Commit 9a095c5c76cdc14379a65f0e50dcccea30d425aa
1 parent
ac5e6de2
Seek in two stages to avoid overflow
When seeing to a position based on a value read from the input, we are prone to integer overflow (fuzz issue 15442). Seek in two stages to move the overflow check into the input source code.
Showing
1 changed file
with
3 additions
and
1 deletions
libqpdf/QPDF.cc
| @@ -1632,7 +1632,9 @@ QPDF::readObject(PointerHolder<InputSource> input, | @@ -1632,7 +1632,9 @@ QPDF::readObject(PointerHolder<InputSource> input, | ||
| 1632 | } | 1632 | } |
| 1633 | 1633 | ||
| 1634 | length = toS(length_obj.getUIntValue()); | 1634 | length = toS(length_obj.getUIntValue()); |
| 1635 | - input->seek(stream_offset + toO(length), SEEK_SET); | 1635 | + // Seek in two steps to avoid potential integer overflow |
| 1636 | + input->seek(stream_offset, SEEK_SET); | ||
| 1637 | + input->seek(toO(length), SEEK_CUR); | ||
| 1636 | if (! (readToken(input) == | 1638 | if (! (readToken(input) == |
| 1637 | QPDFTokenizer::Token( | 1639 | QPDFTokenizer::Token( |
| 1638 | QPDFTokenizer::tt_word, "endstream"))) | 1640 | QPDFTokenizer::tt_word, "endstream"))) |