From 78db34d25f559b0a5c9e7d33ab7732ad69d71afd Mon Sep 17 00:00:00 2001
From: m-holger
Date: Thu, 24 Jul 2025 14:54:13 +0100
Subject: [PATCH] Add check for shared appearance stream in QPDFFormFieldObjectHelper::generateTextAppearance
---
 fuzz/CMakeLists.txt | 1 +
 fuzz/qpdf_extra/433311400.fuzz | Bin 0 -> 280982 bytes
 fuzz/qtest/fuzz.test | 2 +-
 libqpdf/QPDFFormFieldObjectHelper.cc | 7 ++++++-
 4 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 fuzz/qpdf_extra/433311400.fuzz
diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt
index 38b55c6..87c0c54 100644
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -158,6 +158,7 @@ set(CORPUS_OTHER
 398060137.fuzz
 409905355.fuzz
 411312393.fuzz
+ 433311400.fuzz
 5109284021272576.fuzz
 )
diff --git a/fuzz/qpdf_extra/433311400.fuzz b/fuzz/qpdf_extra/433311400.fuzz
new file mode 100644
index 0000000..ea84c27
Binary files /dev/null and b/fuzz/qpdf_extra/433311400.fuzz differ
diff --git a/fuzz/qtest/fuzz.test b/fuzz/qtest/fuzz.test
index 8d1f863..530c935 100644
--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');
 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
-my $n_qpdf_files = 96; # increment when adding new files
+my $n_qpdf_files = 97; # increment when adding new files
 my @fuzzers = (
 ['ascii85' => 1],
diff --git a/libqpdf/QPDFFormFieldObjectHelper.cc b/libqpdf/QPDFFormFieldObjectHelper.cc
index 91c3a65..f806888 100644
--- a/libqpdf/QPDFFormFieldObjectHelper.cc
+++ b/libqpdf/QPDFFormFieldObjectHelper.cc
@@ -773,6 +773,12 @@ QPDFFormFieldObjectHelper::generateTextAppearance(QPDFAnnotationObjectHelper& ao
 aoh.getObjectHandle().warnIfPossible("unable to get normal appearance stream for update");
 return;
 }
+
+ if (AS.getObj().use_count() > 4) {
+ aoh.getObjectHandle().warnIfPossible(
+ "unable to generate text appearance from shared appearance stream for update");
+ return;
+ }
 QPDFObjectHandle bbox_obj = AS.getDict().getKey("/BBox");
 if (!bbox_obj.isRectangle()) {
 aoh.getObjectHandle().warnIfPossible("unable to get appearance stream bounding box");
@@ -831,7 +837,6 @@ QPDFFormFieldObjectHelper::generateTextAppearance(QPDFAnnotationObjectHelper& ao
 for (size_t i = 0; i < opt.size(); ++i) {
 opt.at(i) = (*encoder)(opt.at(i), '?');
 }
-
 AS.addTokenFilter(
 std::shared_ptr(new ValueSetter(DA, V, opt, tf, bbox)));
 }
--
libgit2 0.21.4
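Review bot: The threshold in the added guard `if (AS.getObj().use_count() > 4)` (first hunk, right after the normal-appearance-stream check) is an unexplained magic number, so a reader cannot tell which four references an unshared appearance stream is expected to hold at this point. Because the test depends on how many handle copies happen to be alive here, a later refactor that adds or drops a copy would presumably either disable the guard silently or start rejecting streams that are not shared; the new fuzz corpus entry may catch the first case, but nothing visible in the patch covers the second. I would give the value a name and document its derivation next to the check, e.g. `// an unshared AS is referenced N times here (list the holders); a higher count means another annotation shares the stream`, and state in the same comment what goes wrong when the token filter is attached to a shared stream. generateTextAppearance starts and ends outside this hunk.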