Commit c012dc294734a43e32de784a8a1fd0e2ddfc0f2c
1 parent
51fa3b52
Refactor QPDFFormFieldObjectHelper ValueSetter::writeAppearance
Adjusting for under/overflow by repeated incrementing/decrementing can cause excessive runtime with invalid BBox coordinates. Fixes oss-fuzz issue 409905355.
Showing
4 changed files
with
9 additions
and
9 deletions
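--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -156,6 +156,7 @@ set(CORPUS_OTHER
 394129398.fuzz
 394463491.fuzz
 398060137.fuzz
+409905355.fuzz
 )
 
 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)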
fuzz/qpdf_extra/409905355.fuzz
0 → 100644
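--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');
 
 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
 
-my $n_qpdf_files = 93; # increment when adding new files
+my $n_qpdf_files = 94; # increment when adding new files
 
 my @fuzzers = (
 ['ascii85' => 1],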
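--- a/libqpdf/QPDFFormFieldObjectHelper.cc
+++ b/libqpdf/QPDFFormFieldObjectHelper.cc
@@ -585,17 +585,16 @@ ValueSetter::writeAppearance()
 int wanted_first = QIntC::to_int(found_idx) - 1;
 int wanted_last = QIntC::to_int(found_idx + max_rows) - 2;
 QTC::TC("qpdf", "QPDFFormFieldObjectHelper list found");
-while (wanted_first < 0) {
+if (wanted_first < 0) {
 QTC::TC("qpdf", "QPDFFormFieldObjectHelper list first too low");
-++wanted_first;
-++wanted_last;
+wanted_last -= wanted_first;
+wanted_first = 0;
 }
-while (wanted_last >= QIntC::to_int(nopt)) {
+if (wanted_last >= QIntC::to_int(nopt)) {
 QTC::TC("qpdf", "QPDFFormFieldObjectHelper list last too high");
-if (wanted_first > 0) {
---wanted_first;
-}
---wanted_last;
+auto diff = wanted_last - QIntC::to_int(nopt) + 1;
+wanted_first = std::max(0, wanted_first - diff);
+wanted_last -= diff;
 }
 highlight = true;
 highlight_idx = found_idx - QIntC::to_size(wanted_first);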
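Review bot: The closed-form clamp on new lines 588–597 replaces the loops without a comment stating what the two adjustments preserve, so the next reader has to re-derive why `wanted_last -= wanted_first` and the `diff` subtraction are equivalent to the old per-row shifting; a comment above the first `if` such as `// Clamp the max_rows-wide window around found_idx into [0, nopt-1] in O(1); the old per-row loops ran unbounded for absurd max_rows (oss-fuzz 409905355).` would carry that. The new `std::max` call relies on `<algorithm>` being included in this file, which the hunk does not show, so that is worth confirming rather than leaving to a transitive include. The name `diff` is easy to confuse with the surrounding index arithmetic; `overshoot` would read better. Neither the old loops nor the new arithmetic handle max_rows == 0, where wanted_last ends up one below wanted_first — that is pre-existing, and whether the caller bounds max_rows is not visible here since ValueSetter::writeAppearance starts before and ends after the hunk.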