mirror of
https://github.com/qpdf/qpdf.git
synced 2025-01-05 08:02:11 +00:00
Limit memory used by Pl_PNGFilter and Pl_TIFFPredictor during fuzzing
This commit is contained in:
parent
fe1fffe8db
commit
34729e37e0
@ -2,6 +2,8 @@
|
|||||||
#include <qpdf/BufferInputSource.hh>
|
#include <qpdf/BufferInputSource.hh>
|
||||||
#include <qpdf/Pl_DCT.hh>
|
#include <qpdf/Pl_DCT.hh>
|
||||||
#include <qpdf/Pl_Discard.hh>
|
#include <qpdf/Pl_Discard.hh>
|
||||||
|
#include <qpdf/Pl_PNGFilter.hh>
|
||||||
|
#include <qpdf/Pl_TIFFPredictor.hh>
|
||||||
#include <qpdf/QPDF.hh>
|
#include <qpdf/QPDF.hh>
|
||||||
#include <qpdf/QPDFAcroFormDocumentHelper.hh>
|
#include <qpdf/QPDFAcroFormDocumentHelper.hh>
|
||||||
#include <qpdf/QPDFOutlineDocumentHelper.hh>
|
#include <qpdf/QPDFOutlineDocumentHelper.hh>
|
||||||
@ -179,6 +181,9 @@ FuzzHelper::doChecks()
|
|||||||
// occur legitimately and therefore must be allowed during normal operations.
|
// occur legitimately and therefore must be allowed during normal operations.
|
||||||
Pl_DCT::setMemoryLimit(1'000'000'000);
|
Pl_DCT::setMemoryLimit(1'000'000'000);
|
||||||
|
|
||||||
|
Pl_PNGFilter::setMemoryLimit(1'000'000'000);
|
||||||
|
Pl_TIFFPredictor::setMemoryLimit(1'000'000'000);
|
||||||
|
|
||||||
// Do not decompress corrupt data. This may cause extended runtime within jpeglib without
|
// Do not decompress corrupt data. This may cause extended runtime within jpeglib without
|
||||||
// exercising additional code paths in qpdf, and potentially causing counterproductive timeouts.
|
// exercising additional code paths in qpdf, and potentially causing counterproductive timeouts.
|
||||||
Pl_DCT::setThrowOnCorruptData(true);
|
Pl_DCT::setThrowOnCorruptData(true);
|
||||||
|
@ -7,6 +7,11 @@
|
|||||||
#include <cstring>
|
#include <cstring>
|
||||||
#include <stdexcept>
|
#include <stdexcept>
|
||||||
|
|
||||||
|
namespace
|
||||||
|
{
|
||||||
|
unsigned long long memory_limit{0};
|
||||||
|
} // namespace
|
||||||
|
|
||||||
static int
|
static int
|
||||||
abs_diff(int a, int b)
|
abs_diff(int a, int b)
|
||||||
{
|
{
|
||||||
@ -41,6 +46,9 @@ Pl_PNGFilter::Pl_PNGFilter(
|
|||||||
if ((bpr == 0) || (bpr > (UINT_MAX - 1))) {
|
if ((bpr == 0) || (bpr > (UINT_MAX - 1))) {
|
||||||
throw std::runtime_error("PNGFilter created with invalid columns value");
|
throw std::runtime_error("PNGFilter created with invalid columns value");
|
||||||
}
|
}
|
||||||
|
if (memory_limit > 0 && bpr > (memory_limit / 2U)) {
|
||||||
|
throw std::runtime_error("PNGFilter memory limit exceeded");
|
||||||
|
}
|
||||||
this->bytes_per_row = bpr & UINT_MAX;
|
this->bytes_per_row = bpr & UINT_MAX;
|
||||||
this->buf1 = QUtil::make_shared_array<unsigned char>(this->bytes_per_row + 1);
|
this->buf1 = QUtil::make_shared_array<unsigned char>(this->bytes_per_row + 1);
|
||||||
this->buf2 = QUtil::make_shared_array<unsigned char>(this->bytes_per_row + 1);
|
this->buf2 = QUtil::make_shared_array<unsigned char>(this->bytes_per_row + 1);
|
||||||
@ -53,6 +61,12 @@ Pl_PNGFilter::Pl_PNGFilter(
|
|||||||
this->incoming = (action == a_encode ? this->bytes_per_row : this->bytes_per_row + 1);
|
