Fix fuzz issue 16953 (overflow checking in xref stream index)

2019-09-17 19:48:27 -04:00 · 2019-09-17 19:48:27 -04:00 · bb83e65193
parent 17d431dfd5
commit bb83e65193
2 changed files with 12 additions and 1 deletions
--- a/fuzz/qpdf_extra/16953.fuzz
+++ b/fuzz/qpdf_extra/16953.fuzz
@ -0,0 +1 @@
+                5 0 obj<</DecodeParms<</Columns 4/Predictor 12>>/Filter/Fl/Index[2147483641 13]/Size 0/Type/XRef/W[1 2 1]>>stream hÞbd`²D endstream startxref  6
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@ -5,6 +5,7 @@
 #include <map>
 #include <algorithm>
 #include <limits>
+#include <sstream>
 #include <stdlib.h>
 #include <string.h>
 #include <memory.h>
@ -1202,7 +1203,16 @@ QPDF::processXRefStream(qpdf_offset_t xref_offset, QPDFObjectHandle& xref_obj)
 	// based on /Index.  The generation number is 0 unless this is
 	// an uncompressed object record, in which case the generation
 	// number appears as the third field.
-	int obj = toI(indx.at(cur_chunk)) + chunk_count;
+	int obj = toI(indx.at(cur_chunk));
+        if ((std::numeric_limits<int>::max() - obj) < chunk_count)
+        {
+            std::ostringstream msg;
+            msg << "adding " << chunk_count << " to " << obj
+                << " while computing index in xref stream would cause"
+                << " an integer overflow";
+            throw std::range_error(msg.str());
+        }
+        obj += chunk_count;
 	++chunk_count;
 	if (chunk_count >= indx.at(cur_chunk + 1))
 	{
				`@ -0,0 +1 @@`
				5 0 obj<</DecodeParms<</Columns 4/Predictor 12>>/Filter/Fl/Index[2147483641 13]/Size 0/Type/XRef/W[1 2 1]>>stream hÞbd`²D endstream startxref 6