mirror of https://github.com/qpdf/qpdf.git synced 2025-01-05 16:12:13 +00:00

Seek in two stages to avoid overflow

When seeking to a position based on a value read from the input, we are
prone to integer overflow (fuzz issue 15442). Seek in two stages to
move the overflow check into the input source code.
Jay Berkenbilt 2019-08-27 10:20:14 -04:00
parent ac5e6de2e8
commit 9a095c5c76


@ -1632,7 +1632,9 @@ QPDF::readObject(PointerHolder<InputSource> input,
} }
length = toS(length_obj.getUIntValue()); length = toS(length_obj.getUIntValue());
input->seek(stream_offset + toO(length), SEEK_SET); // Seek in two steps to avoid potential integer overflow
input->seek(stream_offset, SEEK_SET);
input->seek(toO(length), SEEK_CUR);
if (! (readToken(input) == if (! (readToken(input) ==
QPDFTokenizer::Token( QPDFTokenizer::Token(
QPDFTokenizer::tt_word, "endstream"))) QPDFTokenizer::tt_word, "endstream")))
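Review bot: The two-step seek (`input->seek(stream_offset, SEEK_SET);` then `input->seek(toO(length), SEEK_CUR);`) removes the overflow only if every `InputSource::seek` implementation range-checks a `SEEK_CUR` offset against its current position, and nothing in this hunk shows that they do. `length` is taken from the file's own `/Length` value, so an implementation that simply adds the offset to its cursor would move the same overflow one layer down instead of catching it. The comment should name where the check lives, for example `// Seek in two steps: length comes from the file, so stream_offset + length is range-checked inside InputSource::seek rather than added here`. A regression test built from the fuzz input cited in the description would hold every seek implementation to that contract. The body of `readObject` starts and ends outside this hunk, so how a failed seek is handled before `readToken` runs is not visible here.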