Commit ac5e6de2e8692803b1c85cb79dd7c5497baf5f2e
1 parent
6bc4cc3d
Fix fuzz issue 15387 (overflow checking xref size)
Showing
5 changed files
with
8 additions
and
6 deletions
fuzz/qpdf_extra/15387.fuzz
0 → 100644
libqpdf/QPDF.cc
| ... | ... | @@ -672,14 +672,14 @@ QPDF::read_xref(qpdf_offset_t xref_offset) |
| 672 | 672 | { |
| 673 | 673 | max_obj = std::max(max_obj, *(this->m->deleted_objects.rbegin())); |
| 674 | 674 | } |
| 675 | - if (size != max_obj + 1) | |
| 675 | + if (size - 1 != max_obj) | |
| 676 | 676 | { |
| 677 | 677 | QTC::TC("qpdf", "QPDF xref size mismatch"); |
| 678 | 678 | warn(QPDFExc(qpdf_e_damaged_pdf, this->m->file->getName(), "", 0, |
| 679 | 679 | std::string("reported number of objects (") + |
| 680 | 680 | QUtil::int_to_string(size) + |
| 681 | - ") inconsistent with actual number of objects (" + | |
| 682 | - QUtil::int_to_string(max_obj + 1) + ")")); | |
| 681 | + ") is not one plus the highest object number (" + | |
| 682 | + QUtil::int_to_string(max_obj) + ")")); | |
| 683 | 683 | } |
| 684 | 684 | |
| 685 | 685 | // We no longer need the deleted_objects table, so go ahead and | ... | ... |
qpdf/qtest/qpdf/bad12-recover.out
qpdf/qtest/qpdf/bad12.out
qpdf/qtest/qpdf/issue-51.out
| 1 | 1 | WARNING: issue-51.pdf: can't find PDF header |
| 2 | -WARNING: issue-51.pdf: reported number of objects (0) inconsistent with actual number of objects (9) | |
| 2 | +WARNING: issue-51.pdf: reported number of objects (0) is not one plus the highest object number (8) | |
| 3 | 3 | WARNING: issue-51.pdf (object 7 0, offset 553): expected endobj |
| 4 | 4 | WARNING: issue-51.pdf (object 1 0, offset 359): expected endobj |
| 5 | 5 | WARNING: issue-51.pdf (offset 70): loop detected resolving object 2 0 | ... | ... |