Fix #1170

In QPDF::read_xrefEntry add buffer overflow test for first eol character. Overlong f1 or f2 entries consisting only of zeros could cause a buffer overflow. Add fuzz testcase 69913.

Fix #1170
In QPDF::read_xrefEntry add buffer overflow test for first eol character. Overlong f1 or f2 entries consisting only of zeros could cause a buffer overflow. Add fuzz testcase 69913.
m-holger
1 parent 3d569e21
Showing 4 changed files with 4 additions and 4 deletions
fuzz/CMakeLists.txt
fuzz/qpdf_extra/69913.fuzz
fuzz/qtest/fuzz.test
libqpdf/QPDF.cc
@@ -119,6 +119,7 @@ set(CORPUS_OTHER
   68668.fuzz
   68915.fuzz
   69857.fuzz
+  69913.fuzz
 )
 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)
@@ -21,7 +21,7 @@ my @fuzzers = (
     ['pngpredictor' => 1],
     ['runlength' => 6],
     ['tiffpredictor' => 2],
-    ['qpdf' => 61],             # increment when adding new files
+    ['qpdf' => 62],             # increment when adding new files
     );
 my $n_tests = 0;
@@ -905,9 +905,8 @@ QPDF::read_xrefEntry(qpdf_offset_t&amp; f1, int&amp; f2, char&amp; type)
     if (QUtil::is_space(*p++) && (*p == 'f' || *p == 'n')) {
         // C++20: [[likely]]
         type = *p;
-        ++p;
-        ++p; // No test for valid line[19].
-        if ((*p == '\n' || *p == '\r') && f1_len == 10 && f2_len == 5) {
+        // No test for valid line[19].
+        if (*(++p) && *(++p) && (*p == '\n' || *p == '\r') && f1_len == 10 && f2_len == 5) {
             // C++20: [[likely]]
             return true;
         }