author | Jay Berkenbilt <ejb@ql.org> | 2019-09-18 01:48:27 +0200 |
---|---|---|
committer | Jay Berkenbilt <ejb@ql.org> | 2019-09-18 01:48:47 +0200 |
commit | bb83e65193684b5a7521fa77ffb87ad82e49564c (patch) | |
tree | 8189870286f2f24cb252c490f0f46b3730a2ed3c | |
parent | 17d431dfd5c695eec5f8ff6e023b847b46d9d521 (diff) | |
download | qpdf-bb83e65193684b5a7521fa77ffb87ad82e49564c.tar.zst |
Fix fuzz issue 16953 (overflow checking in xref stream index)
-rw-r--r-- | fuzz/qpdf_extra/16953.fuzz | 1 | ||||
-rw-r--r-- | libqpdf/QPDF.cc | 12 |
2 files changed, 12 insertions, 1 deletions
diff --git a/fuzz/qpdf_extra/16953.fuzz b/fuzz/qpdf_extra/16953.fuzz
new file mode 100644
index 00000000..56d2295a
--- /dev/null
+++ b/fuzz/qpdf_extra/16953.fuzz
@@ -0,0 +1 @@
+ 5 0 obj<</DecodeParms<</Columns 4/Predictor 12>>/Filter/Fl/Index[2147483641 13]/Size 0/Type/XRef/W[1 2 1]>>stream hÞbd`²D endstream startxref 6
\ No newline at end of file
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index 511081a8..a484fdc4 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -5,6 +5,7 @@
 #include <map>
 #include <algorithm>
 #include <limits>
+#include <sstream>
 #include <stdlib.h>
 #include <string.h>
 #include <memory.h>
@@ -1202,7 +1203,16 @@ QPDF::processXRefStream(qpdf_offset_t xref_offset, QPDFObjectHandle& xref_obj)
         // based on /Index. The generation number is 0 unless this is
         // an uncompressed object record, in which case the generation
         // number appears as the third field.
-        int obj = toI(indx.at(cur_chunk)) + chunk_count;
+        int obj = toI(indx.at(cur_chunk));
+        if ((std::numeric_limits<int>::max() - obj) < chunk_count)
+        {
+            std::ostringstream msg;
+            msg << "adding " << chunk_count << " to " << obj
+                << " while computing index in xref stream would cause"
+                << " an integer overflow";
+            throw std::range_error(msg.str());
+        }
+        obj += chunk_count;
         ++chunk_count;
         if (chunk_count >= indx.at(cur_chunk + 1))
         {
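Review bot: The new guard `(std::numeric_limits<int>::max() - obj) < chunk_count` can itself overflow when `obj` is negative: `toI` rejects values that do not fit in an int, but nothing in this hunk rejects a negative /Index start, so a value near INT_MIN makes `max - obj` a signed overflow (undefined behaviour) before the comparison runs. Unless /Index entries are validated as non-negative earlier in processXRefStream (outside the hunk), the check should reject that case first: `if (obj < 0 || (std::numeric_limits<int>::max() - obj) < chunk_count)`. The subtraction also presumes `chunk_count` is non-negative, which holds for the `++chunk_count` loop visible here but is worth a one-line comment on the guard. processXRefStream begins and ends outside the hunk.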