Merge pull request #1600 from m-holger/fuzz

Enhance validation of xref entries for deleted objects.

Merge pull request #1600 from m-holger/fuzz
Enhance validation of xref entries for deleted objects.
m-holger · GitHub
2 parents 5303b253 aef09904
Showing 4 changed files with 6 additions and 3 deletions
fuzz/CMakeLists.txt
fuzz/qpdf_extra/4797504999981056.fuzz
fuzz/qtest/fuzz.test
libqpdf/QPDF_objects.cc
@@ -162,6 +162,7 @@ set(CORPUS_OTHER
   440599107.fuzz
   440747125.fuzz
   4720043549327360.fuzz
+  4797504999981056.fuzz
   4876793183272960.fuzz
   5109284021272576.fuzz
   5344352869351424.fuzz
+  xref 2147483647 1 1 5 fstartxref 2
+trailer<</Size 1>>
 \ No newline at end of file
@@ -11,7 +11,7 @@ my $td = new TestDriver(&#39;fuzz&#39;);
  
 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
  
-my $n_qpdf_files = 106;       # increment when adding new files
+my $n_qpdf_files = 107;       # increment when adding new files
  
 my @fuzzers = (
     ['ascii85' => 1],
@@ -533,7 +533,7 @@ Objects::read_xref(qpdf_offset_t xref_offset, bool in_stream_recovery)
         max_obj = std::max(max_obj, *(m->deleted_objects.rbegin()));
     }
     if (size < 1 || (size - 1) != max_obj) {
-        if (size  == (max_obj + 2) && qpdf.getObject(max_obj +1, 0).isStreamOfType("/XRef")) {
+        if (size == (max_obj + 2) && qpdf.getObject(max_obj + 1, 0).isStreamOfType("/XRef")) {
             warn(damagedPDF(
                 "",
                 -1,
@@ -1132,7 +1132,7 @@ Objects::insertXrefEntry(int obj, int f0, qpdf_offset_t f1, int f2)
 void
 Objects::insertFreeXrefEntry(QPDFObjGen og)
 {
-    if (!m->xref_table.contains(og)) {
+    if (!m->xref_table.contains(og) && og.getObj() <= m->xref_table_max_id) {
         m->deleted_objects.insert(og.getObj());
     }
 }