From c2c1618e08f07a831a8bacff8d65aa75793d91d4 Mon Sep 17 00:00:00 2001
From: m-holger
Date: Wed, 10 Jul 2024 18:00:36 +0100
Subject: [PATCH] Add extra sanity check on pages tree

---
 fuzz/CMakeLists.txt | 3 +++
 fuzz/qpdf_extra/4599089157701632.fuzz | Bin 0 -> 262144 bytes
 fuzz/qpdf_extra/69977b.fuzz | Bin 0 -> 52851 bytes
 fuzz/qpdf_extra/69977c.fuzz | Bin 0 -> 92316 bytes
 fuzz/qtest/fuzz.test | 2 +-
 libqpdf/QPDF_pages.cc | 4 ++++
 6 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 fuzz/qpdf_extra/4599089157701632.fuzz
 create mode 100644 fuzz/qpdf_extra/69977b.fuzz
 create mode 100644 fuzz/qpdf_extra/69977c.fuzz

diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt
index 2a74424..bb0f616 100644
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -124,7 +124,10 @@ set(CORPUS_OTHER
 69969.fuzz
 69977.fuzz
 69977a.fuzz
+ 69977b.fuzz
+ 69977c.fuzz
 70055.fuzz
+ 4599089157701632.fuzz
 )
 
 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)
diff --git a/fuzz/qpdf_extra/4599089157701632.fuzz b/fuzz/qpdf_extra/4599089157701632.fuzz
new file mode 100644
index 0000000..6a6c17f
Binary files /dev/null and b/fuzz/qpdf_extra/4599089157701632.fuzz differ
diff --git a/fuzz/qpdf_extra/69977b.fuzz b/fuzz/qpdf_extra/69977b.fuzz
new file mode 100644
index 0000000..648fcb3
Binary files /dev/null and b/fuzz/qpdf_extra/69977b.fuzz differ
diff --git a/fuzz/qpdf_extra/69977c.fuzz b/fuzz/qpdf_extra/69977c.fuzz
new file mode 100644
index 0000000..e279d0b
Binary files /dev/null and b/fuzz/qpdf_extra/69977c.fuzz differ
diff --git a/fuzz/qtest/fuzz.test b/fuzz/qtest/fuzz.test
index cd3f683..16da1d9 100644
--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -21,7 +21,7 @@ my @fuzzers = (
 ['pngpredictor' => 1],
 ['runlength' => 6],
 ['tiffpredictor' => 2],
- ['qpdf' => 67], # increment when adding new files
+ ['qpdf' => 70], # increment when adding new files
 );
 
 my $n_tests = 0;
diff --git a/libqpdf/QPDF_pages.cc b/libqpdf/QPDF_pages.cc
index 4e3e77c..f5727d2 100644
--- a/libqpdf/QPDF_pages.cc
+++ b/libqpdf/QPDF_pages.cc
@@ -98,6 +98,10 @@ QPDF::getAllPagesInternal(
 int n = kids.getArrayNItems();
 for (int i = 0; i < n; ++i) {
 auto kid = kids.getArrayItem(i);
+ if (!kid.isDictionary()) {
+ kid.warnIfPossible("Pages tree includes non-dictionary object; removing");
+ continue;
+ }
 if (kid.hasKey("/Kids")) {
 getAllPagesInternal(kid, visited, seen, media_box);
 } else {
--
libgit2 0.21.4
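Review bot: The new warning says the non-dictionary kid is being "removing", but the added branch only `continue`s past it; nothing in the hunk erases the entry from the /Kids array, so a later write of the document would presumably still carry the malformed entry and the message overstates what happens (unless "removing" is meant as "dropped from the page list", which the hunk cannot confirm). Either reword it to match the behaviour, e.g. `kid.warnIfPossible("Pages tree includes non-dictionary object; ignoring");`, or actually erase the entry from `kids` before continuing. A one-line why-comment would also help the next reader, since this guard exists because of malformed input from the fuzz corpus added in the same commit: `// Malformed pages tree (fuzz corpus): skip a kid that is not a dictionary rather than dereference it`. The enclosing for loop and getAllPagesInternal continue past the end of the hunk.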