author | Jay Berkenbilt <ejb@ql.org> | 2021-11-04 18:52:47 +0100 |
---|---|---|
committer | Jay Berkenbilt <ejb@ql.org> | 2021-11-04 19:03:24 +0100 |
commit | a84a0b248768dcbab7fc007bb22a258cac9e4131 (patch) | |
tree | 2d05c81cf62adef6192e5038c5a41639bb65730d | |
parent | ec09b914434b8dbc23bf6043b13ee5d5ecf4c2a6 (diff) | |
download | qpdf-a84a0b248768dcbab7fc007bb22a258cac9e4131.tar.zst |
Add range check in QPDFNumberTreeObjectHelper (fuzz issue 37740)
-rw-r--r-- | ChangeLog | 2 | ||||
-rw-r--r-- | fuzz/qpdf_extra/37740.fuzz | bin | 0 -> 12948 bytes | |||
-rw-r--r-- | libqpdf/QPDFNumberTreeObjectHelper.cc | 2 |
3 files changed, 4 insertions, 0 deletions
@@ -1,5 +1,7 @@
 2021-11-04 Jay Berkenbilt <ejb@ql.org>
+ * Add range check in QPDFNumberTreeObjectHelper (fuzz issue 37740).
+
 * Add QIntC::range_check_substract to do range checking on subtraction, which has different boundary conditions from addition.
diff --git a/fuzz/qpdf_extra/37740.fuzz b/fuzz/qpdf_extra/37740.fuzz
Binary files differ
new file mode 100644
index 00000000..64189f69
--- /dev/null
+++ b/fuzz/qpdf_extra/37740.fuzz
diff --git a/libqpdf/QPDFNumberTreeObjectHelper.cc b/libqpdf/QPDFNumberTreeObjectHelper.cc
index be2f2f16..7f510497 100644
--- a/libqpdf/QPDFNumberTreeObjectHelper.cc
+++ b/libqpdf/QPDFNumberTreeObjectHelper.cc
@@ -1,5 +1,6 @@
 #include <qpdf/QPDFNumberTreeObjectHelper.hh>
 #include <qpdf/NNTree.hh>
+#include <qpdf/QIntC.hh>
 class NumberTreeDetails: public NNTreeDetails
 {
@@ -235,6 +236,7 @@ QPDFNumberTreeObjectHelper::findObjectAtOrBelow(
 return false;
 }
 oh = i->second;
+ QIntC::range_check_substract(idx, i->first);
 offset = idx - i->first;
 return true;
 }
|
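Review bot: In the findObjectAtOrBelow hunk the new check runs after `oh = i->second;`, so if `QIntC::range_check_substract` reports failure by throwing (its return value is unused here, which suggests it does), the caller's `oh` has already been overwritten while `offset` is left unset. Placing the call above the assignment keeps both out-parameters untouched on the error path: `QIntC::range_check_substract(idx, i->first);` followed by `oh = i->second;`. A short comment such as `// i->first is read from the number tree; reject an overflow in idx - i->first before computing offset` would also record why the check precedes the subtraction, since the fuzz case in this commit implies the key can be attacker-chosen. The function's signature and the lookup that produces `i` lie outside the hunk, so the caller-visible effect of an exception here should be confirmed against them.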