From edf3509b7859d359f997b198ea6915e361c941d4 Mon Sep 17 00:00:00 2001
From: m-holger <m.holger@qpdf.org>
Date: Thu, 4 Jul 2024 15:08:11 +0100
Subject: [PATCH] Treat corrupt JPEG streams as unfilterable

---
 ChangeLog              | 35 ++++++++++++++++++++++++++++++-----
 include/qpdf/Pl_DCT.hh |  4 +++-
 libqpdf/Pl_DCT.cc      |  2 +-
 3 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 1eb89d74..2b31f8c2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,13 +1,38 @@
+2024-07-04  M Holger  <m.holger@qpdf.org>
+
+	* Treat corrupt JPEG streams as unfilterable. This avoids them 
+	getting uncompressed when writing PDF files with decode level all.
+
 2024-07-02  Jay Berkenbilt  <ejb@ql.org>
 
 	* Add QPDF::setMaxWarnings to set the maximum of warnings before
 	warning suppression.
 
-	* Add additional options to Pl_DCT construction to limit sizes and
-	memory usage of compression. These are generally exposed but are
-	primarily intended to support fuzz tests, which have explicit
-	memory limits that are smaller than what is commonly seen in the
-	wild with PDF files.
+	* Add static option to Pl_DCT to limit memory usage of 
+	decompression. The option is generally exposed but is primarily
+	intended to support fuzz tests, which have explicit memory limits
+	that are smaller than what is commonly seen in the wild with PDF
+	files.
+
+	* Add static option to Pl_DCT to control whether decompression of
+	corrupt JPEG data is attempted.
+
+2024-06-29  M Holger  <m.holger@qpdf.org>
+
+	* Bug fix: in QPDFOutlineObjectHelper detect loops in the list of 
+	direct children of an outline item.
+
+2024-06-27  M Holger  <m.holger@qpdf.org>
+
+	* Add sanity check in QPDF xref table reconstruction to reject 
+	objects with impossibly large object id in order to improve
+	handling of severely damaged PDF files.
+
+2024-06-25  M Holger  <m.holger@qpdf.org>
+
+	* Detect severely damaged PDF files early. After parsing the xref
+	table in QPDF throw a damagedPDF exception if the root of the pages
+	tree is not a dictionary.
 
 2024-06-07  Jay Berkenbilt  <ejb@ql.org>
 
diff --git a/include/qpdf/Pl_DCT.hh b/include/qpdf/Pl_DCT.hh
index d6f05ce6..077a1f92 100644
--- a/include/qpdf/Pl_DCT.hh
+++ b/include/qpdf/Pl_DCT.hh
@@ -39,7 +39,9 @@ class QPDF_DLL_CLASS Pl_DCT: public Pipeline
     QPDF_DLL
     static void setMemoryLimit(long limit);
 
-    // Treat corrupt data as a runtime error rather than attempting to decompress regardless.
+    // Treat corrupt data as a runtime error rather than attempting to decompress regardless. This
+    // is the qpdf default behaviour. To attempt to decompress corrupt data set 'treat_as_error' to
+    // false.
     // NB This is a static option affecting all Pl_DCT instances.
     QPDF_DLL
     static void setThrowOnCorruptData(bool treat_as_error);
diff --git a/libqpdf/Pl_DCT.cc b/libqpdf/Pl_DCT.cc
index 2944a684..0597fd09 100644
--- a/libqpdf/Pl_DCT.cc
+++ b/libqpdf/Pl_DCT.cc
@@ -22,7 +22,7 @@ namespace
     };
 
     long memory_limit{0};
-    bool throw_on_corrupt_data{false};
+    bool throw_on_corrupt_data{true};
 } // namespace
 
 static void