Commit e85b98b7e8b8b330614fc31825c411260fc2eaef

Authored by m-holger
1 parent 60c7d594

Guard against object id == std::numeric_limits<int> in QPDF::insertReconstructedXrefEntry

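--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -114,6 +114,7 @@ set(CORPUS_OTHER
 65681.fuzz
 65773.fuzz
 65777.fuzz
+68374.fuzz
 68377.fuzz
 )
 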
fuzz/qpdf_extra/68374.fuzz 0 → 100644
No preview for this file type
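--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -21,7 +21,7 @@ my @fuzzers = (
 ['pngpredictor' => 1],
 ['runlength' => 6],
 ['tiffpredictor' => 2],
-['qpdf' => 57], # increment when adding new files
+['qpdf' => 58], # increment when adding new files
 );
 
 my $n_tests = 0;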
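--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -1195,7 +1195,9 @@ QPDF::insertFreeXrefEntry(QPDFObjGen og)
 void
 QPDF::insertReconstructedXrefEntry(int obj, qpdf_offset_t f1, int f2)
 {
-if (!(obj > 0 && 0 <= f2 && f2 < 65535)) {
+// Various tables are indexed by object id, with potential size id + 1
+constexpr static int max_id = std::numeric_limits<int>::max() - 1;
+if (!(obj > 0 && obj <= max_id && 0 <= f2 && f2 < 65535)) {
 QTC::TC("qpdf", "QPDF xref overwrite invalid objgen");
 return;
 }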
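Review bot: The added bound `obj <= max_id` in insertReconstructedXrefEntry rejects only the one value for which `id + 1` would overflow `int`; every id up to `INT_MAX - 1` taken from a reconstructed xref is still accepted. If any of the tables the comment mentions are dense and sized to `id + 1`, a damaged or crafted file could presumably still request a very large allocation, so it is worth confirming those tables are sparse or adding a plausibility cap on the id. The comment should also name the hazard it guards against, e.g. `// Tables indexed by object id may be sized obj + 1; reject obj == INT_MAX so that sum cannot overflow int.` The function body continues outside the hunk, so what happens to `obj` after the guard is not visible here.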