From c1cd3ec8a03ef81a43f6c3de8135dff351adbdf5 Mon Sep 17 00:00:00 2001
From: m-holger
Date: Sat, 6 Jul 2024 16:09:50 +0100
Subject: [PATCH] In QPDF::processXRefIndex check number of objects in subsection is > 0

---
 fuzz/CMakeLists.txt | 1 +
 fuzz/qpdf_extra/70055.fuzz | Bin 0 -> 4336 bytes
 fuzz/qtest/fuzz.test | 2 +-
 libqpdf/QPDF.cc | 5 +++++
 4 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 fuzz/qpdf_extra/70055.fuzz

diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt
index 98c980d..f5680a2 100644
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -122,6 +122,7 @@ set(CORPUS_OTHER
   69913.fuzz
   69969.fuzz
   69977.fuzz
+  70055.fuzz
 )
 
 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)
diff --git a/fuzz/qpdf_extra/70055.fuzz b/fuzz/qpdf_extra/70055.fuzz
new file mode 100644
index 0000000..078b236
Binary files /dev/null and b/fuzz/qpdf_extra/70055.fuzz differ
diff --git a/fuzz/qtest/fuzz.test b/fuzz/qtest/fuzz.test
index 49ae52d..7370c84 100644
--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -21,7 +21,7 @@ my @fuzzers = (
     ['pngpredictor' => 1],
     ['runlength' => 6],
     ['tiffpredictor' => 2],
-    ['qpdf' => 64], # increment when adding new files
+    ['qpdf' => 65], # increment when adding new files
 );
 
 my $n_tests = 0;
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index 451cdf7..e11e300 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -1129,6 +1129,11 @@ QPDF::processXRefIndex(
         if (val.isInteger()) {
             if (i % 2) {
                 auto count = val.getIntValue();
+                if (count <= 0) {
+                    throw damaged( "Cross-reference stream section claims to contain " + std::to_string(count) + " entries");
+                }
                 // We are guarding against the possibility of num_entries * entry_size
                 // overflowing. We are not checking that entries are in ascending order as
                 // required by the spec, which probably should generate a warning. We are also
-- 
libgit2 0.21.4
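Review bot: Making a zero-length subsection fatal at `if (count <= 0)` may reject files the spec does not clearly forbid — ISO 32000-1 §7.5.8.2 only says the second integer of each /Index pair is the number of entries, so a `0` count is degenerate rather than unparsable, whereas a negative count is what would actually undermine the `num_entries * entry_size` overflow guard described in the comment that follows. Unless the 70055.fuzz case specifically needs zero rejected, consider `if (count < 0)` for the throw and a warning plus skip of the empty pair for `count == 0`, so that previously-accepted files are not turned into hard errors. Whatever threshold is kept, a one-line rationale would help the next reader, e.g. `// /Index pairs are [first count] (ISO 32000-1 7.5.8.2); a non-positive count cannot describe a subsection and would break the overflow guard below`. The start of processXRefIndex, the `i % 2 == 0` branch that reads the first object number, and the code that consumes count all lie outside this hunk, so I cannot confirm how a zero count is handled downstream.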