Add extra sanity check on pages tree

Reject non-dictionary Page and Pages objects. Also add additional qpdf_fuzzer test cases.
2024-12-22 10:58:58 +00:00 · 2024-07-10 18:00:36 +01:00 · 2024-07-10 18:00:36 +01:00 · c2c1618e08
commit c2c1618e08
parent 2b6500ea17
6 changed files with 8 additions and 1 deletions
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@ -124,7 +124,10 @@ set(CORPUS_OTHER
  69969.fuzz
  69977.fuzz
  69977a.fuzz
  69977b.fuzz
  69977c.fuzz
  70055.fuzz
  4599089157701632.fuzz
 )
 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)
--- a/fuzz/qpdf_extra/4599089157701632.fuzz
+++ b/fuzz/qpdf_extra/4599089157701632.fuzz
--- a/fuzz/qpdf_extra/69977b.fuzz
+++ b/fuzz/qpdf_extra/69977b.fuzz
--- a/fuzz/qpdf_extra/69977c.fuzz
+++ b/fuzz/qpdf_extra/69977c.fuzz
--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@ -21,7 +21,7 @@ my @fuzzers = (
    ['pngpredictor' => 1],
    ['runlength' => 6],
    ['tiffpredictor' => 2],
-    ['qpdf' => 67],             # increment when adding new files
+    ['qpdf' => 70],             # increment when adding new files
    );
 my $n_tests = 0;
--- a/libqpdf/QPDF_pages.cc
+++ b/libqpdf/QPDF_pages.cc
@ -98,6 +98,10 @@ QPDF::getAllPagesInternal(
    int n = kids.getArrayNItems();
    for (int i = 0; i < n; ++i) {
        auto kid = kids.getArrayItem(i);
        if (!kid.isDictionary()) {
            kid.warnIfPossible("Pages tree includes non-dictionary object; removing");
            continue;
        }
        if (kid.hasKey("/Kids")) {
            getAllPagesInternal(kid, visited, seen, media_box);
        } else {