-
Fixes oss-fuzz case 394129398. Issue arose from chaining multiple runlength filters and inflating a compressed stream of ~100 bytes to several gigabytes. There is no obvious fix without imposing an arbitrary implementation limit and therefore potentially excluding valid PDF files.
-
Also, tidy pipeline constructors and make subclasses final where possible.
-
Buffer output locally. Add qpdf_fuzzer test case.
-
Using search and replace.
-
Run this: for i in **/*.cc **/*.c **/*.h **/*.hh; do clang-format < $i >| $i.new && mv $i.new $i done
-
Have classes contain only a single private member of type PointerHolder<Members>. This makes it safe to change the structure of the Members class without breaking binary compatibility. Many of the classes already follow this pattern quite successfully. This brings in the rest of the class that are part of the public API.
-
This makes all integer type conversions that have potential data loss explicit with calls that do range checks and raise an exception. After this commit, qpdf builds with no warnings when -Wsign-conversion -Wconversion is used with gcc or clang or when -W3 -Wd4800 is used with MSVC. This significantly reduces the likelihood of potential crashes from bogus integer values. There are some parts of the code that take int when they should take size_t or an offset. Such places would make qpdf not support files with more than 2^31 of something that usually wouldn't be so large. In the event that such a file shows up and is valid, at least qpdf would raise an error in the right spot so the issue could be legitimately addressed rather than failing in some weird way because of a silent overflow condition.