Commit bb83e65193684b5a7521fa77ffb87ad82e49564c
1 parent
17d431df
Fix fuzz issue 16953 (overflow checking in xref stream index)
Showing
2 changed files
with
12 additions
and
1 deletions
fuzz/qpdf_extra/16953.fuzz
0 → 100644
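--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -5,6 +5,7 @@
 #include <map>
 #include <algorithm>
 #include <limits>
+#include <sstream>
 #include <stdlib.h>
 #include <string.h>
 #include <memory.h>
@@ -1202,7 +1203,16 @@ QPDF::processXRefStream(qpdf_offset_t xref_offset, QPDFObjectHandle& xref_obj)
 // based on /Index. The generation number is 0 unless this is
 // an uncompressed object record, in which case the generation
 // number appears as the third field.
- int obj = toI(indx.at(cur_chunk)) + chunk_count;
+ int obj = toI(indx.at(cur_chunk));
+ if ((std::numeric_limits<int>::max() - obj) < chunk_count)
+ {
+ std::ostringstream msg;
+ msg << "adding " << chunk_count << " to " << obj
+ << " while computing index in xref stream would cause"
+ << " an integer overflow";
+ throw std::range_error(msg.str());
+ }
+ obj += chunk_count;
 ++chunk_count;
 if (chunk_count >= indx.at(cur_chunk + 1))
 {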
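Review bot: The new guard `if ((std::numeric_limits<int>::max() - obj) < chunk_count)` is only sound when both operands are non-negative: if `obj`, taken from `toI(indx.at(cur_chunk))` on an attacker-controlled /Index array, can be negative, then `max() - obj` itself overflows before the comparison runs, which is undefined behaviour for signed int and the very class of defect this fuzz fix targets. Unless /Index entries are already rejected when negative earlier in processXRefStream (not visible in this hunk), the check should cover that case too, e.g. `if (obj < 0 || chunk_count < 0 || (std::numeric_limits<int>::max() - obj) < chunk_count)`, and the same reasoning applies to the widening from `indx` to `int` inside `toI` if it does not range-check. `std::range_error` is declared in `<stdexcept>`, which the first hunk does not add alongside `<sstream>`; it is presumably reachable through another header, but an explicit include would keep the file self-contained. The enclosing processXRefStream body begins and ends outside the hunk.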