From 841b4a09efc8b2fe2ceb0d517f97eb6a45b614ff Mon Sep 17 00:00:00 2001
From: m-holger
Date: Sat, 8 Nov 2025 01:12:53 +0000
Subject: [PATCH] Prevent infinite recursion in /AcroForm traversal by checking for self-referencing fields.
---
 fuzz/CMakeLists.txt | 1 +
 fuzz/qpdf_extra/5344352869351424.fuzz | Bin 0 -> 749 bytes
 fuzz/qtest/fuzz.test | 2 +-
 libqpdf/QPDFAcroFormDocumentHelper.cc | 4 ++++
 4 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 fuzz/qpdf_extra/5344352869351424.fuzz

diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt
index ea516f0..96e85e3 100644
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -163,6 +163,7 @@ set(CORPUS_OTHER
 440747125.fuzz
 4720043549327360.fuzz
 5109284021272576.fuzz
+ 5344352869351424.fuzz
 5828408539152384.fuzz
 6310410941956096.fuzz
 6322553212960768.fuzz
diff --git a/fuzz/qpdf_extra/5344352869351424.fuzz b/fuzz/qpdf_extra/5344352869351424.fuzz
new file mode 100644
index 0000000..e08073c
Binary files /dev/null and b/fuzz/qpdf_extra/5344352869351424.fuzz differ
diff --git a/fuzz/qtest/fuzz.test b/fuzz/qtest/fuzz.test
index d0036a4..3acd790 100644
--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');
 
 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
 
-my $n_qpdf_files = 104; # increment when adding new files
+my $n_qpdf_files = 105; # increment when adding new files
 
 my @fuzzers = (
 ['ascii85' => 1],
diff --git a/libqpdf/QPDFAcroFormDocumentHelper.cc b/libqpdf/QPDFAcroFormDocumentHelper.cc
index 4a39734..2f0d629 100644
--- a/libqpdf/QPDFAcroFormDocumentHelper.cc
+++ b/libqpdf/QPDFAcroFormDocumentHelper.cc
@@ -328,6 +328,10 @@ QPDFAcroFormDocumentHelper::traverseField(
 "ignoring field or annotation");
 return;
 }
+ if (field == parent) {
+ field.warn("loop detected while traversing /AcroForm");
+ return;
+ }
 if (!field.isDictionary()) {
 field.warn(
 "encountered a non-dictionary as a field or annotation while traversing /AcroForm; "
-- 
libgit2 0.21.4
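Review bot: The added `field == parent` guard only catches a one-step cycle, a field that refers straight back to itself; a cycle through two or more fields (A reaches B, B reaches A) passes this comparison and still recurses unless a visited set or depth limit elsewhere in traverseField, outside this hunk, stops it. If no such guard exists, a set of already-visited object generations carried through the traversal, checked and updated at the point where this comparison sits, would cover every cycle length and subsume this check, and the fuzz corpus file added by this commit would then deserve a companion case for the two-node cycle. Either way the guard deserves a why-comment, e.g. `// a field that refers back to its parent would recurse forever; stop here`. The enclosing function starts before and continues after the hunk.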