Merge pull request #1231 from m-holger/fuzz

In QPDF::processXRefIndex check number of objects in subsection is > 0

Merge pull request #1231 from m-holger/fuzz
In QPDF::processXRefIndex check number of objects in subsection is > 0
m-holger · GitHub
2 parents ce2deaf1 c1cd3ec8
Showing 4 changed files with 7 additions and 1 deletions
fuzz/CMakeLists.txt
fuzz/qpdf_extra/70055.fuzz
fuzz/qtest/fuzz.test
libqpdf/QPDF.cc
@@ -122,6 +122,7 @@ set(CORPUS_OTHER
   69913.fuzz
   69969.fuzz
   69977.fuzz
+  70055.fuzz
 )
 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)
@@ -21,7 +21,7 @@ my @fuzzers = (
     ['pngpredictor' => 1],
     ['runlength' => 6],
     ['tiffpredictor' => 2],
-    ['qpdf' => 64],             # increment when adding new files
+    ['qpdf' => 65],             # increment when adding new files
     );
 my $n_tests = 0;
@@ -1129,6 +1129,11 @@ QPDF::processXRefIndex(
             if (val.isInteger()) {
                 if (i % 2) {
                     auto count = val.getIntValue();
+                    if (count <= 0) {
+                        throw damaged(
+                            "Cross-reference stream section claims to contain " +
+                            std::to_string(count) + " entries");
+                    }
                     // We are guarding against the possibility of num_entries * entry_size
                     // overflowing. We are not checking that entries are in ascending order as
                     // required by the spec, which probably should generate a warning. We are also