authorJay Berkenbilt <ejb@ql.org>2019-08-27 16:20:14 +0200
committerJay Berkenbilt <ejb@ql.org>2019-08-27 17:26:25 +0200
commit9a095c5c76cdc14379a65f0e50dcccea30d425aa (patch)
tree6c72bfc3cbf72bf88a15878d627f422a0d889461
parentac5e6de2e8692803b1c85cb79dd7c5497baf5f2e (diff)
Seek in two stages to avoid overflow
When seeking to a position based on a value read from the input, we are prone to integer overflow (fuzz issue 15442). Seek in two stages so that the overflow check is performed by the input source code rather than by this caller.
-rw-r--r--libqpdf/QPDF.cc4
1 files changed, 3 insertions, 1 deletions
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index 28af689a..f6d16e4d 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -1632,7 +1632,9 @@ QPDF::readObject(PointerHolder<InputSource> input,
}
length = toS(length_obj.getUIntValue());
- input->seek(stream_offset + toO(length), SEEK_SET);
+ // Seek in two steps to avoid potential integer overflow
+ input->seek(stream_offset, SEEK_SET);
+ input->seek(toO(length), SEEK_CUR);
if (! (readToken(input) ==
QPDFTokenizer::Token(
QPDFTokenizer::tt_word, "endstream")))