From a84a0b248768dcbab7fc007bb22a258cac9e4131 Mon Sep 17 00:00:00 2001 From: Jay Berkenbilt Date: Thu, 4 Nov 2021 13:52:47 -0400 Subject: [PATCH] Add range check in QPDFNumberTreeObjectHelper (fuzz issue 37740) --- ChangeLog | 2 ++ fuzz/qpdf_extra/37740.fuzz | Bin 0 -> 12948 bytes libqpdf/QPDFNumberTreeObjectHelper.cc | 2 ++ 3 files changed, 4 insertions(+) create mode 100644 fuzz/qpdf_extra/37740.fuzz
diff --git a/ChangeLog b/ChangeLog
index 56a2be61..45b70fea 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 2021-11-04 Jay Berkenbilt
+ * Add range check in QPDFNumberTreeObjectHelper (fuzz issue 37740).
+ * Add QIntC::range_check_substract to do range checking on subtraction, which has different boundary conditions from addition. 
diff --git a/fuzz/qpdf_extra/37740.fuzz b/fuzz/qpdf_extra/37740.fuzz new file mode 100644 index 0000000000000000000000000000000000000000..64189f69c1d59a3f3d3b136de2ceb6db9b38c587 GIT binary patch literal 12948 zcmeHOOK%*x5q5IquV4ZQuz}1rUrlx=f&ss@yNK6Tq{-9pp`~egXLmH?O!pYxy)5>a ze-Y%5G^kBk2lVtDj|N7g% z$=+}5S4Ie@jIK_;A^ZD;(&VssQ$8wfCiOPjkdCvTMGa8ZiM`+)Z^HEp9eBY;bb}oEp5$HB= zG)wdFQu<+zsWfmS2E@|3!{uuX?H z&m5&$Xv@PBXYC_u-pvR|hDX^xwuE>~iMOP9ON(ce-@A8l;U{bIwdf%;jKqq16U)~6*d8rwHH03!Yi3^?Fawh%UpB{^KLPLE5_ zwujWdXsilWqT|ttmfSRlf-9pksg<#a4OlHn$D;T4DEbkq3F@eIE-msNi;pZ-^5|W; zoUbQ{)#m)=$zuNJ4XnkFqKv47hM?)iB=m-QO$l3b`&34!(^PsUucJ&w&`M*X`gL|q zQ9o!ADJC)@wax|0Wu~-*|I#SUjFQ~wOmMDJznrKK0avcHsB%++__PuyQ}p&|*;UNi zIYB?xb`RDry?^@@0Qr^mfwBvNo;W6qx0xLhMiN9NCX5dpU12`RK0gxt8L@#n!m^67 z{K>q>8JD^A4xZy5xZZCC@0;)mCiZgTO1c`j&8~3!?AIlFa?`6 zzQuK=JLtN&BzEr|GqxM`1ig^@lY8Xn&6&v^i7-e;W27SX{16dG@1iS6i9G|w#Mwnx zpb4DgqK;bcqAM_jZ`q#fU33K*v1jR+vE3e5aP7k(&xy?kM8q+-#}#~!36kr?9l;3X zG@@(A?4TJX@{lTTJmo(i25!MSET@-_&1I z=?XcpbE@ifS)7x{Q`ksh9Ym=8v-0eWu~agqIebd^D8@|Am|%>Z872$KSo!*_hfcM|56Me`2mKysLA7;k`v%9?&KmxMMc9@6OOhL*V6!}}=c{E!h!qcoRyx%2Y=Nf*;&D-xw(yXA zQ7+z<_58Fz1fDHVSF`!@4NZPOUp`t^bKih3Uliw9uHg85yg8|Dc@a<4w#6N-anA11 z+7^$HES6~#sPf{kY5Be;uLEmPkQu8^5S#yRIrge^g|(>awu8m{V4=!=fm8Z3We2Pg zN4ZbhC=&+ST4~_Vms@=)732i0=Ig4adC2%D&kOwSeK-_nZ9P?Y5wpF+v`x9Knbm?f zuNNh~|7G=$3JQ;thcx{qP5$u5Khfo8v1orhuz0&lU{lovh8#VG?_PisT2?%(4qbTd zI1TRkX$g$Kaz)!1IjB5>N<5}k!mDMNuFJQ@w@|1ADYzFyYigiIBI5!auFH2Vph?4) z%?lhkzWn$BM_$YBB7rm3F{+Qwi{-4K{4Lc z6~c|WT`um9o9*uZ4x2k{{+DgTo!xA=n{HqX&fLY75dFL}4+lsa4mk_`oioQPH^G3K}`@6&WZny!W_Lw6u7mayc20W_u&Rm!+qG! 
z2LcU=?8+@fC$2Tr!emV>bJwS?-W$Na`O?@HN1_R6`G3Qx)oBR7o=pqNb=dSDpv!isBPYIjUSA%-yF$g3Az1Cw2G!dV%+QhP0z&c;~q6AhPkaa^s- z_v`YEFj&}z!10i=U*Qjmcb`&vMqL}z8t*6AH%s5f6rS-0Z5d`+`fae-fVDxJP~(0| zb^2+UWq{sbScV1new$!=G?frojT`h+P&ARk=$r--gf`&72K};ZG*+@4mTbSD6sUng zTZ-O!&}QuAfk0Ej#jLiE)|jR4k5F<9tV-2L0eIVRG&Ub2lyW`dK9zvOfNq+a5%;OV zd~Bb;6t62cZ9jMe;dtKa_k)y$!aJ-%^q3Xt3=dBIfso!9O(yT4WgR5%p!II(=B!r0 zb(vt>F`I?x78VL6hQp2fp`{BmZj+D>vX1JXfBo?r?-WL<`FsAV9{MvKPi zt~;IxGhW~Z+uS1UU*p#%?+&(%Lk3capNW=e#>Va|gKMTkIpJ1x2MIS9-c23#OWAlV zq(C9d6a>vQ{1pPu#s&P9#b5?53?|d?AC7>pZYZZ|3c&;ZDkEo**)(tkHU;_u(o)zh zQ%W19n30Bo2j#je0_r);Xdk##a;P^BB6cX(>tenr*Y1XUa #include +#include class NumberTreeDetails: public NNTreeDetails { @@ -235,6 +236,7 @@ QPDFNumberTreeObjectHelper::findObjectAtOrBelow( return false; } oh = i->second; + QIntC::range_check_substract(idx, i->first); offset = idx - i->first; return true; }
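Review bot: The added `QIntC::range_check_substract(idx, i->first);` runs after `oh = i->second;`, so when it throws the caller's `oh` has already been overwritten while `offset` is left untouched, leaving the two out-parameters inconsistent on the failure path. Moving the check above the assignment, i.e. `QIntC::range_check_substract(idx, i->first);` then `oh = i->second;` then `offset = idx - i->first;`, keeps both outputs unmodified whenever the subtraction is rejected. A short why-comment would also help, since nothing at this call site says where the operands come from (presumably the number tree's keys as parsed from the document) or that the subtraction would otherwise be signed-overflow UB: `// idx and the tree keys are untrusted input; reject the subtraction before it can overflow (fuzz issue 37740)`. The rest of findObjectAtOrBelow, including its earlier branches, lies outside the hunk, so I have not checked whether other arithmetic on `i->first` there needs the same guard.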