Handle negative numbers in QIntC::range_check (fuzz issue 26994)

Jay Berkenbilt
1 parent 4b4b31bf
Showing 5 changed files with 72 additions and 0 deletions
ChangeLog
fuzz/qpdf_extra/26994.fuzz
include/qpdf/QIntC.hh
libtests/qintc.cc
libtests/qtest/qintc/qintc.out
+2020-11-21  Jay Berkenbilt  <ejb@ql.org>
+
+	* Fix QIntC::range_check to handle negative numbers properly (fuzz
+	issue 26994).
+
 2020-11-11  Jay Berkenbilt  <ejb@ql.org>
 	* Treat a direct page object as a runtime error rather than a
@@ -226,6 +226,11 @@ namespace QIntC // QIntC = qpdf Integer Conversion
     template <typename T>
     void range_check(T const& cur, T const& delta)
     {
+        if ((delta > 0) != (cur > 0))
+        {
+            return;
+        }
+
         if ((delta > 0) &&
             ((std::numeric_limits<T>::max() - cur) < delta))
         {
@@ -235,6 +240,15 @@ namespace QIntC // QIntC = qpdf Integer Conversion
                 << " would cause an integer overflow";
             throw std::range_error(msg.str());
         }
+        else if ((delta < 0) &&
+            ((std::numeric_limits<T>::min() - cur) > delta))
+        {
+            std::ostringstream msg;
+            msg.imbue(std::locale::classic());
+            msg << "adding " << delta << " to " << cur
+                << " would cause an integer underflow";
+            throw std::range_error(msg.str());
+        }
     }
 };
@@ -25,6 +25,29 @@ static void try_convert_real(
     std::cout << ((passed == exp_pass) ? " PASSED" : " FAILED") << std::endl;
 }
+#define try_range_check(exp_pass, a, b) \
+    try_range_check_real(#a " + " #b, exp_pass, a, b)
+
+template <typename T>
+static void try_range_check_real(
+    char const* description, bool exp_pass,
+    T const& a, T const& b)
+{
+    bool passed = false;
+    try
+    {
+        QIntC::range_check(a, b);
+        std::cout << description << ": okay";
+        passed = true;
+    }
+    catch (std::range_error& e)
+    {
+        std::cout << description << ": " << e.what();
+        passed = false;
+    }
+    std::cout << ((passed == exp_pass) ? " PASSED" : " FAILED") << std::endl;
+}
+
 int main()
 {
     uint32_t u1 = 3141592653U;      // Too big for signed type
@@ -56,5 +79,22 @@ int main()
     try_convert(true,  QIntC::to_uchar<char>, c2);
     try_convert(true,  QIntC::to_char<char>, c2);
+    auto constexpr max_ll = std::numeric_limits<long long>::max();
+    auto constexpr max_ull = std::numeric_limits<unsigned long long>::max();
+    auto constexpr min_ll = std::numeric_limits<long long>::min();
+    auto constexpr max_sc = std::numeric_limits<signed char>::max();
+    try_range_check(true, 1, 2);
+    try_range_check(true, -1, 2);
+    try_range_check(true, -100, -200);
+    try_range_check(true, max_ll, 0LL);
+    try_range_check(false, max_ll, 1LL);
+    try_range_check(true, max_ll, 0LL);
+    try_range_check(false, max_ll, 1LL);
+    try_range_check(true, max_ull, 0ULL);
+    try_range_check(false, max_ull, 1ULL);
+    try_range_check(true, min_ll, 0LL);
+    try_range_check(false, min_ll, -1LL);
+    try_range_check(false, max_sc, max_sc);
+    try_range_check(true, '!', '#');
     return 0;
 }