Merge pull request #1288 from m-holger/fuzz

In QPDFParser add a limit on total number of errors in one object
2024-12-22 02:49:00 +00:00 · 2024-09-19 23:58:26 +01:00 · 2024-09-19 23:58:26 +01:00 · 7d34b89a69
commit 7d34b89a69
parent ff2a78f579 06a2d955fc
2 changed files with 11 additions and 8 deletions
--- a/libqpdf/QPDFParser.cc
+++ b/libqpdf/QPDFParser.cc
@ -469,13 +469,14 @@ QPDFParser::fixMissingKeys()
 bool
 QPDFParser::tooManyBadTokens()
 {
-    if (good_count <= 4) {
-        if (++bad_count > 5) {
-            warn("too many errors; giving up on reading object");
-            return true;
-        }
-    } else {
+    if (--max_bad_count > 0 && good_count > 4) {
+        good_count = 0;
        bad_count = 1;
+        return false;
+    }
+    if (++bad_count > 5) {
+        warn("too many errors; giving up on reading object");
+        return true;
    }
    good_count = 0;
    return false;
--- a/libqpdf/qpdf/QPDFParser.hh
+++ b/libqpdf/qpdf/QPDFParser.hh
@ -83,9 +83,11 @@ class QPDFParser
    std::vector<StackFrame> stack;
    StackFrame* frame;
    // Number of recent bad tokens.
-    int bad_count = 0;
+    int bad_count{0};
+    // Number of bad tokens (remaining) before giving up.
+    int max_bad_count{15};
    // Number of good tokens since last bad token. Irrelevant if bad_count == 0.
-    int good_count = 0;
+    int good_count{0};
    // Start offset including any leading whitespace.
    qpdf_offset_t start;
    // Number of successive integer tokens.