Avoid leak by resolving object streams more than once (fuzz issue 23642)

2025-02-02 03:48:24 +00:00 · 2020-10-22 15:19:48 -04:00 · 2020-10-22 15:19:48 -04:00 · 8a11feacc3
commit 8a11feacc3
parent 30bb4c64ee
7 changed files with 182 additions and 10 deletions
--- a/6
+++ b/6
@ -1,9 +1,6 @@
 Candidates for upcoming release
 ===============================

-* Fuzz crashes
-  * See "New" below
-
 * Open "next" issues
  * bugs
    * #473: zsh completion with directories
@ -64,9 +61,6 @@ Fuzz Errors

 * https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=<N>

-* New:
-  * 23642: leak: https://oss-fuzz.com/testcase-detail/4906569690251264
-
 * Ignoring these:
  * Problems inside the jpeg library: 15470, 15751, 18633, 18732,
    18745, 20391, 23581
--- a/fuzz/qpdf_extra/23642-mod.fuzz
+++ b/fuzz/qpdf_extra/23642-mod.fuzz
--- a/fuzz/qpdf_extra/23642.fuzz
+++ b/fuzz/qpdf_extra/23642.fuzz
--- a/include/qpdf/QPDF.hh
+++ b/include/qpdf/QPDF.hh
@ -1403,6 +1403,7 @@ class QPDF
        bool immediate_copy_from;
        bool in_parse;
        bool parsed;
+        std::set<int> resolved_object_streams;

        // Linearization data
        qpdf_offset_t first_xref_item_offset; // actual value from file
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@ -2082,6 +2082,11 @@ QPDF::resolve(int objid, int generation)
 void
 QPDF::resolveObjectsInStream(int obj_stream_number)
 {
+    if (this->m->resolved_object_streams.count(obj_stream_number))
+    {
+        return;
+    }
+    this->m->resolved_object_streams.insert(obj_stream_number);
    // Force resolution of object stream
    QPDFObjectHandle obj_stream = getObjectByID(obj_stream_number, 0);
    if (! obj_stream.isStream())
--- a/qpdf/qtest/qpdf/fuzz-16214.out
+++ b/qpdf/qtest/qpdf/fuzz-16214.out
@ -11,8 +11,6 @@ WARNING: fuzz-16214.pdf (object 1 0, offset 7189): expected n n obj
 WARNING: fuzz-16214.pdf: Attempting to reconstruct cross-reference table
 WARNING: fuzz-16214.pdf (offset 7207): error decoding stream data for object 2 0: stream inflate: inflate: data: invalid code lengths set
 WARNING: fuzz-16214.pdf (offset 7207): getStreamData called on unfilterable stream
-WARNING: fuzz-16214.pdf (offset 7207): error decoding stream data for object 2 0: stream inflate: inflate: data: invalid code lengths set
-WARNING: fuzz-16214.pdf (offset 7207): getStreamData called on unfilterable stream
 WARNING: fuzz-16214.pdf (object 11 0, offset 11551): supposed object stream 5 has wrong type
 WARNING: fuzz-16214.pdf (object 21 0, offset 3639): expected endstream
 WARNING: fuzz-16214.pdf (object 21 0, offset 3112): attempting to recover stream length
--- a/qpdf/qtest/qpdf/issue-143.out
+++ b/qpdf/qtest/qpdf/issue-143.out
@ -15,6 +15,4 @@ WARNING: issue-143.pdf (object 1 0, offset 84): attempting to recover stream len
 WARNING: issue-143.pdf (object 1 0, offset 84): recovered stream length: 606
 WARNING: issue-143.pdf object stream 1 (object 2 0, offset 33): expected dictionary key but found non-name object; inserting key /QPDFFake1
 WARNING: issue-143.pdf (object 2 0, offset 84): supposed object stream 12336 is not a stream
-WARNING: issue-143.pdf (object 2 0, offset 84): supposed object stream 12336 is not a stream
-WARNING: issue-143.pdf (object 2 0, offset 84): supposed object stream 12336 is not a stream
 qpdf: operation succeeded with warnings; resulting file may have some problems