OpenSystemsDevelopment / qpdf

Commit 841b4a09efc8b2fe2ceb0d517f97eb6a45b614ff

Authored by m-holger
1 parent 7edafea8

Prevent infinite recursion in /AcroForm traversal by checking for self-referencing fields.

Inline Side-by-side
Showing 4 changed files with 6 additions and 1 deletions
fuzz/CMakeLists.txt
  View file @841b4a0
@@ -163,6 +163,7 @@ set(CORPUS_OTHER @@ -163,6 +163,7 @@ set(CORPUS_OTHER
163 440747125.fuzz 163 440747125.fuzz
164 4720043549327360.fuzz 164 4720043549327360.fuzz
165 5109284021272576.fuzz 165 5109284021272576.fuzz
  166 + 5344352869351424.fuzz
166 5828408539152384.fuzz 167 5828408539152384.fuzz
167 6310410941956096.fuzz 168 6310410941956096.fuzz
168 6322553212960768.fuzz 169 6322553212960768.fuzz
fuzz/qpdf_extra/5344352869351424.fuzz 0 → 100644
View file @841b4a0
No preview for this file type
fuzz/qtest/fuzz.test
  View file @841b4a0
@@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz'); @@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');
11 11
12 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS"; 12 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
13 13
14 -my $n_qpdf_files = 104; # increment when adding new files 14 +my $n_qpdf_files = 105; # increment when adding new files
15 15
16 my @fuzzers = ( 16 my @fuzzers = (
17 ['ascii85' => 1], 17 ['ascii85' => 1],
libqpdf/QPDFAcroFormDocumentHelper.cc
  View file @841b4a0
@@ -328,6 +328,10 @@ QPDFAcroFormDocumentHelper::traverseField( @@ -328,6 +328,10 @@ QPDFAcroFormDocumentHelper::traverseField(
328 "ignoring field or annotation"); 328 "ignoring field or annotation");
329 return; 329 return;
330 } 330 }
  331 + if (field == parent) {
  332 + field.warn("loop detected while traversing /AcroForm");
  333 + return;
  334 + }
331 if (!field.isDictionary()) { 335 if (!field.isDictionary()) {
332 field.warn( 336 field.warn(
333 "encountered a non-dictionary as a field or annotation while traversing /AcroForm; " 337 "encountered a non-dictionary as a field or annotation while traversing /AcroForm; "