Commit e85b98b7e8b8b330614fc31825c411260fc2eaef

Authored by m-holger
1 parent 60c7d594

Guard against object id == std::numeric_limits<int> in QPDF::insertReconstructedXrefEntry

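--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -114,6 +114,7 @@ set(CORPUS_OTHER
 65681.fuzz
 65773.fuzz
 65777.fuzz
+68374.fuzz
 68377.fuzz
 )
 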
fuzz/qpdf_extra/68374.fuzz 0 → 100644
No preview for this file type
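--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -21,7 +21,7 @@ my @fuzzers = (
 ['pngpredictor' => 1],
 ['runlength' => 6],
 ['tiffpredictor' => 2],
-['qpdf' => 57], # increment when adding new files
+['qpdf' => 58], # increment when adding new files
 );
 
 my $n_tests = 0;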
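--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -1195,7 +1195,9 @@ QPDF::insertFreeXrefEntry(QPDFObjGen og)
 void
 QPDF::insertReconstructedXrefEntry(int obj, qpdf_offset_t f1, int f2)
 {
-if (!(obj > 0 && 0 <= f2 && f2 < 65535)) {
+// Various tables are indexed by object id, with potential size id + 1
+constexpr static int max_id = std::numeric_limits<int>::max() - 1;
+if (!(obj > 0 && obj <= max_id && 0 <= f2 && f2 < 65535)) {
 QTC::TC("qpdf", "QPDF xref overwrite invalid objgen");
 return;
 }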
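Review bot: The new `obj <= max_id` check in insertReconstructedXrefEntry rules out the `id + 1` overflow at INT_MAX, but it still accepts any object id up to INT_MAX - 1 read from a damaged file, so if any of the tables the comment mentions is actually sized to id + 1, a single crafted entry could still request a very large allocation; whether that can happen is not visible in this hunk. The limit is also a function-local constant, so the other xref insertion paths (the hunk header shows insertFreeXrefEntry just above) should be checked for the same bound, ideally through one shared constant. I would make the comment state the failure it prevents, e.g. `// Reject obj == INT_MAX: tables indexed by object id may be sized obj + 1, which would overflow int.` `std::numeric_limits` needs `<limits>`, and the include list is outside this hunk, as is the rest of the function body.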