From c1684eae9144129027642f5069a0fd97f0559ec8 Mon Sep 17 00:00:00 2001
From: Jay Berkenbilt
Date: Thu, 22 Oct 2020 05:45:01 -0400
Subject: [PATCH] Check for overflow in page labels (fuzz issue 23599)
---
TODO | 1 -
fuzz/qpdf_extra/23599.fuzz | Bin 0 -> 369 bytes
libqpdf/QPDFPageLabelDocumentHelper.cc | 1 +
3 files changed, 1 insertion(+), 1 deletion(-)
create mode 100644 fuzz/qpdf_extra/23599.fuzz
diff --git a/TODO b/TODO
index a2854a2e..092dfe1f 100644
--- a/TODO
+++ b/TODO
@@ -65,7 +65,6 @@ Fuzz Errors * https://bugs.chromium.org/p/oss-fuzz/issues/detail?id= * New:
- * 23599: integer overflow: https://oss-fuzz.com/testcase?key=6290807920525312 * 23642: leak: https://oss-fuzz.com/testcase-detail/4906569690251264 * Ignoring these:
diff --git a/fuzz/qpdf_extra/23599.fuzz b/fuzz/qpdf_extra/23599.fuzz
new file mode 100644
index 0000000000000000000000000000000000000000..cd290b1a04fa366717a3bcc93df4b29cf854c618
GIT binary patch
literal 369
zcmX|-J5R$f6ona>ko+IcQVAy8aU3U7l%;}&SCugEP={18RZxgg;v&JX=h{v2;`{JD z=kpap$W&@UN2)?01Og+w@Kf6lc4B48c+>w{NTYe}oQKpJ0yP-lO!ga9_09xaT|WZs z*mAoM8Vmh)Z|~Zj9cEC@9}b^0-pUFlrW;&dRTYYuG~g3><547uQYH~9%XMmu&V?Zh zl9u$&vlSWLFz7TCx3Lp#X2OyS*3-|I1z)$m9o&AwxOW}Zo?l)wn%;s1Njr7{RSKHp ybVq@I__aHX9!ikFZQl_%Ib^}%{0yQ-N@3hX4U7
literal 0
HcmV?d00001
diff --git a/libqpdf/QPDFPageLabelDocumentHelper.cc b/libqpdf/QPDFPageLabelDocumentHelper.cc
index a650fa9c..4be9073f 100644
--- a/libqpdf/QPDFPageLabelDocumentHelper.cc
+++ b/libqpdf/QPDFPageLabelDocumentHelper.cc
@@ -53,6 +53,7 @@ QPDFPageLabelDocumentHelper::getLabelForPage(long long page_idx)
 {
 start = St.getIntValue();
 }
+ QIntC::range_check(start, offset);
 start += offset;
 result = QPDFObjectHandle::newDictionary();
 result.replaceOrRemoveKey("/S", S);
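Review bot: The added `QIntC::range_check(start, offset);` replaces the fuzzed signed-overflow UB with a thrown exception (as I recall the helper, it raises `std::range_error` when the sum would overflow), so an untrusted `/St` value near the `long long` limit now aborts the whole label lookup instead of being reported or skipped like other malformed entries. If callers of getLabelForPage are not written to expect a throw from it, consider catching the error here and treating the entry as having no usable label, or else document it on the declaration, e.g. `// Throws std::range_error if /St + offset would overflow (fuzz issue 23599).` A short why-comment above the check would also help the next reader, e.g. `// /St is attacker-controlled input; reject values whose sum with offset overflows`. The enclosing function begins before the hunk, so where `start` and `offset` are declared and how their ranges are otherwise validated is not visible here.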