2
1
mirror of https://github.com/qpdf/qpdf.git synced 2024-12-22 10:58:58 +00:00

Fix QPDF::tableSize

Apply temporary fix to deal with fuzz case 68915.

(Error is an integer overflow which would immediately cause a runtime error
as a result of a call to QInitCQIntC::to_size.)
This commit is contained in:
m-holger 2024-05-21 12:50:19 +01:00
parent 973edb4f2d
commit 8cd50e0e3e

View File

@ -2391,6 +2391,13 @@ QPDF::tableSize()
// objects. // objects.
auto max_xref = m->xref_table.size() ? m->xref_table.crbegin()->first.getObj() : 0; auto max_xref = m->xref_table.size() ? m->xref_table.crbegin()->first.getObj() : 0;
auto max_obj = m->obj_cache.size() ? m->obj_cache.crbegin()->first.getObj() : 0; auto max_obj = m->obj_cache.size() ? m->obj_cache.crbegin()->first.getObj() : 0;
auto max_id = std::numeric_limits<int>::max() - 1;
if (max_obj >= max_id || max_xref >= max_id) {
// Temporary fix. Long-term solution is
// - QPDFObjGen to enforce objgens are valid and sensible
// - xref table and obj cache to protect against insertion of impossibly large obj ids
stopOnError("Impossibly large object id encountered.");
}
if (max_obj < 1.1 * std::max(toI(m->obj_cache.size()), max_xref)) { if (max_obj < 1.1 * std::max(toI(m->obj_cache.size()), max_xref)) {
return toS(++max_obj); return toS(++max_obj);
} }