Commit 8a11feacc32aa5dcf0130d7499535624805fc87e
1 parent
30bb4c64
Avoid leak by resolving object streams more than once (fuzz issue 23642)
Showing
7 changed files
with
182 additions
and
10 deletions
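--- a/TODO
+++ b/TODO
@@ -1,9 +1,6 @@
 Candidates for upcoming release
 ===============================
 
-* Fuzz crashes
- * See "New" below
-
 * Open "next" issues
 * bugs
 * #473: zsh completion with directories
@@ -64,9 +61,6 @@ Fuzz Errors
 
 * https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=<N>
 
-* New:
- * 23642: leak: https://oss-fuzz.com/testcase-detail/4906569690251264
-
 * Ignoring these:
 * Problems inside the jpeg library: 15470, 15751, 18633, 18732,
 18745, 20391, 23581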
fuzz/qpdf_extra/23642-mod.fuzz
0 → 100644
fuzz/qpdf_extra/23642.fuzz
0 → 100644
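--- a/include/qpdf/QPDF.hh
+++ b/include/qpdf/QPDF.hh
@@ -1403,6 +1403,7 @@ class QPDF
 bool immediate_copy_from;
 bool in_parse;
 bool parsed;
+std::set<int> resolved_object_streams;
 
 // Linearization data
 qpdf_offset_t first_xref_item_offset; // actual value from file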
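Review bot: The new `resolved_object_streams` member carries no comment saying what it records, while the neighbouring members are grouped under `// Linearization data`. Since the QPDF.cc hunk in this commit records a stream number before attempting to resolve it, the member's meaning is "attempted", not "successfully resolved", and that distinction is worth stating next to the declaration: `// object stream numbers already passed to resolveObjectsInStream; recorded before resolution so a failed attempt is never repeated`. The class body continues outside the hunk.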
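--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -2082,6 +2082,11 @@ QPDF::resolve(int objid, int generation)
 void
 QPDF::resolveObjectsInStream(int obj_stream_number)
 {
+if (this->m->resolved_object_streams.count(obj_stream_number))
+{
+return;
+}
+this->m->resolved_object_streams.insert(obj_stream_number);
 // Force resolution of object stream
 QPDFObjectHandle obj_stream = getObjectByID(obj_stream_number, 0);
 if (! obj_stream.isStream())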
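Review bot: The stream number is inserted into `resolved_object_streams` before `getObjectByID` is called, so if resolution throws or the `! obj_stream.isStream()` branch is taken, every later call returns silently and the stream is never retried; that looks intentional (the duplicate warnings removed from fuzz-16214.out and issue-143.out are the observable effect), but nothing in the code records it. A one-line comment above the guard would preserve the reasoning: `// Record the stream before resolving it so a failed or partial attempt is never retried; repeated attempts leaked (fuzz issue 23642)`. The separate `count` and `insert` can also be collapsed into one lookup that expresses the same thing: `if (! this->m->resolved_object_streams.insert(obj_stream_number).second) { return; }`. One point to confirm that the hunk cannot show: if the cross-reference table can be reconstructed after a stream number has been recorded here, the set presumably needs to be cleared at that point, otherwise objects that move into an already-recorded stream would stay unresolved. The body of resolveObjectsInStream continues outside the hunk.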
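--- a/qpdf/qtest/qpdf/fuzz-16214.out
+++ b/qpdf/qtest/qpdf/fuzz-16214.out
@@ -11,8 +11,6 @@ WARNING: fuzz-16214.pdf (object 1 0, offset 7189): expected n n obj
 WARNING: fuzz-16214.pdf: Attempting to reconstruct cross-reference table
 WARNING: fuzz-16214.pdf (offset 7207): error decoding stream data for object 2 0: stream inflate: inflate: data: invalid code lengths set
 WARNING: fuzz-16214.pdf (offset 7207): getStreamData called on unfilterable stream
-WARNING: fuzz-16214.pdf (offset 7207): error decoding stream data for object 2 0: stream inflate: inflate: data: invalid code lengths set
-WARNING: fuzz-16214.pdf (offset 7207): getStreamData called on unfilterable stream
 WARNING: fuzz-16214.pdf (object 11 0, offset 11551): supposed object stream 5 has wrong type
 WARNING: fuzz-16214.pdf (object 21 0, offset 3639): expected endstream
 WARNING: fuzz-16214.pdf (object 21 0, offset 3112): attempting to recover stream length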
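--- a/qpdf/qtest/qpdf/issue-143.out
+++ b/qpdf/qtest/qpdf/issue-143.out
@@ -15,6 +15,4 @@ WARNING: issue-143.pdf (object 1 0, offset 84): attempting to recover stream len
 WARNING: issue-143.pdf (object 1 0, offset 84): recovered stream length: 606
 WARNING: issue-143.pdf object stream 1 (object 2 0, offset 33): expected dictionary key but found non-name object; inserting key /QPDFFake1
 WARNING: issue-143.pdf (object 2 0, offset 84): supposed object stream 12336 is not a stream
-WARNING: issue-143.pdf (object 2 0, offset 84): supposed object stream 12336 is not a stream
-WARNING: issue-143.pdf (object 2 0, offset 84): supposed object stream 12336 is not a stream
 qpdf: operation succeeded with warnings; resulting file may have some problems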