mirror of https://github.com/qpdf/qpdf.git synced 2024-11-14 00:34:03 +00:00

In QPDF::processXRefIndex check number of objects in subsection is > 0

Fixes oss-fuzz 70055
m-holger 2024-07-06 16:09:50 +01:00
parent ce2deaf185
commit c1cd3ec8a0
4 changed files with 7 additions and 1 deletions


@ -122,6 +122,7 @@ set(CORPUS_OTHER
69913.fuzz 69913.fuzz
69969.fuzz 69969.fuzz
69977.fuzz 69977.fuzz
70055.fuzz
) )
set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus) set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)

BIN
fuzz/qpdf_extra/70055.fuzz Normal file

Binary file not shown.


@ -21,7 +21,7 @@ my @fuzzers = (
['pngpredictor' => 1], ['pngpredictor' => 1],
['runlength' => 6], ['runlength' => 6],
['tiffpredictor' => 2], ['tiffpredictor' => 2],
['qpdf' => 64], # increment when adding new files ['qpdf' => 65], # increment when adding new files
); );
my $n_tests = 0; my $n_tests = 0;


@ -1129,6 +1129,11 @@ QPDF::processXRefIndex(
if (val.isInteger()) { if (val.isInteger()) {
if (i % 2) { if (i % 2) {
auto count = val.getIntValue(); auto count = val.getIntValue();
if (count <= 0) {
throw damaged(
"Cross-reference stream section claims to contain " +
std::to_string(count) + " entries");
}
// We are guarding against the possibility of num_entries * entry_size // We are guarding against the possibility of num_entries * entry_size
// overflowing. We are not checking that entries are in ascending order as // overflowing. We are not checking that entries are in ascending order as
// required by the spec, which probably should generate a warning. We are also // required by the spec, which probably should generate a warning. We are also
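Review bot: The new `count <= 0` check in QPDF::processXRefIndex has no comment saying why an empty or negative subsection has to be rejected, while the overflow guard directly below it is explained at length. A short comment above the check would help, for example `// A subsection must hold at least one entry; reject a zero or negative count before the range checks below.` The downstream failure that oss-fuzz 70055 triggered is not visible in this hunk, so the wording should be confirmed against that report. Because the check uses `throw damaged(...)` rather than a warning, it is also worth confirming that treating a zero-length subsection as fatal damage, instead of skipping it, is the intended behaviour. The function body starts and ends outside the hunk.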