From 6971f78ff6fb87a7e6da6ee57e8e28ded4fe1a26 Mon Sep 17 00:00:00 2001 From: Jay Berkenbilt Date: Sat, 31 Oct 2020 13:10:39 -0400 Subject: [PATCH] Fix stack overflow on direct root (fuzz issue 26761) --- ChangeLog | 4 ++++ fuzz/qpdf_extra/26761.fuzz | Bin 0 -> 793 bytes libqpdf/QPDFWriter.cc | 3 ++- 3 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 fuzz/qpdf_extra/26761.fuzz diff --git a/ChangeLog b/ChangeLog index cdd64ee3..4c8c61b7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,9 @@ 2020-10-31 Jay Berkenbilt + * Don't enter extension initialization in QPDFWriter on a direct + object. Fixes stack overflow in pathological case of /Root being a + direct object (fuzz issue 26761). + * My previous fix to #449 (handling foreign streams with indirect objects in /Filter and/or /DecodeParms) was incorrect and caused other problems. There is a now a correct fix to the original diff --git a/fuzz/qpdf_extra/26761.fuzz b/fuzz/qpdf_extra/26761.fuzz new file mode 100644 index 0000000000000000000000000000000000000000..c565895cddac589f725ebde6740051c443ac9316 GIT binary patch literal 793 zcmZ8fO^Xvj5M9xW4J(4+QR<*a?Vco)-9Q+~=N{bPGAmgmEYitTvZJ%zp{Em)^(>s|0S2n$xvY$mHUedwuv{p!`LHq06sCuj!eHgmbjn=++^9W~NX ztR`mgdLxel$TsVB#zU>`Exu!Lc`TJpu-9*TAV3cvv3ebNXJJvLu~sR#-$uLH$u^F= zkH(z<_wH<+L+;`n6WE3zaEtHB38qjY&Jg(h5(0byM71Xk;Z_ntO!dr+NRw-* zOC{4nC%47E7!Rf2;LGv9Mg-q?{wo_H<oh{&u*vj$IDD8OlPSF@oL`Y;GEM`xLj z;ic=%8?O$&{k(i-nm&Jb`sLHJCtq*YmM;z}CqJ&SjX&?17>epxAd2b`y$CB9p@&GL z=#v5KR=0{)8Q-^2t4kB55wgHyVTa4;i@)iiFy5Hiqt4v<%-ec&Z;FcXR<}n_rnBEK uF@9!Oxs>V8r@1gVW&&zV6aiJ=FZ(ctBInUqT!1QaUYV@=Ket``C-)bcw%;rO literal 0 HcmV?d00001 diff --git a/libqpdf/QPDFWriter.cc b/libqpdf/QPDFWriter.cc index ba19cbb9..fcf272f6 100644 --- a/libqpdf/QPDFWriter.cc +++ b/libqpdf/QPDFWriter.cc 
@@ -1537,7 +1537,8 @@ QPDFWriter::unparseObject(QPDFObjectHandle object, int level,
 bool have_extensions_adbe = false;
 QPDFObjectHandle extensions;
- if (old_og == this->m->pdf.getRoot().getObjGen())
+ if ((old_og.getObj() != 0) &&
+ (old_og == this->m->pdf.getRoot().getObjGen()))
 {
 is_root = true;
 if (object.hasKey("/Extensions") &&
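Review bot: The added `old_og.getObj() != 0` guard on the changed `if` encodes a convention the reader has to reconstruct — presumably a direct object reports object number 0, so when /Root is itself direct (the pathological case named in the ChangeLog) every direct object compared equal to the root's objgen and the extensions handling re-entered unparseObject until the stack overflowed — but nothing at the site says so. I would put that reasoning in a comment above the condition, `// A direct object has object number 0; if /Root is itself direct, skip the root/extensions handling instead of treating every direct object as the root.`, so the check is not simplified away later. It is worth adding to that comment that a document with a direct /Root now gets no /Extensions processing at all, which looks acceptable for a malformed file but is a silent behavior change rather than an error. The commit adds only the fuzz input under fuzz/qpdf_extra; if the regular test suite has a home for malformed-file cases, a small regression test for a direct /Root would pin this independently of the fuzzer. unparseObject begins and ends outside the hunk.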