In QPDF::processXRefIndex check number of objects in subsection is > 0

Fixes oss-fuzz 70055
2024-11-09 14:50:58 +00:00 · 2024-07-06 16:09:50 +01:00 · 2024-07-06 16:09:50 +01:00 · c1cd3ec8a0
commit c1cd3ec8a0
parent ce2deaf185
4 changed files with 7 additions and 1 deletions
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@ -122,6 +122,7 @@ set(CORPUS_OTHER
  69913.fuzz
  69969.fuzz
  69977.fuzz
+  70055.fuzz
 )

 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)
--- a/fuzz/qpdf_extra/70055.fuzz
+++ b/fuzz/qpdf_extra/70055.fuzz
--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@ -21,7 +21,7 @@ my @fuzzers = (
    ['pngpredictor' => 1],
    ['runlength' => 6],
    ['tiffpredictor' => 2],
-    ['qpdf' => 64],             # increment when adding new files
+    ['qpdf' => 65],             # increment when adding new files
    );

 my $n_tests = 0;
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@ -1129,6 +1129,11 @@ QPDF::processXRefIndex(
            if (val.isInteger()) {
                if (i % 2) {
                    auto count = val.getIntValue();
+                    if (count <= 0) {
+                        throw damaged(
+                            "Cross-reference stream section claims to contain " +
+                            std::to_string(count) + " entries");
+                    }
                    // We are guarding against the possibility of num_entries * entry_size
                    // overflowing. We are not checking that entries are in ascending order as
                    // required by the spec, which probably should generate a warning. We are also