octoleo
/
qpdf
mirror of https://github.com/qpdf/qpdf.git
2
1
Fork 0
Code Issues Releases Wiki Activity

Fix two additional fuzz test cases

This commit is contained in:
Jay Berkenbilt 2019-11-03 18:54:39 -05:00
parent c590dbc38e
commit 9094fb1f8e
3 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
fuzz/qpdf_extra/18241.fuzz Normal file
View File

Binary file not shown.

BIN
fuzz/qpdf_extra/18247.fuzz Normal file
View File

Binary file not shown.

5
libqpdf/QPDF.cc
View File

@ -688,7 +688,7 @@ QPDF::read_xref(qpdf_offset_t xref_offset)
{
max_obj = std::max(max_obj, *(this->m->deleted_objects.rbegin()));
}
if (size - 1 != max_obj)
if ((size < 1) || (size - 1 != max_obj))
{
QTC::TC("qpdf", "QPDF xref size mismatch");
warn(QPDFExc(qpdf_e_damaged_pdf, this->m->file->getName(), "", 0,
@ -1206,7 +1206,8 @@ QPDF::processXRefStream(qpdf_offset_t xref_offset, QPDFObjectHandle& xref_obj)
// an uncompressed object record, in which case the generation
// number appears as the third field.
int obj = toI(indx.at(cur_chunk));
if ((std::numeric_limits<int>::max() - obj) < chunk_count)
if ((obj < 0) ||
((std::numeric_limits<int>::max() - obj) < chunk_count))
{
std::ostringstream msg;
msg << "adding " << chunk_count << " to " << obj