From 0aa6b67eea993fa75c8bb3c6548ec975f8383154 Mon Sep 17 00:00:00 2001
From: m-holger <m.holger@qpdf.org>
Date: Tue, 24 Sep 2024 01:32:32 +0100
Subject: [PATCH] In QPDFWordTokenFinder::check limit the token length

Tokens longer than the target cannot be a match and therefore there is no
need to read to the end of token.
---
 .idea/cmake.xml             |   1 -
 fuzz/CMakeLists.txt         |   1 +
 fuzz/qpdf_extra/99999d.fuzz | Bin 0 -> 5408 bytes
 fuzz/qtest/fuzz.test        |   2 +-
 libqpdf/QPDFTokenizer.cc    |   2 +-
 5 files changed, 3 insertions(+), 3 deletions(-)
 create mode 100644 fuzz/qpdf_extra/99999d.fuzz

diff --git a/.idea/cmake.xml b/.idea/cmake.xml
index f0a93aba..5762463a 100644
--- a/.idea/cmake.xml
+++ b/.idea/cmake.xml
@@ -2,7 +2,6 @@
 <project version="4">
   <component name="CMakeSharedSettings">
     <configurations>
-      <configuration PROFILE_NAME="Debug" ENABLED="true" CONFIG_NAME="Debug" />
       <configuration PROFILE_NAME="Maintainer" ENABLED="true" CONFIG_NAME="RelWithDebInfo" GENERATION_OPTIONS="-DMAINTAINER_MODE=ON -DBUILD_STATIC_LIBS=OFF" />
       <configuration PROFILE_NAME="Windows" ENABLED="true" CONFIG_NAME="RelWithDebInfo" TOOLCHAIN_NAME="Visual Studio" GENERATION_OPTIONS="-DBUILD_SHARED_LIBS=OFF" />
     </configurations>
diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt
index adb68cd4..a4af9256 100644
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -145,6 +145,7 @@ set(CORPUS_OTHER
   99999a.fuzz
   99999b.fuzz
   99999c.fuzz
+  99999d.fuzz
 )
 
