OpenSystemsDevelopment / qpdf

Commit c012dc294734a43e32de784a8a1fd0e2ddfc0f2c

Authored by m-holger
1 parent 51fa3b52

Refactor QPDFFormFieldObjectHelper ValueSetter::writeAppearance 

Adjusting for under/overflow by repeated incrementing/decrementing can
cause excessive runtime with invalid BBox coordinates.

Fixes oss-fuzz issue 409905355.
Inline Side-by-side
Showing 4 changed files with 9 additions and 9 deletions
fuzz/CMakeLists.txt
  View file @c012dc2
... ... @@ -156,6 +156,7 @@ set(CORPUS_OTHER
156 156 394129398.fuzz
157 157 394463491.fuzz
158 158 398060137.fuzz
  159 + 409905355.fuzz
159 160 )
160 161  
161 162 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)
... ...
fuzz/qpdf_extra/409905355.fuzz 0 → 100644
View file @c012dc2
No preview for this file type
fuzz/qtest/fuzz.test
  View file @c012dc2
... ... @@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');
11 11  
12 12 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
13 13  
14   -my $n_qpdf_files = 93; # increment when adding new files
  14 +my $n_qpdf_files = 94; # increment when adding new files
15 15  
16 16 my @fuzzers = (
17 17 ['ascii85' => 1],
... ...
libqpdf/QPDFFormFieldObjectHelper.cc
  View file @c012dc2
... ... @@ -585,17 +585,16 @@ ValueSetter::writeAppearance()
585 585 int wanted_first = QIntC::to_int(found_idx) - 1;
586 586 int wanted_last = QIntC::to_int(found_idx + max_rows) - 2;
587 587 QTC::TC("qpdf", "QPDFFormFieldObjectHelper list found");
588   - while (wanted_first < 0) {
  588 + if (wanted_first < 0) {
589 589 QTC::TC("qpdf", "QPDFFormFieldObjectHelper list first too low");
590   - ++wanted_first;
591   - ++wanted_last;
  590 + wanted_last -= wanted_first;
  591 + wanted_first = 0;
592 592 }
593   - while (wanted_last >= QIntC::to_int(nopt)) {
  593 + if (wanted_last >= QIntC::to_int(nopt)) {
594 594 QTC::TC("qpdf", "QPDFFormFieldObjectHelper list last too high");
595   - if (wanted_first > 0) {
596   - --wanted_first;
597   - }
598   - --wanted_last;
  595 + auto diff = wanted_last - QIntC::to_int(nopt) + 1;
  596 + wanted_first = std::max(0, wanted_first - diff);
  597 + wanted_last -= diff;
599 598 }
600 599 highlight = true;
601 600 highlight_idx = found_idx - QIntC::to_size(wanted_first);
... ...