Detect shared /Kids arrays in pages tree

In QPDF::getAllPagesInternal include the /Kids array in the visited set for loop detection. Fixes oss-fuzz issue 411312393

Detect shared /Kids arrays in pages tree
In QPDF::getAllPagesInternal include the /Kids array in the visited set for loop detection. Fixes oss-fuzz issue 411312393
m-holger
1 parent ac94437a
Showing 4 changed files with 10 additions and 1 deletions
fuzz/CMakeLists.txt
fuzz/qpdf_extra/411312393.fuzz
fuzz/qtest/fuzz.test
libqpdf/QPDF_pages.cc
@@ -157,6 +157,7 @@ set(CORPUS_OTHER
   394463491.fuzz
   398060137.fuzz
   409905355.fuzz
+  411312393.fuzz
 )
 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)
@@ -11,7 +11,7 @@ my $td = new TestDriver(&#39;fuzz&#39;);
 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
-my $n_qpdf_files = 94;       # increment when adding new files
+my $n_qpdf_files = 95;       # increment when adding new files
 my @fuzzers = (
     ['ascii85' => 1],
@@ -109,6 +109,14 @@ QPDF::getAllPagesInternal(
         QTC::TC("qpdf", "QPDF inherit mediabox", media_box ? 0 : 1);
     }
     auto kids = cur_node.getKey("/Kids");
+    if (!visited.add(kids)) {
+        throw QPDFExc(
+            qpdf_e_pages,
+            m->file->getName(),
+            "object " + cur_node.getObjGen().unparse(' '),
+            0,
+            "Loop detected in /Pages structure (getAllPages)");
+    }
     int i = -1;
     for (auto& kid: kids.as_array()) {
         ++i;