Fix some pipelines to be safe if downstream write fails (fuzz issue 28262)

Jay Berkenbilt
1 parent a9bdeeb0
Showing 6 changed files with 17 additions and 6 deletions
ChangeLog
fuzz/qpdf_extra/28262.fuzz
libqpdf/Pl_AES_PDF.cc
libqpdf/Pl_ASCII85Decoder.cc
libqpdf/Pl_ASCIIHexDecoder.cc
libqpdf/Pl_Count.cc
+2021-01-04  Jay Berkenbilt  <ejb@ql.org>
+
+	* Move getNext()->write() calls in some pipelines to ensure that
+	state gates properly reset even if the next pipeline's write
+	throws an exception (fuzz issue 28262).
+
 2021-01-03  Jay Berkenbilt  <ejb@ql.org>
 	* Don't include -o nospace with zsh completion setup so file
@@ -238,6 +238,6 @@ Pl_AES_PDF::flush(bool strip_padding)
 	    }
 	}
     }
-    getNext()->write(this->outbuf, bytes);
     this->offset = 0;
+    getNext()->write(this->outbuf, bytes);
 }
@@ -119,10 +119,13 @@ Pl_ASCII85Decoder::flush()
     QTC::TC("libtests", "Pl_ASCII85Decoder partial flush",
 	    (this->pos == 5) ? 0 : 1);
-    getNext()->write(outbuf, this->pos - 1);
-
+    // Reset before calling getNext()->write in case that throws an
+    // exception.
+    auto t = this->pos - 1;
     this->pos = 0;
     memset(this->inbuf, 117, 5);
+
+    getNext()->write(outbuf, t);
 }
 void
@@ -97,12 +97,14 @@ Pl_ASCIIHexDecoder::flush()
     QTC::TC("libtests", "Pl_ASCIIHexDecoder partial flush",
 	    (this->pos == 2) ? 0 : 1);
-    getNext()->write(&ch, 1);
-
+    // Reset before calling getNext()->write in case that throws an
+    // exception.
     this->pos = 0;
     this->inbuf[0] = '0';
     this->inbuf[1] = '0';
     this->inbuf[2] = '\0';
+
+    getNext()->write(&ch, 1);
 }
 void
@@ -27,8 +27,8 @@ Pl_Count::write(unsigned char* buf, size_t len)
     if (len)
     {
 	this->m->count += QIntC::to_offset(len);
-	getNext()->write(buf, len);
 	this->m->last_char = buf[len - 1];
+	getNext()->write(buf, len);
     }
 }