Commit 8cd50e0e3e20166b91226caf49ed4eb42cd9778d
1 parent
973edb4f
Fix QPDF::tableSize
Apply temporary fix to deal with fuzz case 68915. (Error is an integer overflow which would immediately cause a runtime error as a result of a call to QIntC::to_size.)
Showing
1 changed file
with
7 additions
and
0 deletions
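--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -2391,6 +2391,13 @@ QPDF::tableSize()
     // objects.
     auto max_xref = m->xref_table.size() ? m->xref_table.crbegin()->first.getObj() : 0;
     auto max_obj = m->obj_cache.size() ? m->obj_cache.crbegin()->first.getObj() : 0;
+    auto max_id = std::numeric_limits<int>::max() - 1;
+    if (max_obj >= max_id || max_xref >= max_id) {
+        // Temporary fix. Long-term solution is
+        // - QPDFObjGen to enforce objgens are valid and sensible
+        // - xref table and obj cache to protect against insertion of impossibly large obj ids
+        stopOnError("Impossibly large object id encountered.");
+    }
     if (max_obj < 1.1 * std::max(toI(m->obj_cache.size()), max_xref)) {
         return toS(++max_obj);
     }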
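Review bot: The guard added at lines 2394-2400 only prevents the overflow in `++max_obj` if `stopOnError` never returns; if it can return on some path, execution falls straight through into the increment the check was meant to stop. I cannot see `stopOnError`'s definition from this hunk, so if it is indeed non-returning, declaring it `[[noreturn]]` would let the compiler enforce that contract rather than leaving it implicit here. The "Temporary fix" comment should also name its trigger so the workaround can be found and removed once the long-term fix lands, e.g. `// Temporary fix for fuzz case 68915. Long-term solution is`. Since `max_id` is a compile-time constant, `constexpr auto max_id = std::numeric_limits<int>::max() - 1;` states that intent. tableSize's body continues past the end of the hunk.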