From dcf111a9bcc0dc7dcc96eb7884b48355c2d5eb1e Mon Sep 17 00:00:00 2001
From: m-holger
Date: Wed, 18 Sep 2024 00:12:44 +0100
Subject: [PATCH] Apply fuzzer Pl_Flate memory limit only when inflating
---
 fuzz/CMakeLists.txt | 1 +
 fuzz/qpdf_extra/71689.fuzz | Bin 0 -> 205987 bytes
 fuzz/qpdf_fuzzer.cc | 7 -------
 fuzz/qtest/fuzz.test | 2 +-
 libqpdf/Pl_Flate.cc | 4 ++--
 5 files changed, 4 insertions(+), 10 deletions(-)
 create mode 100644 fuzz/qpdf_extra/71689.fuzz
diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt
index 89cfd81..73d886c 100644
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -141,6 +141,7 @@ set(CORPUS_OTHER
 70306a.fuzz
 70306b.fuzz
 71624.fuzz
+ 71689.fuzz
 )
 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)
diff --git a/fuzz/qpdf_extra/71689.fuzz b/fuzz/qpdf_extra/71689.fuzz
new file mode 100644
index 0000000..81911b9
Binary files /dev/null and b/fuzz/qpdf_extra/71689.fuzz differ
diff --git a/fuzz/qpdf_fuzzer.cc b/fuzz/qpdf_fuzzer.cc
index 490caea..602983b 100644
--- a/fuzz/qpdf_fuzzer.cc
+++ b/fuzz/qpdf_fuzzer.cc
@@ -93,13 +93,6 @@ FuzzHelper::testWrite()
 w->setDeterministicID(true);
 w->setQDFMode(true);
 doWrite(w);
-
- q = getQpdf();
- w = getWriter(q);
- w->setStaticID(true);
- w->setLinearization(true);
- w->setR6EncryptionParameters("u", "o", true, true, true, true, true, true, qpdf_r3p_full, true);
- doWrite(w);
 }
 void
diff --git a/fuzz/qtest/fuzz.test b/fuzz/qtest/fuzz.test
index eebc3c1..02dbc98 100644
--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');
 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
-my $n_qpdf_files = 78; # increment when adding new files
+my $n_qpdf_files = 79; # increment when adding new files
 my @fuzzers = (
 ['ascii85' => 1],
diff --git a/libqpdf/Pl_Flate.cc b/libqpdf/Pl_Flate.cc
index b9ad8a0..ad68049 100644
--- a/libqpdf/Pl_Flate.cc
+++ b/libqpdf/Pl_Flate.cc
@@ -181,7 +181,7 @@ Pl_Flate::handleData(unsigned char const* data, size_t len, int flush)
 }
 uLong ready = QIntC::to_ulong(m->out_bufsize - zstream.avail_out);
 if (ready > 0) {
- if (memory_limit) {
+ if (memory_limit && m->action != a_deflate) {
 m->written += ready;
 if (m->written > memory_limit) {
 throw std::runtime_error("PL_Flate memory limit exceeded");
@@ -205,7 +205,7 @@ void
 Pl_Flate::finish()
 {
 if (m->written > memory_limit) {
- return;
+ throw std::runtime_error("PL_Flate memory limit exceeded");
 }
 try {
 if (m->outbuf.get()) {
--
libgit2 0.21.4
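Review bot: The new guard `if (memory_limit && m->action != a_deflate)` in handleData has no comment saying why the deflate direction is exempt, and the reason cannot be read off the code. The cap bounds how far a crafted compressed stream can expand on output, while deflate output is bounded by the size of its input, which is presumably why it is skipped; a line such as `// Limit only inflated output; deflate output is bounded by its input.` above the condition would record that. `memory_limit` appears to be a process-wide setting, so it is worth confirming that no caller other than the fuzzer relies on the limit also covering compression. handleData's body begins and ends outside the hunk.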
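Review bot: The throw added at the top of finish() fires before the `try` block that follows, so the cleanup starting at `if (m->outbuf.get())` is still skipped on this path, as it was with the old `return`, and callers must now also handle an exception from finish(). The rest of finish() is outside the hunk, so it is worth checking that nothing reaches it from a destructor or other noexcept context, where an escaping exception would terminate the process, and that the zlib state is released elsewhere. The test also depends implicitly on `m->written` being advanced only in the guarded branch of handleData; writing it as `if (memory_limit && m->written > memory_limit) {` would make that explicit. The message literal is now duplicated and spells the class `PL_Flate` rather than `Pl_Flate`; a shared constant would keep the two sites in step.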