuzzing 

Try a  limit of 50MB. For very large limits processing time before
damage is encountered may exceed oss-fuzz limits.
Add further test cases.
Inline Side-by-side
Showing 5 changed files with 7 additions and 6 deletions
fuzz/dct_fuzzer_seed_corpus/25297ce5437bb882fbbd5073334d2eb64fb9c40b 0 → 100644
View file @722148d
No preview for this file type
fuzz/dct_fuzzer_seed_corpus/f48621948bc5b8c7debabe2fbec04cad56927e12 0 → 100644
View file @722148d
No preview for this file type
fuzz/qtest/fuzz.test
  View file @722148d
... ... @@ -13,7 +13,7 @@ my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
13 13  
14 14 my @fuzzers = (
15 15 ['ascii85' => 1],
16   - ['dct' => 2],
  16 + ['dct' => 4],
17 17 ['flate' => 1],
18 18 ['hex' => 1],
19 19 ['json' => 40],
... ...
libqpdf/Pl_DCT.cc
  View file @722148d
... ... @@ -335,10 +335,11 @@ Pl_DCT::decompress(void* cinfo_p, Buffer* b)
335 335 (void)jpeg_calc_output_dimensions(cinfo);
336 336 unsigned int width = cinfo->output_width * QIntC::to_uint(cinfo->output_components);
337 337 if (memory_limit > 0 &&
338   - width > (static_cast<unsigned long>(memory_limit) / (2U * cinfo->output_height))) {
339   - // Even if jpeglib does not run out of memory, qpdf will while buffering thye data before
340   - // writing it.
341   - throw std::runtime_error("Pl_DCT::decompress: JPEG data exceeds memory limit");
  338 + width > (static_cast<unsigned long>(memory_limit) / (20U * cinfo->output_height))) {
  339 + // Even if jpeglib does not run out of memory, qpdf will while buffering the data before
  340 + // writing it. Furthermore, for very large images runtime can be significant before the
  341 + // first warning is encountered causing a timeout in oss-fuzz.
  342 + throw std::runtime_error("Pl_DCT::decompress: JPEG data large - may be too slow");
342 343 }
343 344 JSAMPARRAY buffer =
344 345 (*cinfo->mem->alloc_sarray)(reinterpret_cast<j_common_ptr>(cinfo), JPOOL_IMAGE, width, 1);
... ...
libqpdf/QPDF_pages.cc
  View file @722148d
... ... @@ -99,7 +99,7 @@ QPDF::getAllPagesInternal(
99 99 for (int i = 0; i < n; ++i) {
100 100 auto kid = kids.getArrayItem(i);
101 101 if (!kid.isDictionary()) {
102   - kid.warnIfPossible("Pages tree includes non-dictionary object; removing");
  102 + kid.warnIfPossible("Pages tree includes non-dictionary object; ignoring");
103 103 continue;
104 104 }
105 105 if (kid.hasKey("/Kids")) {
... ...