
Further limit size of uncompressed JPEG for fuzzing

Try a limit of 50MB. For very large limits, the processing time before
damage is encountered may exceed oss-fuzz limits.
Add further test cases.
This commit is contained in:
m-holger 2024-07-11 13:27:50 +01:00
parent e914bbbbbc
commit 722148de3d
5 changed files with 7 additions and 6 deletions



@ -13,7 +13,7 @@ my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
my @fuzzers = (
['ascii85' => 1],
['dct' => 2],
['dct' => 4],
['flate' => 1],
['hex' => 1],
['json' => 40],


@ -335,10 +335,11 @@ Pl_DCT::decompress(void* cinfo_p, Buffer* b)
(void)jpeg_calc_output_dimensions(cinfo);
unsigned int width = cinfo->output_width * QIntC::to_uint(cinfo->output_components);
if (memory_limit > 0 &&
width > (static_cast<unsigned long>(memory_limit) / (2U * cinfo->output_height))) {
// Even if jpeglib does not run out of memory, qpdf will while buffering thye data before
// writing it.
throw std::runtime_error("Pl_DCT::decompress: JPEG data exceeds memory limit");
width > (static_cast<unsigned long>(memory_limit) / (20U * cinfo->output_height))) {
// Even if jpeglib does not run out of memory, qpdf will while buffering the data before
// writing it. Furthermore, for very large images runtime can be significant before the
// first warning is encountered causing a timeout in oss-fuzz.
throw std::runtime_error("Pl_DCT::decompress: JPEG data large - may be too slow");
}
JSAMPARRAY buffer =
(*cinfo->mem->alloc_sarray)(reinterpret_cast<j_common_ptr>(cinfo), JPOOL_IMAGE, width, 1);
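Review bot: The divisor `20U` on the new `width >` line is an unexplained magic number, and because `memory_limit` is whatever the caller passed in, it tightens the effective bound tenfold (decoded image at most memory_limit/20 bytes instead of memory_limit/2) for every user of the memory-limit API, not only the fuzzer; the hunk does not show whether that API is fuzz-only, so this deserves either a named constant or a note in the API documentation. Pull the factor out with its rationale, e.g. `// decoded image (rows * bytes per row) may use at most memory_limit / k_size_factor bytes; 20 keeps oss-fuzz runs under the timeout` and `constexpr unsigned int k_size_factor = 20U;`, and use it in the comparison. The same expression divides by `cinfo->output_height`; this presumably relies on jpeglib having rejected zero-height images before this point, which is worth stating in the comment, e.g. `// output_height > 0 here: jpeglib rejects empty images in jpeg_read_header — confirm`. Pl_DCT::decompress starts and ends outside the hunk.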


@ -99,7 +99,7 @@ QPDF::getAllPagesInternal(
for (int i = 0; i < n; ++i) {
auto kid = kids.getArrayItem(i);
if (!kid.isDictionary()) {
kid.warnIfPossible("Pages tree includes non-dictionary object; removing");
kid.warnIfPossible("Pages tree includes non-dictionary object; ignoring");
continue;
}
if (kid.hasKey("/Kids")) {