author | Jay Berkenbilt <ejb@ql.org> | 2019-11-04 00:54:39 +0100 |
---|---|---|
committer | Jay Berkenbilt <ejb@ql.org> | 2019-11-04 00:59:12 +0100 |
commit | 9094fb1f8eed9f869d2bf90d99e7ab9ac913d76c (patch) | |
tree | 9c9ae0ec8b2682038e8c7576339e083ad4f70f82 | |
parent | c590dbc38e367131e116cc527d73ac0c4cb5fe16 (diff) | |
download | qpdf-9094fb1f8eed9f869d2bf90d99e7ab9ac913d76c.tar.zst |
Fix two additional fuzz test cases
-rw-r--r-- | fuzz/qpdf_extra/18241.fuzz | bin | 0 -> 73 bytes | |||
-rw-r--r-- | fuzz/qpdf_extra/18247.fuzz | bin | 0 -> 569 bytes | |||
-rw-r--r-- | libqpdf/QPDF.cc | 5 |
3 files changed, 3 insertions, 2 deletions
diff --git a/fuzz/qpdf_extra/18241.fuzz b/fuzz/qpdf_extra/18241.fuzz
Binary files differ
new file mode 100644
index 00000000..c18cfe6c
--- /dev/null
+++ b/fuzz/qpdf_extra/18241.fuzz
diff --git a/fuzz/qpdf_extra/18247.fuzz b/fuzz/qpdf_extra/18247.fuzz
Binary files differ
new file mode 100644
index 00000000..35881392
--- /dev/null
+++ b/fuzz/qpdf_extra/18247.fuzz
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index 864ac2d5..09de87e3 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -688,7 +688,7 @@ QPDF::read_xref(qpdf_offset_t xref_offset)
 {
 max_obj = std::max(max_obj, *(this->m->deleted_objects.rbegin()));
 }
- if (size - 1 != max_obj)
+ if ((size < 1) || (size - 1 != max_obj))
 {
 QTC::TC("qpdf", "QPDF xref size mismatch");
 warn(QPDFExc(qpdf_e_damaged_pdf, this->m->file->getName(), "", 0,
@@ -1206,7 +1206,8 @@ QPDF::processXRefStream(qpdf_offset_t xref_offset, QPDFObjectHandle& xref_obj)
 // an uncompressed object record, in which case the generation
 // number appears as the third field.
 int obj = toI(indx.at(cur_chunk));
- if ((std::numeric_limits<int>::max() - obj) < chunk_count)
+ if ((obj < 0) ||
+ ((std::numeric_limits<int>::max() - obj) < chunk_count))
 {
 std::ostringstream msg;
 msg << "adding " << chunk_count << " to " << obj |
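Review bot: The added `size < 1` test in read_xref carries no comment explaining why it must come before `size - 1 != max_obj`, and the reason is not obvious from the line itself. If `size` is a signed value taken from the file's trailer (its declaration is outside the hunk), the subtraction is undefined at the minimum value and a non-positive size is never valid, so a comment such as `// reject a non-positive size before computing size - 1; damaged input can make the subtraction overflow` would keep the guard from being simplified away later. The branch only calls warn() and its remainder lies past the end of the hunk, so it is worth confirming that the code after the warning does not go on to use a non-positive `size`.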
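Review bot: With `obj < 0` folded into the overflow condition in processXRefStream, a negative object number read from the index is reported through the message that starts `msg << "adding " << chunk_count << " to " << obj`, which describes an addition that was never the actual problem. A separate branch with its own wording, or at least a comment like `// a negative obj is invalid and would also overflow max() - obj`, would keep the damaged-file diagnostic accurate for whoever triages the next fuzz case. Whether `chunk_count` can itself be negative is not visible in this hunk; if it can, it still passes this test unchanged. The message construction continues outside the hunk.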