Seek in two stages to avoid overflow

When seeing to a position based on a value read from the input, we are prone to integer overflow (fuzz issue 15442). Seek in two stages to move the overflow check into the input source code.

Seek in two stages to avoid overflow
When seeing to a position based on a value read from the input, we are prone to integer overflow (fuzz issue 15442). Seek in two stages to move the overflow check into the input source code.
Jay Berkenbilt
1 parent ac5e6de2
Showing 1 changed file with 3 additions and 1 deletions
libqpdf/QPDF.cc
@@ -1632,7 +1632,9 @@ QPDF::readObject(PointerHolder&lt;InputSource&gt; input,
                 }
  
                 length = toS(length_obj.getUIntValue());
-                input->seek(stream_offset + toO(length), SEEK_SET);
+                // Seek in two steps to avoid potential integer overflow
+                input->seek(stream_offset, SEEK_SET);
+                input->seek(toO(length), SEEK_CUR);
                 if (! (readToken(input) ==
                        QPDFTokenizer::Token(
                            QPDFTokenizer::tt_word, "endstream")))