Commit 722148de3df872ef00a43a5dc693c95e59a2cb47
1 parent
e914bbbb
Further limit size of uncompressed JPEG for fuzzing
Try a limit of 50MB. For very large limits, processing time before damage is encountered may exceed oss-fuzz limits. Add further test cases.
Showing
5 changed files
with
7 additions
and
6 deletions
fuzz/dct_fuzzer_seed_corpus/25297ce5437bb882fbbd5073334d2eb64fb9c40b
0 → 100644
fuzz/dct_fuzzer_seed_corpus/f48621948bc5b8c7debabe2fbec04cad56927e12
0 → 100644
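--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -13,7 +13,7 @@ my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
 
 my @fuzzers = (
 ['ascii85' => 1],
-['dct' => 2],
+['dct' => 4],
 ['flate' => 1],
 ['hex' => 1],
 ['json' => 40],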
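--- a/libqpdf/Pl_DCT.cc
+++ b/libqpdf/Pl_DCT.cc
@@ -335,10 +335,11 @@ Pl_DCT::decompress(void* cinfo_p, Buffer* b)
 (void)jpeg_calc_output_dimensions(cinfo);
 unsigned int width = cinfo->output_width * QIntC::to_uint(cinfo->output_components);
 if (memory_limit > 0 &&
-width > (static_cast<unsigned long>(memory_limit) / (2U * cinfo->output_height))) {
-// Even if jpeglib does not run out of memory, qpdf will while buffering thye data before
-// writing it.
-throw std::runtime_error("Pl_DCT::decompress: JPEG data exceeds memory limit");
+width > (static_cast<unsigned long>(memory_limit) / (20U * cinfo->output_height))) {
+// Even if jpeglib does not run out of memory, qpdf will while buffering the data before
+// writing it. Furthermore, for very large images runtime can be significant before the
+// first warning is encountered causing a timeout in oss-fuzz.
+throw std::runtime_error("Pl_DCT::decompress: JPEG data large - may be too slow");
 }
 JSAMPARRAY buffer =
 (*cinfo->mem->alloc_sarray)(reinterpret_cast<j_common_ptr>(cinfo), JPOOL_IMAGE, width, 1);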
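Review bot: The divisor `20U` on new line 338 is a magic constant that silently redefines what `memory_limit` means for every caller that sets it, not only the fuzzers: decompressed output is now rejected above memory_limit/20 instead of memory_limit/2, and neither the new comment nor the new error text records that ratio or why it was chosen. If the limit setter is reachable by library users (its declaration is not in this hunk, so I cannot confirm), consider naming the factor and tying it to the fuzzing time budget, e.g. `constexpr unsigned long size_factor = 20UL; // decompressed bytes capped at memory_limit / size_factor so oss-fuzz runs finish before the timeout` and `width > (static_cast<unsigned long>(memory_limit) / (size_factor * cinfo->output_height))`. The product `20U * cinfo->output_height` is also evaluated in unsigned int; as far as I recall libjpeg rejects dimensions above JPEG_MAX_DIMENSION (65500), so it cannot wrap today, but a one-line comment stating that assumption would protect the next retuning of the factor from turning the guard into a silently smaller divisor. Pl_DCT::decompress begins and ends outside this hunk.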
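--- a/libqpdf/QPDF_pages.cc
+++ b/libqpdf/QPDF_pages.cc
@@ -99,7 +99,7 @@ QPDF::getAllPagesInternal(
 for (int i = 0; i < n; ++i) {
 auto kid = kids.getArrayItem(i);
 if (!kid.isDictionary()) {
-kid.warnIfPossible("Pages tree includes non-dictionary object; removing");
+kid.warnIfPossible("Pages tree includes non-dictionary object; ignoring");
 continue;
 }
 if (kid.hasKey("/Kids")) {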