octoleo/qpdf
2
1
Fork 0
mirror of https://github.com/qpdf/qpdf.git synced 2024-11-09 23:00:57 +00:00
Code Issues Releases Wiki Activity

Fix #1170

Browse Source 
In QPDF::read_xrefEntry add buffer overflow test for first eol character.
Overlong f1 or f2 entries consisting only of zeros could cause a buffer
overflow.

Add fuzz testcase 69913.
This commit is contained in:
m-holger 2024-06-26 12:20:46 +01:00
parent 3d569e2171
commit 8ae3ef28ac
4 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
fuzz/CMakeLists.txt
View File

@ -119,6 +119,7 @@ set(CORPUS_OTHER
68668.fuzz 68668.fuzz
68915.fuzz 68915.fuzz
69857.fuzz 69857.fuzz
69913.fuzz
) )
set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus) set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)

BIN
fuzz/qpdf_extra/69913.fuzz Normal file
View File

Binary file not shown.

2
fuzz/qtest/fuzz.test
View File

@ -21,7 +21,7 @@ my @fuzzers = (
['pngpredictor' => 1], ['pngpredictor' => 1],
['runlength' => 6], ['runlength' => 6],
['tiffpredictor' => 2], ['tiffpredictor' => 2],
['qpdf' => 61], # increment when adding new files ['qpdf' => 62], # increment when adding new files
); );
my $n_tests = 0; my $n_tests = 0;

5
libqpdf/QPDF.cc
View File

@ -905,9 +905,8 @@ QPDF::read_xrefEntry(qpdf_offset_t& f1, int& f2, char& type)
if (QUtil::is_space(*p++) && (*p == 'f' || *p == 'n')) { if (QUtil::is_space(*p++) && (*p == 'f' || *p == 'n')) {
// C++20: [[likely]] // C++20: [[likely]]
type = *p; type = *p;
++p; // No test for valid line[19].
++p; // No test for valid line[19]. if (*(++p) && *(++p) && (*p == '\n' || *p == '\r') && f1_len == 10 && f2_len == 5) {
if ((*p == '\n' || *p == '\r') && f1_len == 10 && f2_len == 5) {
// C++20: [[likely]] // C++20: [[likely]]
return true; return true;
} }