Refine QPDFParser error handling

Fail if a bad token is encountered while parsing an array or dictionary with more than 100,000 elements. Fixes oss-fuzz case 388571629.
2025-02-14 09:40:22 +00:00 · 2025-02-04 15:06:39 +00:00 · 2025-02-04 15:06:39 +00:00 · 43fa1b2755
commit 43fa1b2755
parent 671b6e2ecf
4 changed files with 7 additions and 1 deletions
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@ -149,6 +149,7 @@ set(CORPUS_OTHER
  376305073.fuzz
  376305073a.fuzz
  377977949.fuzz
+  388571629.fuzz
  389339260.fuzz
  389974979.fuzz
  391974927.fuzz
--- a/fuzz/qpdf_extra/388571629.fuzz
+++ b/fuzz/qpdf_extra/388571629.fuzz
--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');

 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";

-my $n_qpdf_files = 90;       # increment when adding new files
+my $n_qpdf_files = 91;       # increment when adding new files

 my @fuzzers = (
    ['ascii85' => 1],
--- a/libqpdf/QPDFParser.cc
+++ b/libqpdf/QPDFParser.cc
@ -470,6 +470,11 @@ bool
 QPDFParser::tooManyBadTokens()
 {
    if (--max_bad_count > 0 && good_count > 4) {
+        if (frame->olist.size() > 100'000 || frame->dict.size() > 100'000) {
+            warn("encountered errors while parsing an array or dictionary with more than 100000 "
+                 "elements; giving up on reading object");
+            return true;
+        }
        good_count = 0;
        bad_count = 1;
        return false;