From e85b98b7e8b8b330614fc31825c411260fc2eaef Mon Sep 17 00:00:00 2001
From: m-holger
Date: Tue, 30 Apr 2024 10:58:31 +0100
Subject: [PATCH] Guard against object id == std::numeric_limits in QPDF::insertReconstructedXrefEntry
---
 fuzz/CMakeLists.txt | 1 +
 fuzz/qpdf_extra/68374.fuzz | Bin 0 -> 392 bytes
 fuzz/qtest/fuzz.test | 2 +-
 libqpdf/QPDF.cc | 4 +++-
 4 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 fuzz/qpdf_extra/68374.fuzz
diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt
index 73ecced1..233a4571 100644
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -114,6 +114,7 @@ set(CORPUS_OTHER
 65681.fuzz
 65773.fuzz
 65777.fuzz
+ 68374.fuzz
 68377.fuzz
 )
diff --git a/fuzz/qpdf_extra/68374.fuzz b/fuzz/qpdf_extra/68374.fuzz
new file mode 100644
index 0000000000000000000000000000000000000000..748bad9283ec7892e530020df9441fc001c6f4f9
GIT binary patch
literal 392
zcmcC9u(L6+)75uzbIVROH{~iRO3chjE#l&`vEkAW%Fi!RFjX*62;$Pu;kUEn%1Yn@ zar2Y16o3jCfPjmE!G?ha$oRif-zPOMy(B|U!N3Tt1*pE*wxlREF_)L?E0 1], ['runlength' => 6], ['tiffpredictor' => 2], - ['qpdf' => 57], # increment when adding new files + ['qpdf' => 58], # increment when adding new files ); my $n_tests = 0;
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index d5e9c7c8..ed32b386 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -1195,7 +1195,9 @@ QPDF::insertFreeXrefEntry(QPDFObjGen og)
 void
 QPDF::insertReconstructedXrefEntry(int obj, qpdf_offset_t f1, int f2)
 {
- if (!(obj > 0 && 0 <= f2 && f2 < 65535)) {
+ // Various tables are indexed by object id, with potential size id + 1
+ constexpr static int max_id = std::numeric_limits::max() - 1;
+ if (!(obj > 0 && obj <= max_id && 0 <= f2 && f2 < 65535)) {
 QTC::TC("qpdf", "QPDF xref overwrite invalid objgen");
 return;
 }
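Review bot: The added comment in the QPDF.cc hunk says tables have "potential size id + 1" but not why that matters here: `obj` on this reconstruction path is parsed from a damaged file, so the bound is an overflow guard on untrusted input, and the comment should say so, e.g. `// obj is reconstructed from a damaged file; reject INT_MAX so that id + 1, used to size tables indexed by id, cannot overflow`. Because the new condition is folded into the existing `QTC::TC("qpdf", "QPDF xref overwrite invalid objgen")` branch, the coverage output cannot tell an out-of-range id (the 68374.fuzz case) from a bad generation; a separate coverage case for the id bound would keep the regression visible. `static constexpr int max_id` is the conventional specifier order for a local constant. The template argument of `std::numeric_limits` appears stripped in this rendering of the patch (also in the subject line); presumably it is `<int>`, matching the `int max_id` type.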