mirror of
https://github.com/qpdf/qpdf.git
synced 2024-12-22 10:58:58 +00:00
In qpdf_fuzzer add a memory limit for Pl_Flate
parent
bc68003cb3
commit
2bb9e06d1e
@ -2,6 +2,7 @@
|
|||||||
#include <qpdf/BufferInputSource.hh>
|
#include <qpdf/BufferInputSource.hh>
|
||||||
#include <qpdf/Pl_DCT.hh>
|
#include <qpdf/Pl_DCT.hh>
|
||||||
#include <qpdf/Pl_Discard.hh>
|
#include <qpdf/Pl_Discard.hh>
|
||||||
|
#include <qpdf/Pl_Flate.hh>
|
||||||
#include <qpdf/Pl_PNGFilter.hh>
|
#include <qpdf/Pl_PNGFilter.hh>
|
||||||
#include <qpdf/Pl_TIFFPredictor.hh>
|
#include <qpdf/Pl_TIFFPredictor.hh>
|
||||||
#include <qpdf/QPDF.hh>
|
#include <qpdf/QPDF.hh>
|
||||||
@ -183,6 +184,7 @@ FuzzHelper::doChecks()
|
|||||||
|
|
||||||
Pl_PNGFilter::setMemoryLimit(1'000'000);
|
Pl_PNGFilter::setMemoryLimit(1'000'000);
|
||||||
Pl_TIFFPredictor::setMemoryLimit(1'000'000);
|
Pl_TIFFPredictor::setMemoryLimit(1'000'000);
|
||||||
|
Pl_Flate::setMemoryLimit(10'000'000);
|
||||||
|
|
||||||
// Do not decompress corrupt data. This may cause extended runtime within jpeglib without
|
// Do not decompress corrupt data. This may cause extended runtime within jpeglib without
|
||||||
// exercising additional code paths in qpdf, and potentially causing counterproductive timeouts.
|
// exercising additional code paths in qpdf, and potentially causing counterproductive timeouts.
|
||||||
|
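Review bot: The added `Pl_Flate::setMemoryLimit(10'000'000);` call has no comment, and its value is ten times the limits set on the two lines above it, so a reader cannot tell whether the difference is deliberate. A one-line comment would record the intent, for example `// Bound Pl_Flate output so a small compressed input cannot expand without limit; higher than the predictor limits because <reason>.` with the reason filled in by the author. The setter is static, so the limit stays in force for every Pl_Flate in the process once doChecks has run. doChecks's body continues outside the hunk.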
@ -42,6 +42,11 @@ class QPDF_DLL_CLASS Pl_Flate: public Pipeline
|
|||||||
QPDF_DLL
|
QPDF_DLL
|
||||||
~Pl_Flate() override;
|
~Pl_Flate() override;
|
||||||
|
|
||||||
|
// Limit the memory used.
|
||||||
|
// NB This is a static option affecting all Pl_PNGFilter instances.
|
||||||
|
QPDF_DLL
|
||||||
|
static void setMemoryLimit(unsigned long long limit);
|
||||||
|
|
||||||
QPDF_DLL
|
QPDF_DLL
|
||||||
void write(unsigned char const* data, size_t len) override;
|
void write(unsigned char const* data, size_t len) override;
|
||||||
QPDF_DLL
|
QPDF_DLL
|
||||||
@ -87,6 +92,7 @@ class QPDF_DLL_CLASS Pl_Flate: public Pipeline
|
|||||||
action_e action;
|
action_e action;
|
||||||
bool initialized;
|
bool initialized;
|
||||||
void* zdata;
|
void* zdata;
|
||||||
|
unsigned long long written{0};
|
||||||
std::function<void(char const*, int)> callback;
|
std::function<void(char const*, int)> callback;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
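Review bot: The comment added above `setMemoryLimit` names the wrong class: it says the option affects all `Pl_PNGFilter` instances, but this declaration is in `Pl_Flate`. It also does not say what the limit measures or what zero means. Going by the implementation in this commit, the value is compared against the running total of bytes each instance has passed to the next pipeline, and the initial value `0` disables the check. Suggested wording: `// Limit the number of bytes a Pl_Flate may write to the next pipeline; 0 means no limit.` followed by `// NB This is a static option affecting all Pl_Flate instances.` The class declaration starts and ends outside both hunks.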
@ -7,6 +7,11 @@
|
|||||||
#include <qpdf/QIntC.hh>
|
#include <qpdf/QIntC.hh>
|
||||||
#include <qpdf/QUtil.hh>
|
#include <qpdf/QUtil.hh>
|
||||||
|
|
||||||
|
namespace
|
||||||
|
{
|
||||||
|
unsigned long long memory_limit{0};
|
||||||
|
} // namespace
|
||||||
|
|
||||||
int Pl_Flate::compression_level = Z_DEFAULT_COMPRESSION;
|
int Pl_Flate::compression_level = Z_DEFAULT_COMPRESSION;
|
||||||
|
|
||||||
Pl_Flate::Members::Members(size_t out_bufsize, action_e action) :
|
Pl_Flate::Members::Members(size_t out_bufsize, action_e action) :
|
||||||
@ -63,6 +68,12 @@ Pl_Flate::~Pl_Flate() // NOLINT (modernize-use-equals-default)
|
|||||||
// Must be explicit and not inline -- see QPDF_DLL_CLASS in README-maintainer
|
// Must be explicit and not inline -- see QPDF_DLL_CLASS in README-maintainer
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
Pl_Flate::setMemoryLimit(unsigned long long limit)
|
||||||
|
{
|
||||||
|
memory_limit = limit;
|
||||||
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
Pl_Flate::setWarnCallback(std::function<void(char const*, int)> callback)
|
Pl_Flate::setWarnCallback(std::function<void(char const*, int)> callback)
|
||||||
{
|
{
|
||||||
@ -170,6 +181,12 @@ Pl_Flate::handleData(unsigned char const* data, size_t len, int flush)
|
|||||||
}
|
}
|
||||||
uLong ready = QIntC::to_ulong(m->out_bufsize - zstream.avail_out);
|
uLong ready = QIntC::to_ulong(m->out_bufsize - zstream.avail_out);
|
||||||
if (ready > 0) {
|
if (ready > 0) {
|
||||||
|
if (memory_limit) {
|
||||||
|
m->written += ready;
|
||||||
|
if (m->written > memory_limit) {
|
||||||
|
throw std::runtime_error("PL_Flate memory limit exceeded");
|
||||||
|
}
|
||||||
|
}
|
||||||
this->getNext()->write(m->outbuf.get(), ready);
|
this->getNext()->write(m->outbuf.get(), ready);
|
||||||
zstream.next_out = m->outbuf.get();
|
zstream.next_out = m->outbuf.get();
|
||||||
zstream.avail_out = QIntC::to_uint(m->out_bufsize);
|
zstream.avail_out = QIntC::to_uint(m->out_bufsize);
|
||||||
|
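Review bot: The new check in handleData reads the file-scope `memory_limit` without synchronisation, while `setMemoryLimit` can write it from any thread. If the limit is ever changed after pipelines are in use on other threads that is a data race, so either document that it must be set once before any Pl_Flate runs or declare it `std::atomic<unsigned long long>`. In the lines shown `m->written` only ever grows, so a Pl_Flate that is reused would carry the earlier total into the next stream; whether it is reset elsewhere is not visible here. The exception text spells the class `PL_Flate`; `"Pl_Flate memory limit exceeded"` would match the class name and be easier to search for in fuzzer logs. handleData's body starts and ends outside the hunk.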