this->incoming = (action == a_encode ? this->bytes_per_row : this->bytes_per_row + 1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
Pl_PNGFilter::setMemoryLimit(unsigned long long limit)
|
||||||
|
{
|
||||||
|
memory_limit = limit;
|
||||||
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
Pl_PNGFilter::write(unsigned char const* data, size_t len)
|
Pl_PNGFilter::write(unsigned char const* data, size_t len)
|
||||||
{
|
{
|
||||||
|
@ -7,6 +7,11 @@
|
|||||||
#include <climits>
|
#include <climits>
|
||||||
#include <stdexcept>
|
#include <stdexcept>
|
||||||
|
|
||||||
|
namespace
|
||||||
|
{
|
||||||
|
unsigned long long memory_limit{0};
|
||||||
|
} // namespace
|
||||||
|
|
||||||
Pl_TIFFPredictor::Pl_TIFFPredictor(
|
Pl_TIFFPredictor::Pl_TIFFPredictor(
|
||||||
char const* identifier,
|
char const* identifier,
|
||||||
Pipeline* next,
|
Pipeline* next,
|
||||||
@ -31,9 +36,18 @@ Pl_TIFFPredictor::Pl_TIFFPredictor(
|
|||||||
if ((bpr == 0) || (bpr > (UINT_MAX - 1))) {
|
if ((bpr == 0) || (bpr > (UINT_MAX - 1))) {
|
||||||
throw std::runtime_error("TIFFPredictor created with invalid columns value");
|
throw std::runtime_error("TIFFPredictor created with invalid columns value");
|
||||||
}
|
}
|
||||||
|
if (memory_limit > 0 && bpr > (memory_limit / 2U)) {
|
||||||
|
throw std::runtime_error("TIFFPredictor memory limit exceeded");
|
||||||
|
}
|
||||||
this->bytes_per_row = bpr & UINT_MAX;
|
this->bytes_per_row = bpr & UINT_MAX;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
Pl_TIFFPredictor::setMemoryLimit(unsigned long long limit)
|
||||||
|
{
|
||||||
|
memory_limit = limit;
|
||||||
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
Pl_TIFFPredictor::write(unsigned char const* data, size_t len)
|
Pl_TIFFPredictor::write(unsigned char const* data, size_t len)
|
||||||
{
|
{
|
||||||
|
@ -24,6 +24,10 @@ class Pl_PNGFilter: public Pipeline
|
|||||||
unsigned int bits_per_sample = 8);
|
unsigned int bits_per_sample = 8);
|
||||||
~Pl_PNGFilter() override = default;
|
~Pl_PNGFilter() override = default;
|
||||||
|
|
||||||
|
// Limit the memory used.
|
||||||
|
// NB This is a static option affecting all Pl_PNGFilter instances.
|
||||||
|
static void setMemoryLimit(unsigned long long limit);
|
||||||
|
|
||||||
void write(unsigned char const* data, size_t len) override;
|
void write(unsigned char const* data, size_t len) override;
|
||||||
void finish() override;
|
void finish() override;
|
||||||
|
|
||||||
|
@ -22,6 +22,10 @@ class Pl_TIFFPredictor: public Pipeline
|
|||||||
unsigned int bits_per_sample = 8);
|
unsigned int bits_per_sample = 8);
|
||||||
~Pl_TIFFPredictor() override = default;
|
~Pl_TIFFPredictor() override = default;
|
||||||
|
|
||||||
|
// Limit the memory used.
|
||||||
|
// NB This is a static option affecting all Pl_TIFFPredictor instances.
|
||||||
|
static void setMemoryLimit(unsigned long long limit);
|
||||||
|
|
||||||
void write(unsigned char const* data, size_t len) override;
|
void write(unsigned char const* data, size_t len) override;
|
||||||
void finish() override;
|
void finish() override;
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user