2
1
mirror of https://github.com/qpdf/qpdf.git synced 2025-01-08 17:24:06 +00:00

Fix fuzz issue 15442 (overflow checking in BufferInputSource)

This commit is contained in:
Jay Berkenbilt 2019-08-27 10:46:06 -04:00
parent 9a095c5c76
commit ad8081daf5
3 changed files with 27 additions and 11 deletions

View File

@ -0,0 +1 @@
trailer<</Length 9223372036854775807>>stream

View File

@ -54,7 +54,7 @@ class BufferInputSource: public InputSource
virtual void unreadCh(char ch); virtual void unreadCh(char ch);
private: private:
qpdf_offset_t const bufSizeAsOffset() const; static void range_check(qpdf_offset_t cur, qpdf_offset_t delta);
class Members class Members
{ {
@ -72,6 +72,7 @@ class BufferInputSource: public InputSource
std::string description; std::string description;
Buffer* buf; Buffer* buf;
qpdf_offset_t cur_offset; qpdf_offset_t cur_offset;
qpdf_offset_t max_offset;
}; };
PointerHolder<Members> m; PointerHolder<Members> m;

View File

@ -3,6 +3,8 @@
#include <string.h> #include <string.h>
#include <stdexcept> #include <stdexcept>
#include <algorithm> #include <algorithm>
#include <limits>
#include <sstream>
BufferInputSource::Members::Members(bool own_memory, BufferInputSource::Members::Members(bool own_memory,
std::string const& description, std::string const& description,
@ -10,7 +12,8 @@ BufferInputSource::Members::Members(bool own_memory,
own_memory(own_memory), own_memory(own_memory),
description(description), description(description),
buf(buf), buf(buf),
cur_offset(0) cur_offset(0),
max_offset(buf ? QIntC::to_offset(buf->getSize()) : 0)
{ {
} }
@ -29,6 +32,7 @@ BufferInputSource::BufferInputSource(std::string const& description,
m(new Members(true, description, 0)) m(new Members(true, description, 0))
{ {
this->m->buf = new Buffer(contents.length()); this->m->buf = new Buffer(contents.length());
this->m->max_offset = QIntC::to_offset(this->m->buf->getSize());
unsigned char* bp = this->m->buf->getBuffer(); unsigned char* bp = this->m->buf->getBuffer();
memcpy(bp, contents.c_str(), contents.length()); memcpy(bp, contents.c_str(), contents.length());
} }
@ -41,12 +45,6 @@ BufferInputSource::~BufferInputSource()
} }
} }
qpdf_offset_t const
BufferInputSource::bufSizeAsOffset() const
{
return QIntC::to_offset(this->m->buf->getSize());
}
qpdf_offset_t qpdf_offset_t
BufferInputSource::findAndSkipNextEOL() BufferInputSource::findAndSkipNextEOL()
{ {
@ -54,7 +52,7 @@ BufferInputSource::findAndSkipNextEOL()
{ {
throw std::logic_error("INTERNAL ERROR: BufferInputSource offset < 0"); throw std::logic_error("INTERNAL ERROR: BufferInputSource offset < 0");
} }
qpdf_offset_t end_pos = bufSizeAsOffset(); qpdf_offset_t end_pos = this->m->max_offset;
if (this->m->cur_offset >= end_pos) if (this->m->cur_offset >= end_pos)
{ {
this->last_offset = end_pos; this->last_offset = end_pos;
@ -102,6 +100,20 @@ BufferInputSource::tell()
return this->m->cur_offset; return this->m->cur_offset;
} }
void
BufferInputSource::range_check(qpdf_offset_t cur, qpdf_offset_t delta)
{
if ((delta > 0) &&
((std::numeric_limits<qpdf_offset_t>::max() - cur) < delta))
{
std::ostringstream msg;
msg << "seeking forward from " << cur
<< " by " << delta
<< " would cause an overflow of the offset type";
throw std::range_error(msg.str());
}
}
void void
BufferInputSource::seek(qpdf_offset_t offset, int whence) BufferInputSource::seek(qpdf_offset_t offset, int whence)
{ {
@ -112,10 +124,12 @@ BufferInputSource::seek(qpdf_offset_t offset, int whence)
break; break;
case SEEK_END: case SEEK_END:
this->m->cur_offset = bufSizeAsOffset() + offset; range_check(this->m->max_offset, offset);
this->m->cur_offset = this->m->max_offset + offset;
break; break;
case SEEK_CUR: case SEEK_CUR:
range_check(this->m->cur_offset, offset);
this->m->cur_offset += offset; this->m->cur_offset += offset;
break; break;
@ -145,7 +159,7 @@ BufferInputSource::read(char* buffer, size_t length)
{ {
throw std::logic_error("INTERNAL ERROR: BufferInputSource offset < 0"); throw std::logic_error("INTERNAL ERROR: BufferInputSource offset < 0");
} }
qpdf_offset_t end_pos = bufSizeAsOffset(); qpdf_offset_t end_pos = this->m->max_offset;
if (this->m->cur_offset >= end_pos) if (this->m->cur_offset >= end_pos)
{ {
this->last_offset = end_pos; this->last_offset = end_pos;