Commit 9094fb1f8eed9f869d2bf90d99e7ab9ac913d76c
1 parent
c590dbc3
Fix two additional fuzz test cases
Showing
3 changed files
with
3 additions
and
2 deletions
fuzz/qpdf_extra/18241.fuzz
0 → 100644
No preview for this file type
fuzz/qpdf_extra/18247.fuzz
0 → 100644
No preview for this file type
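--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -688,7 +688,7 @@ QPDF::read_xref(qpdf_offset_t xref_offset)
 {
 max_obj = std::max(max_obj, *(this->m->deleted_objects.rbegin()));
 }
-if (size - 1 != max_obj)
+if ((size < 1) || (size - 1 != max_obj))
 {
 QTC::TC("qpdf", "QPDF xref size mismatch");
 warn(QPDFExc(qpdf_e_damaged_pdf, this->m->file->getName(), "", 0,
@@ -1206,7 +1206,8 @@ QPDF::processXRefStream(qpdf_offset_t xref_offset, QPDFObjectHandle& xref_obj)
 // an uncompressed object record, in which case the generation
 // number appears as the third field.
 int obj = toI(indx.at(cur_chunk));
-if ((std::numeric_limits<int>::max() - obj) < chunk_count)
+if ((obj < 0) ||
+((std::numeric_limits<int>::max() - obj) < chunk_count))
 {
 std::ostringstream msg;
 msg << "adding " << chunk_count << " to " << obj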
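Review bot: In the processXRefStream hunk, a negative `obj` read from the file now lands in the branch whose message begins `adding <chunk_count> to <obj>`, so an invalid object number is reported as an addition problem; a separate `if (obj < 0)` with its own damaged-PDF message would make the warning easier to triage. Both new conditions appear to exist so that arithmetic on file-supplied integers (`size - 1`, `max() - obj`) cannot overflow or wrap, but neither says so. I would add a short comment above each, for example `// obj comes from the xref stream: reject negatives before subtracting from INT_MAX`. The comparison only bounds `chunk_count` from above, and its type and any earlier non-negative check are not visible here, so that should be confirmed. Both functions start and end outside the hunks shown.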