OpenSystemsDevelopment / qpdf

Commit ac5e6de2e8692803b1c85cb79dd7c5497baf5f2e

Authored by Jay Berkenbilt
1 parent 6bc4cc3d

Fix fuzz issue 15387 (overflow checking xref size)

Inline Side-by-side
Showing 5 changed files with 8 additions and 6 deletions
fuzz/qpdf_extra/15387.fuzz 0 → 100644
  View file @ac5e6de
  1 + xref 2147483647 1 1 5 fstartxref 2
  2 +trailer<</Size 0>>
0 \ No newline at end of file 3 \ No newline at end of file
libqpdf/QPDF.cc
  View file @ac5e6de
@@ -672,14 +672,14 @@ QPDF::read_xref(qpdf_offset_t xref_offset) @@ -672,14 +672,14 @@ QPDF::read_xref(qpdf_offset_t xref_offset)
672 { 672 {
673 max_obj = std::max(max_obj, *(this->m->deleted_objects.rbegin())); 673 max_obj = std::max(max_obj, *(this->m->deleted_objects.rbegin()));
674 } 674 }
675 - if (size != max_obj + 1) 675 + if (size - 1 != max_obj)
676 { 676 {
677 QTC::TC("qpdf", "QPDF xref size mismatch"); 677 QTC::TC("qpdf", "QPDF xref size mismatch");
678 warn(QPDFExc(qpdf_e_damaged_pdf, this->m->file->getName(), "", 0, 678 warn(QPDFExc(qpdf_e_damaged_pdf, this->m->file->getName(), "", 0,
679 std::string("reported number of objects (") + 679 std::string("reported number of objects (") +
680 QUtil::int_to_string(size) + 680 QUtil::int_to_string(size) +
681 - ") inconsistent with actual number of objects (" +  
682 - QUtil::int_to_string(max_obj + 1) + ")")); 681 + ") is not one plus the highest object number (" +
  682 + QUtil::int_to_string(max_obj) + ")"));
683 } 683 }
684 684
685 // We no longer need the deleted_objects table, so go ahead and 685 // We no longer need the deleted_objects table, so go ahead and
qpdf/qtest/qpdf/bad12-recover.out
  View file @ac5e6de
1 -WARNING: bad12.pdf: reported number of objects (9) inconsistent with actual number of objects (8) 1 +WARNING: bad12.pdf: reported number of objects (9) is not one plus the highest object number (7)
2 /QTest is implicit 2 /QTest is implicit
3 /QTest is direct and has type null (2) 3 /QTest is direct and has type null (2)
4 /QTest is null 4 /QTest is null
qpdf/qtest/qpdf/bad12.out
  View file @ac5e6de
1 -WARNING: bad12.pdf: reported number of objects (9) inconsistent with actual number of objects (8) 1 +WARNING: bad12.pdf: reported number of objects (9) is not one plus the highest object number (7)
2 /QTest is implicit 2 /QTest is implicit
3 /QTest is direct and has type null (2) 3 /QTest is direct and has type null (2)
4 /QTest is null 4 /QTest is null
qpdf/qtest/qpdf/issue-51.out
  View file @ac5e6de
1 WARNING: issue-51.pdf: can't find PDF header 1 WARNING: issue-51.pdf: can't find PDF header
2 -WARNING: issue-51.pdf: reported number of objects (0) inconsistent with actual number of objects (9) 2 +WARNING: issue-51.pdf: reported number of objects (0) is not one plus the highest object number (8)
3 WARNING: issue-51.pdf (object 7 0, offset 553): expected endobj 3 WARNING: issue-51.pdf (object 7 0, offset 553): expected endobj
4 WARNING: issue-51.pdf (object 1 0, offset 359): expected endobj 4 WARNING: issue-51.pdf (object 1 0, offset 359): expected endobj
5 WARNING: issue-51.pdf (offset 70): loop detected resolving object 2 0 5 WARNING: issue-51.pdf (offset 70): loop detected resolving object 2 0