mirror of
https://github.com/qpdf/qpdf.git
synced 2024-12-22 10:58:58 +00:00
Fix QPDF::tableSize
Apply temporary fix to deal with fuzz case 68915. (Error is an integer overflow which would immediately cause a runtime error as a result of a call to QIntC::to_size.)
parent
973edb4f2d
commit
8cd50e0e3e
@ -2391,6 +2391,13 @@ QPDF::tableSize()
|
|||||||
// objects.
|
// objects.
|
||||||
auto max_xref = m->xref_table.size() ? m->xref_table.crbegin()->first.getObj() : 0;
|
auto max_xref = m->xref_table.size() ? m->xref_table.crbegin()->first.getObj() : 0;
|
||||||
auto max_obj = m->obj_cache.size() ? m->obj_cache.crbegin()->first.getObj() : 0;
|
auto max_obj = m->obj_cache.size() ? m->obj_cache.crbegin()->first.getObj() : 0;
|
||||||
|
auto max_id = std::numeric_limits<int>::max() - 1;
|
||||||
|
if (max_obj >= max_id || max_xref >= max_id) {
|
||||||
|
// Temporary fix. Long-term solution is
|
||||||
|
// - QPDFObjGen to enforce objgens are valid and sensible
|
||||||
|
// - xref table and obj cache to protect against insertion of impossibly large obj ids
|
||||||
|
stopOnError("Impossibly large object id encountered.");
|
||||||
|
}
|
||||||
if (max_obj < 1.1 * std::max(toI(m->obj_cache.size()), max_xref)) {
|
if (max_obj < 1.1 * std::max(toI(m->obj_cache.size()), max_xref)) {
|
||||||
return toS(++max_obj);
|
return toS(++max_obj);
|
||||||
}
|
}
|
||||||
|
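Review bot: The new guard on `max_obj` / `max_xref` rejects only ids at or above `std::numeric_limits<int>::max() - 1`, so an id just below that bound still passes and `toS(++max_obj)` can return a table size close to 2^31. The rest of QPDF::tableSize lies outside this hunk, but if callers size containers from its result, a malformed file could presumably still force a very large allocation even with the overflow gone. The in-code comment names the long-term fix; until then I would state the remaining gap next to the check, e.g. `// NOTE: ids below max_id still pass; tableSize() may be huge for damaged files`. The `- 1` margin is unexplained, and a one-line comment naming the increment it protects would help. The guard also relies on stopOnError() not returning, which is not visible here.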