From 8abb42e314ccdc9c93518acbd6aab03d8384cb2a Mon Sep 17 00:00:00 2001
From: m-holger
Date: Wed, 27 Aug 2025 20:47:06 +0100
Subject: [PATCH] Fix #1527
---
 fuzz/CMakeLists.txt | 2 ++
 fuzz/qpdf_extra/440599107.fuzz | Bin 0 -> 2909 bytes
 fuzz/qpdf_extra/440747125.fuzz | Bin 0 -> 16086 bytes
 fuzz/qtest/fuzz.test | 2 +-
 libqpdf/NNTree.cc | 4 +++-
 5 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 fuzz/qpdf_extra/440599107.fuzz
 create mode 100644 fuzz/qpdf_extra/440747125.fuzz
diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt
index c1ce4b7..a437cc7 100644
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -159,6 +159,8 @@ set(CORPUS_OTHER
 409905355.fuzz
 411312393.fuzz
 433311400.fuzz
+ 440599107.fuzz
+ 440747125.fuzz
 4720043549327360.fuzz
 5109284021272576.fuzz
 6489005569146880.fuzz
diff --git a/fuzz/qpdf_extra/440599107.fuzz b/fuzz/qpdf_extra/440599107.fuzz
new file mode 100644
index 0000000..272e7d3
Binary files /dev/null and b/fuzz/qpdf_extra/440599107.fuzz differ
diff --git a/fuzz/qpdf_extra/440747125.fuzz b/fuzz/qpdf_extra/440747125.fuzz
new file mode 100644
index 0000000..394ce25
Binary files /dev/null and b/fuzz/qpdf_extra/440747125.fuzz differ
diff --git a/fuzz/qtest/fuzz.test b/fuzz/qtest/fuzz.test
index 2fee3de..d141db7 100644
--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');
 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
-my $n_qpdf_files = 99; # increment when adding new files
+my $n_qpdf_files = 101; # increment when adding new files
 my @fuzzers = (
 ['ascii85' => 1],
diff --git a/libqpdf/NNTree.cc b/libqpdf/NNTree.cc
index d1da166..751bd72 100644
--- a/libqpdf/NNTree.cc
+++ b/libqpdf/NNTree.cc
@@ -103,10 +103,12 @@ NNTreeIterator::getNextKid(PathElement& pe, bool backward)
 }
 }
+// iterator can be incremented or decremented, or dereferenced. This does not imply that it points
+// to a valid item.
 bool
 NNTreeIterator::valid() const
 {
- return item_number >= 0 && ivalue.first && ivalue.second;
+ return item_number >= 0;
 }
 void
-- 
libgit2 0.21.4
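Review bot: With the `ivalue.first && ivalue.second` test dropped, `valid()` returning true no longer tells a caller that the key and value at the current position are usable, so any code that dereferences the iterator after checking only `valid()` can now see an empty key or value. Those call sites are outside this hunk, and the diffstat shows only four changed lines in NNTree.cc, so they look unchanged by this commit and should be audited for an explicit check before use. The added comment describes the weaker contract but not what a caller has to do about it; something like `// Returns true when the iterator refers to a position in the tree; the key and value there may still be null, so callers must check them before use.` would make that explicit. The two new corpus files presumably reproduce the fuzzer findings, but a targeted test that iterates over a tree with a missing key or value would pin the new behaviour more directly than the corpus count in fuzz.test.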