2
1
mirror of https://github.com/qpdf/qpdf.git synced 2024-12-22 02:49:00 +00:00

Merge pull request #1294 from m-holger/fuzz

Add additional xref and object stream sanity checks
This commit is contained in:
m-holger 2024-09-28 01:02:32 +01:00 committed by GitHub
commit 2cb2412fbf
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 17 additions and 1 deletions

View File

@ -146,6 +146,9 @@ set(CORPUS_OTHER
99999b.fuzz
99999c.fuzz
99999d.fuzz
99999e.fuzz
369662293.fuzz
369662293a.fuzz
)
set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)

Binary file not shown.

Binary file not shown.

BIN
fuzz/qpdf_extra/99999e.fuzz Normal file

Binary file not shown.

View File

@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');
my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
my $n_qpdf_files = 83; # increment when adding new files
my $n_qpdf_files = 86; # increment when adding new files
my @fuzzers = (
['ascii85' => 1],

View File

@ -1295,6 +1295,9 @@ QPDF::Xref_table::process_stream(qpdf_offset_t xref_offset, QPDFObjectHandle& xr
if (!trailer_) {
trailer_ = dict;
if (size > toS(max_id_)) {
throw damaged("Cross-reference stream /Size entry is impossibly large");
}
table.resize(size);
}
@ -2061,6 +2064,7 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
(m->file->getName() + " object stream " + std::to_string(obj_stream_number)),
bp.get()));
qpdf_offset_t last_offset = -1;
for (int i = 0; i < n; ++i) {
QPDFTokenizer::Token tnum = readToken(*input);
QPDFTokenizer::Token toffset = readToken(*input);
@ -2086,6 +2090,15 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
"object stream claims to contain itself"));
continue;
}
if (offset <= last_offset) {
throw damagedPDF(
*input,
m->last_object_description,
input->getLastOffset(),
"expected offsets in object stream to be increasing");
}
last_offset = offset;
offsets[num] = toI(offset + first);
}