mirror of
https://github.com/qpdf/qpdf.git
Seek in two stages to avoid overflow
When seeking to a position based on a value read from the input, we are prone to integer overflow (fuzz issue 15442). Seek in two stages to move the overflow check into the input source code.
parent
ac5e6de2e8
commit
9a095c5c76
@ -1632,7 +1632,9 @@ QPDF::readObject(PointerHolder<InputSource> input,
|
|||||||
}
|
}
|
||||||
|
|
||||||
length = toS(length_obj.getUIntValue());
|
length = toS(length_obj.getUIntValue());
|
||||||
input->seek(stream_offset + toO(length), SEEK_SET);
|
// Seek in two steps to avoid potential integer overflow
|
||||||
|
input->seek(stream_offset, SEEK_SET);
|
||||||
|
input->seek(toO(length), SEEK_CUR);
|
||||||
if (! (readToken(input) ==
|
if (! (readToken(input) ==
|
||||||
QPDFTokenizer::Token(
|
QPDFTokenizer::Token(
|
||||||
QPDFTokenizer::tt_word, "endstream")))
|
QPDFTokenizer::tt_word, "endstream")))
|
||||||
|
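Review bot: The two-stage seek ending in `input->seek(toO(length), SEEK_CUR);` is only safe if every InputSource::seek implementation range-checks the sum of the current position and the offset for SEEK_CUR, and that check is not visible in this hunk. Without it, the signed addition on a file-supplied `length` has moved into the input source rather than gone away. The new comment should name that dependency, for example `// Seek in two steps: length comes from the file, so rely on InputSource::seek(SEEK_CUR) to range-check the addition`. A regression test built from the fuzz input the commit message cites (issue 15442) would confirm that the concrete input sources used here reject the oversized offset. The body of readObject starts and ends outside the hunk, so any handling of a failed seek before the `endstream` token check cannot be confirmed from here.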