 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)
diff --git a/fuzz/qpdf_extra/99999d.fuzz b/fuzz/qpdf_extra/99999d.fuzz
new file mode 100644
index 0000000000000000000000000000000000000000..4504412f604a5fa072b153bf5f71488eabc137a8
GIT binary patch
literal 5408
zcmY#T_^%q^;-+h;XHpDfaH$@D)4zyIRn;@EEI&E1Br`wHN+G?tJTuSCBw0Z>#U-=2
zASbcXEx#x?vBcKU(!$)r0wElfTAZI#3ese2Xkr2sch1i(02-1sKPR)K(kHbnHAfj}
zn}Tkkf^L8=P(Ikv%{2%}`}zAjh6cL=Sx$~2&K?T7#V)R4uFkH?1u1FeMVTe3KoS4a
zl7i9_x6GVW<zVL^w;;#=qyR&`^prFt7iFTl$ezno!9XEDDT~X-M&BnjFTEr~!3-!8
zqz|;PB(+FE-z_JxB-JG~IX@-U&W@|Nq$o8pm#bpV+q<^iDv?#J4-8LbbQzwKC>F?^
za`D`;BjtA*3@3$he0AV<%Q+||b+D;w;$`JBG0v@lXU<D|@6Ws`E&0Cs^I~n~bGA3x
zQ$qBE^246nO^p<-{B&e?p>o~LsjgeKpZ~vc|NqC&wL5>G{~iBsb-=r4|6lL=@!#p@
z)ZP34RenEyxBl*bq4!tKT;t!?UBB)sod4A~Jmjy$|Ge(RIi2_a7yQ4=|9{i(_xt~y
zpZ|XU@5gyN{=d7sP7BEV+y8&Z>UaBR|699D|Nq~A?U~=NhVwsl{v*6^*Z<}6W&d}z
z@h{9Uers@dZ{-c!{9Dek;;Cv=``dSC{%+*AuMPiFs#f>?t9k$adv|jmEtKirb@Isk
z@4x*|DD%h0w!E2Nc|@H>{`aD{Me;xYaMxDcIC6ZO&MCX!;#RFsCiW}VRh~G$-@Wcx
zXe7U@?53~Z{pA&EHM$p6b%upr72CN#=!<DoXsm|T)$T2;POp*(S$}C2=SS|H_GJ~5
zGqaO|*<aSp*{^qL_bQE7cjT?smDdUuZJv1T_a>cNf6P@v@^3FXQ?I$ON}?-n+gTpp
z&^#;sfW#}CYGm5Bas2$r@oHh0uJbo1-jCdy#4ksb9bItwHWyid0R+g>NrWb46qEId
z&@nia2!KO{aJWE~*%&&yxH&pG8=06I8acWeyP7+j7`vI68@QTUm^hicnc6`W0;#JE
zEC>!2SjJQ^gEAvNy=7n^rT8MG7U&udqFe;Z8UKAk@ni~BVsnKyDBT(B;Z1$u#LW2t
zuNuOVIDPgH7%osr5EBG&s--|;v_wLRqajx!v3>jc70LaWOlZm&Es-EOh&m)NPzR<&
zGQwUWjaE-26o8}E6J{xaTLfpoj#f|5Km&&m?f|4rW{5YKN2@2C`3Fg2*px`vsweuj
zl957`>P(DW4DyzqejtW8K7o1U0rEWa>fE;PKke(;Q;+S9EX_-S4(g=lrGN&4K*K*E
z+R)I%*nkTp_?J?k5X7Yb1cu;|B?!|TG{^*DS|FH~5GK%e6R0bI!%`uY1*yRCjPz7}
z-_(@MM5p`;g=hnyw5g@3f`y4uEEiC+C^fG{!5FMtA2b?QT9lk>4AdJ?l%E`&S`w`f
z9Pm@n_sj*F;uOmT9LUml&d)0WYARL$4S)rKgrNQhnF1LQQvh470JghWLEk$wrC1>v
z?6M%PSOuU7r9ev!k+d4ZwL*0|Czd4U<fp@ofI84OwIne`9Vn#$2?d1RAU@b`1p^RJ
z$W!1dDM|zm{S^Vn=M?mVGpkY+EEIr)X8AyiLGA|nDK9Nw!3f0W()V;xh_*2$G`@hU
S0zBjZ4wB-M#G;alqErCFAmJbY

literal 0
HcmV?d00001

diff --git a/fuzz/qtest/fuzz.test b/fuzz/qtest/fuzz.test
index 51a35532..df5318cf 100644
--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');
 
 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
 
-my $n_qpdf_files = 82;       # increment when adding new files
+my $n_qpdf_files = 83;       # increment when adding new files
 
 my @fuzzers = (
     ['ascii85' => 1],
diff --git a/libqpdf/QPDFTokenizer.cc b/libqpdf/QPDFTokenizer.cc
index d48abd3e..7f7c6d9e 100644
--- a/libqpdf/QPDFTokenizer.cc
+++ b/libqpdf/QPDFTokenizer.cc
@@ -47,7 +47,7 @@ QPDFWordTokenFinder::check()
     // Find a word token matching the given string, preceded by a delimiter, and followed by a
     // delimiter or EOF.
     QPDFTokenizer tokenizer;
-    QPDFTokenizer::Token t = tokenizer.readToken(is, "finder", true);
+    QPDFTokenizer::Token t = tokenizer.readToken(is, "finder", true, str.size() + 2);
     qpdf_offset_t pos = is.tell();
     if (!(t == QPDFTokenizer::Token(QPDFTokenizer::tt_word, str))) {
         QTC::TC("qpdf", "QPDFTokenizer finder found wrong word");