Merge pull request #1294 from m-holger/fuzz

Add additional xref and object stream sanity checks

fuzz/CMakeLists.txt

@@ -146,6 +146,9 @@ set(CORPUS_OTHER
   99999b.fuzz
   99999c.fuzz
   99999d.fuzz
+  99999e.fuzz
+  369662293.fuzz
+  369662293a.fuzz
 )
 
 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)

fuzz/qtest/fuzz.test

@@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');
 
 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
 
-my $n_qpdf_files = 83;       # increment when adding new files
+my $n_qpdf_files = 86;       # increment when adding new files
 
 my @fuzzers = (
     ['ascii85' => 1],

libqpdf/QPDF.cc

@@ -1295,6 +1295,9 @@ QPDF::Xref_table::process_stream(qpdf_offset_t xref_offset, QPDFObjectHandle& xr
 
     if (!trailer_) {
         trailer_ = dict;
+        if (size > toS(max_id_)) {
+            throw damaged("Cross-reference stream /Size entry is impossibly large");
+        }
         table.resize(size);
     }
 
@@ -2061,6 +2064,7 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
             (m->file->getName() + " object stream " + std::to_string(obj_stream_number)),
             bp.get()));
 
+    qpdf_offset_t last_offset = -1;
     for (int i = 0; i < n; ++i) {
         QPDFTokenizer::Token tnum = readToken(*input);
         QPDFTokenizer::Token toffset = readToken(*input);
@@ -2086,6 +2090,15 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
                 "object stream claims to contain itself"));
             continue;
         }
+        if (offset <= last_offset) {
+            throw damagedPDF(
+                *input,
+                m->last_object_description,
+                input->getLastOffset(),
+                "expected offsets in object stream to be increasing");
+        }
+        last_offset = offset;
+
         offsets[num] = toI(offset + first);
     }