Merge pull request #1194 from m-holger/fuzz

Fix bugs in #1161
2024-12-22 10:58:58 +00:00 · 2024-04-30 09:05:22 -04:00 · 2024-04-30 09:05:22 -04:00 · 6ae439f180
commit 6ae439f180
parent 8f792b7e2e e85b98b7e8
7 changed files with 27 additions and 14 deletions
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@ -114,6 +114,8 @@ set(CORPUS_OTHER
  65681.fuzz
  65773.fuzz
  65777.fuzz
+  68374.fuzz
+  68377.fuzz
 )

 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)
--- a/fuzz/qpdf_extra/68374.fuzz
+++ b/fuzz/qpdf_extra/68374.fuzz
--- a/fuzz/qpdf_extra/68377.fuzz
+++ b/fuzz/qpdf_extra/68377.fuzz
--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@ -21,7 +21,7 @@ my @fuzzers = (
    ['pngpredictor' => 1],
    ['runlength' => 6],
    ['tiffpredictor' => 2],
-    ['qpdf' => 56],             # increment when adding new files
+    ['qpdf' => 58],             # increment when adding new files
    );

 my $n_tests = 0;
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@ -1117,8 +1117,7 @@ QPDF::processXRefStream(qpdf_offset_t xref_offset, QPDFObjectHandle& xref_obj)
        if (obj == 0) {
            // This is needed by checkLinearization()
            m->first_xref_item_offset = xref_offset;
-        }
-        if (fields[0] == 0) {
+        } else if (fields[0] == 0) {
            // Ignore fields[2], which we don't care about in this case. This works around the issue
            // of some PDF files that put invalid values, like -1, here for deleted objects.
            insertFreeXrefEntry(QPDFObjGen(obj, 0));
@ -1196,7 +1195,9 @@ QPDF::insertFreeXrefEntry(QPDFObjGen og)
 void
 QPDF::insertReconstructedXrefEntry(int obj, qpdf_offset_t f1, int f2)
 {
-    if (!(obj > 0 && 0 <= f2 && f2 < 65535)) {
+    // Various tables are indexed by object id, with potential size id + 1
+    constexpr static int max_id = std::numeric_limits<int>::max() - 1;
+    if (!(obj > 0 && obj <= max_id && 0 <= f2 && f2 < 65535)) {
        QTC::TC("qpdf", "QPDF xref overwrite invalid objgen");
        return;
    }
--- a/libqpdf/QPDF_optimization.cc
+++ b/libqpdf/QPDF_optimization.cc
@ -416,22 +416,26 @@ QPDF::filterCompressedObjects(QPDFWriter::ObjTable const& obj)
        ObjUser const& ou = i1.first;
        // Loop over objects.
        for (auto const& og: i1.second) {
-            if (auto const& i2 = obj[og].object_stream; i2 <= 0) {
-                t_obj_user_to_objects[ou].insert(og);
-            } else {
-                t_obj_user_to_objects[ou].insert(QPDFObjGen(i2, 0));
+            if (obj.contains(og)) {
+                if (auto const& i2 = obj[og].object_stream; i2 <= 0) {
+                    t_obj_user_to_objects[ou].insert(og);
+                } else {
+                    t_obj_user_to_objects[ou].insert(QPDFObjGen(i2, 0));
+                }
            }
        }
    }

    for (auto const& i1: m->object_to_obj_users) {
        QPDFObjGen const& og = i1.first;
-        // Loop over obj_users.
-        for (auto const& ou: i1.second) {
-            if (auto i2 = obj[og].object_stream; i2 <= 0) {
-                t_object_to_obj_users[og].insert(ou);
-            } else {
-                t_object_to_obj_users[QPDFObjGen(i2, 0)].insert(ou);
+        if (obj.contains(og)) {
+            // Loop over obj_users.
+            for (auto const& ou: i1.second) {
+                if (auto i2 = obj[og].object_stream; i2 <= 0) {
+                    t_object_to_obj_users[og].insert(ou);
+                } else {
+                    t_object_to_obj_users[QPDFObjGen(i2, 0)].insert(ou);
+                }
            }
        }
    }
--- a/libqpdf/qpdf/ObjTable.hh
+++ b/libqpdf/qpdf/ObjTable.hh
@ -62,6 +62,12 @@ class ObjTable: public std::vector<T>
        return idx < std::vector<T>::size() || sparse_elements.count(idx);
    }

+    inline bool
+    contains(QPDFObjGen og) const
+    {
+        return contains(static_cast<size_t>(og.getObj()));
+    }
+
    inline bool
    contains(QPDFObjectHandle oh) const
    {