Merge pull request #1527 from m-holger/fuzz

Improve null key/value handling in `NNTree`, add checks across insert…

Merge pull request #1527 from m-holger/fuzz
Improve null key/value handling in `NNTree`, add checks across insert…
m-holger · GitHub
2 parents 059d9a9b bdeb1036
Showing 1 changed file with 9 additions and 5 deletions
libqpdf/NNTree.cc
@@ -106,7 +106,7 @@ NNTreeIterator::getNextKid(PathElement&amp; pe, bool backward)
 bool
 NNTreeIterator::valid() const
 {
-    return item_number >= 0;
+    return item_number >= 0 && ivalue.first && ivalue.second;
 }
  
 void
@@ -381,6 +381,9 @@ NNTreeIterator::insertAfter(QPDFObjectHandle const&amp; key, QPDFObjectHandle const&amp;
     if (std::cmp_less(items.size(), item_number + 2)) {
         impl.error(node, "insert: items array is too short");
     }
+    if (!(key && value)) {
+        impl.error(node, "insert: key or value is null");
+    }
     items.insert(item_number + 2, key);
     items.insert(item_number + 3, value);
     resetLimits(node, lastPathElement());
@@ -737,11 +740,9 @@ NNTreeImpl::repair()
     new_node.replaceKey(details.itemsKey(), Array());
     NNTreeImpl repl(details, qpdf, new_node, false);
     for (auto const& [key, value]: *this) {
-//        if (key && value) {
+        if (key && value) {
             repl.insert(key, value);
-//        } else {
-//            std::cerr << key.unparse() << "\n";
-//        }
+        }
     }
     oh.replaceKey("/Kids", new_node.getKey("/Kids"));
     oh.replaceKey(details.itemsKey(), new_node.getKey(details.itemsKey()));
@@ -824,6 +825,9 @@ NNTreeImpl::insertFirst(QPDFObjectHandle const&amp; key, QPDFObjectHandle const&amp; val
     if (!items) {
         error(oh, "unable to find a valid items node");
     }
+    if (!(key && value)) {
+        error(oh, "unable to insert null key or value");
+    }
     items.insert(0, key);
     items.insert(1, value);
     iter.setItemNumber(iter.node, 0);