octoleo/qpdf
2
1
Fork 0
mirror of https://github.com/qpdf/qpdf.git synced 2024-09-22 10:09:06 +00:00
Code Issues Releases Wiki Activity

Add sanity check on trailer /Size entry

Browse Source
This commit is contained in:
m-holger 2024-09-20 14:20:34 +01:00
parent 44a1395194
commit 21f176d374
5 changed files with 25 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
libqpdf/QPDF.cc
View File

@ -1057,7 +1057,10 @@ QPDF::Xref_table::process_section(qpdf_offset_t xref_offset)
QTC::TC("qpdf", "QPDF trailer size not integer");
throw qpdf.damagedPDF("trailer", "/Size key in trailer dictionary is not an integer");
}
if (sz >= static_cast<unsigned int>(max_id_)) {
QTC::TC("qpdf", "QPDF trailer size impossibly large");
throw qpdf.damagedPDF("trailer", "/Size key in trailer dictionary is impossibly large");
}
table.resize(sz);
}

1
qpdf/qpdf.testcov
View File

@ -55,6 +55,7 @@ QPDF invalid xref entry 0
QPDF missing trailer 0
QPDF trailer lacks size 0
QPDF trailer size not integer 0
QPDF trailer size impossibly large 0
QPDF trailer prev not integer 0
QPDFParser bad brace 0
QPDFParser bad brace in parseRemainder 0

19
qpdf/qtest/qpdf/issue-fuzz.out Normal file
View File

@ -0,0 +1,19 @@
WARNING: issue-fuzz.pdf: can't find PDF header
WARNING: issue-fuzz.pdf (xref table, offset 19): accepting invalid xref table entry
WARNING: issue-fuzz.pdf (trailer, offset 36): unknown token while reading object; treating as string
WARNING: issue-fuzz.pdf (trailer, offset 53): unexpected >
WARNING: issue-fuzz.pdf (trailer, offset 54): unknown token while reading object; treating as string
WARNING: issue-fuzz.pdf (trailer, offset 58): unknown token while reading object; treating as string
WARNING: issue-fuzz.pdf (trailer, offset 72): unknown token while reading object; treating as string
WARNING: issue-fuzz.pdf (trailer, offset 36): dictionary ended prematurely; using null as value for last key
WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake1
WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake2
WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake3
WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake4
WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake5
WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake6
WARNING: issue-fuzz.pdf (trailer, offset 36): expected dictionary key but found non-name object; inserting key /QPDFFake7
WARNING: issue-fuzz.pdf: file is damaged
WARNING: issue-fuzz.pdf (trailer, offset 32): /Size key in trailer dictionary is impossibly large
WARNING: issue-fuzz.pdf: Attempting to reconstruct cross-reference table
qpdf: issue-fuzz.pdf: unable to find /Root dictionary

BIN
qpdf/qtest/qpdf/issue-fuzz.pdf Normal file
View File

Binary file not shown.

1
qpdf/qtest/specific-bugs.test
View File

@ -38,6 +38,7 @@ my @bug_tests = (
["263", "empty xref stream", 2],
["335a", "ozz-fuzz-12152", 2],
["335b", "ozz-fuzz-14845", 2],
["fuzz", "impossibly large trailer /Size"],
# ["fuzz-16214", "stream in object stream", 3, "--preserve-unreferenced"],
# When adding to this list, consider adding to CORPUS_FROM_TEST in
# fuzz/CMakeLists.txt and updating the count in