Merge pull request #1273 from m-holger/fuzz

In QPDF::readObjectAtOffset fail early on 'expect n n obj'

Merge pull request #1273 from m-holger/fuzz
In QPDF::readObjectAtOffset fail early on 'expect n n obj'
m-holger · GitHub
2 parents 0b3debaf ef492916
Showing 1 changed file with 18 additions and 14 deletions
libqpdf/QPDF.cc
@@ -1727,24 +1727,28 @@ QPDF::readObjectAtOffset(
     }
  
     m->file->seek(offset, SEEK_SET);
-
-    QPDFTokenizer::Token tobjid = readToken(m->file);
-    QPDFTokenizer::Token tgen = readToken(m->file);
-    QPDFTokenizer::Token tobj = readToken(m->file);
-
-    bool objidok = tobjid.isInteger();
-    bool genok = tgen.isInteger();
-    bool objok = tobj.isWord("obj");
-
-    QTC::TC("qpdf", "QPDF check objid", objidok ? 1 : 0);
-    QTC::TC("qpdf", "QPDF check generation", genok ? 1 : 0);
-    QTC::TC("qpdf", "QPDF check obj", objok ? 1 : 0);
-
     try {
-        if (!(objidok && genok && objok)) {
+        QPDFTokenizer::Token tobjid = readToken(m->file);
+        bool objidok = tobjid.isInteger();
+        QTC::TC("qpdf", "QPDF check objid", objidok ? 1 : 0);
+        if (!objidok) {
             QTC::TC("qpdf", "QPDF expected n n obj");
             throw damagedPDF(offset, "expected n n obj");
         }
+        QPDFTokenizer::Token tgen = readToken(m->file);
+        bool genok = tgen.isInteger();
+        QTC::TC("qpdf", "QPDF check generation", genok ? 1 : 0);
+        if (!genok) {
+            throw damagedPDF(offset, "expected n n obj");
+        }
+        QPDFTokenizer::Token tobj = readToken(m->file);
+
+        bool objok = tobj.isWord("obj");
+        QTC::TC("qpdf", "QPDF check obj", objok ? 1 : 0);
+
+        if (!objok) {
+            throw damagedPDF(offset, "expected n n obj");
+        }
         int objid = QUtil::string_to_int(tobjid.getValue().c_str());
         int generation = QUtil::string_to_int(tgen.getValue().c_str());
         og = QPDFObjGen(objid, generation);