Guard against object id == std::numeric_limits<int> in QPDF::insertReconstructedXrefEntry

2024-12-22 10:58:58 +00:00 · 2024-04-30 10:58:31 +01:00 · 2024-04-30 10:58:31 +01:00 · e85b98b7e8
commit e85b98b7e8
parent 60c7d594b8
4 changed files with 5 additions and 2 deletions
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@ -114,6 +114,7 @@ set(CORPUS_OTHER
  65681.fuzz
  65773.fuzz
  65777.fuzz
+  68374.fuzz
  68377.fuzz
 )

--- a/fuzz/qpdf_extra/68374.fuzz
+++ b/fuzz/qpdf_extra/68374.fuzz
--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@ -21,7 +21,7 @@ my @fuzzers = (
    ['pngpredictor' => 1],
    ['runlength' => 6],
    ['tiffpredictor' => 2],
-    ['qpdf' => 57],             # increment when adding new files
+    ['qpdf' => 58],             # increment when adding new files
    );

 my $n_tests = 0;
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@ -1195,7 +1195,9 @@ QPDF::insertFreeXrefEntry(QPDFObjGen og)
 void
 QPDF::insertReconstructedXrefEntry(int obj, qpdf_offset_t f1, int f2)
 {
-    if (!(obj > 0 && 0 <= f2 && f2 < 65535)) {
+    // Various tables are indexed by object id, with potential size id + 1
+    constexpr static int max_id = std::numeric_limits<int>::max() - 1;
+    if (!(obj > 0 && obj <= max_id && 0 <= f2 && f2 < 65535)) {
        QTC::TC("qpdf", "QPDF xref overwrite invalid objgen");
        return;
    }