Fix loop detection error (fuzz issue 23172)

2020-10-22 05:11:58 -04:00 · 2020-10-22 05:11:58 -04:00 · 24196c08cb
parent 6cc9489fd8
commit 24196c08cb
5 changed files with 17 additions and 9 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+2020-10-22  Jay Berkenbilt  <ejb@ql.org>
+
+	* Fix loop detection problem when traversing page thumbnails
+	during optimization (fuzz issue 23172).
+
 2020-10-21  Jay Berkenbilt  <ejb@ql.org>

 	* Bug fix: properly handle copying foreign streams that have
--- a/1
+++ b/1
@ -65,7 +65,6 @@ Fuzz Errors
 * https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=<N>

 * New:
-  * 23172: stack overflow (https://oss-fuzz.com/testcase-detail/5719543787028480)
  * 23599: integer overflow: https://oss-fuzz.com/testcase?key=6290807920525312
  * 23642: leak: https://oss-fuzz.com/testcase-detail/4906569690251264

--- a/fuzz/qpdf_extra/23172.fuzz
+++ b/fuzz/qpdf_extra/23172.fuzz
--- a/include/qpdf/QPDF.hh
+++ b/include/qpdf/QPDF.hh
@ -1341,7 +1341,8 @@ class QPDF
        std::set<QPDFObjGen>& visited);
    void updateObjectMaps(ObjUser const& ou, QPDFObjectHandle oh);
    void updateObjectMapsInternal(ObjUser const& ou, QPDFObjectHandle oh,
-				  std::set<QPDFObjGen>& visited, bool top);
+				  std::set<QPDFObjGen>& visited, bool top,
+                                  int depth);
    void filterCompressedObjects(std::map<int, int> const& object_stream_data);

    // Type conversion helper methods
--- a/libqpdf/QPDF_optimization.cc
+++ b/libqpdf/QPDF_optimization.cc
@ -354,12 +354,13 @@ void
 QPDF::updateObjectMaps(ObjUser const& ou, QPDFObjectHandle oh)
 {
    std::set<QPDFObjGen> visited;
-    updateObjectMapsInternal(ou, oh, visited, true);
+    updateObjectMapsInternal(ou, oh, visited, true, 0);
 }

 void
 QPDF::updateObjectMapsInternal(ObjUser const& ou, QPDFObjectHandle oh,
-			       std::set<QPDFObjGen>& visited, bool top)
+			       std::set<QPDFObjGen>& visited, bool top,
+                               int depth)
 {
    // Traverse the object tree from this point taking care to avoid
    // crossing page boundaries.
@ -397,7 +398,8 @@ QPDF::updateObjectMapsInternal(ObjUser const& ou, QPDFObjectHandle oh,
 	int n = oh.getArrayNItems();
 	for (int i = 0; i < n; ++i)
 	{
-	    updateObjectMapsInternal(ou, oh.getArrayItem(i), visited, false);
+	    updateObjectMapsInternal(
+                ou, oh.getArrayItem(i), visited, false, 1 + depth);
 	}
    }
    else if (oh.isDictionary() || oh.isStream())
@ -417,8 +419,9 @@ QPDF::updateObjectMapsInternal(ObjUser const& ou, QPDFObjectHandle oh,
 	    {
 		// Traverse page thumbnail dictionaries as a special
 		// case.
-		updateObjectMaps(ObjUser(ObjUser::ou_thumb, ou.pageno),
-				 dict.getKey(key));
+		updateObjectMapsInternal(
+                    ObjUser(ObjUser::ou_thumb, ou.pageno),
+                    dict.getKey(key), visited, false, 1 + depth);
 	    }
 	    else if (is_page_node && (key == "/Parent"))
 	    {
@ -426,8 +429,8 @@ QPDF::updateObjectMapsInternal(ObjUser const& ou, QPDFObjectHandle oh,
 	    }
 	    else
 	    {
-		updateObjectMapsInternal(ou, dict.getKey(key),
-					 visited, false);
+		updateObjectMapsInternal(
+                    ou, dict.getKey(key), visited, false, 1 + depth);
 	    }
 	}
    }