aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJay Berkenbilt <ejb@ql.org>2019-08-26 03:23:19 +0200
committerJay Berkenbilt <ejb@ql.org>2019-08-26 04:52:25 +0200
commit6bc4cc3d48dd2216c9415215967e46d429b7f6b1 (patch)
tree97d2a2d84951b0fd09abba81691d86edd367242f
parent94e86e252843e500fe3ef750203bfa7d31cab4ce (diff)
downloadqpdf-6bc4cc3d48dd2216c9415215967e46d429b7f6b1.tar.zst
Fix fuzz issue 15475
-rw-r--r--fuzz/lzw_fuzzer_seed_corpus/a19f987b885f5a96069f4bc7f12b9e84ceba7dfa1
-rw-r--r--fuzz/qtest/fuzz.test2
-rw-r--r--libqpdf/Pl_LZWDecoder.cc16
3 files changed, 13 insertions, 6 deletions
diff --git a/fuzz/lzw_fuzzer_seed_corpus/a19f987b885f5a96069f4bc7f12b9e84ceba7dfa b/fuzz/lzw_fuzzer_seed_corpus/a19f987b885f5a96069f4bc7f12b9e84ceba7dfa
new file mode 100644
index 00000000..f96c401f
--- /dev/null
+++ b/fuzz/lzw_fuzzer_seed_corpus/a19f987b885f5a96069f4bc7f12b9e84ceba7dfa
@@ -0,0 +1 @@
+ÿÿ \ No newline at end of file
diff --git a/fuzz/qtest/fuzz.test b/fuzz/qtest/fuzz.test
index 83756de4..26ae4f10 100644
--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -23,7 +23,7 @@ my @fuzzers = (
['dct' => 1],
['flate' => 1],
['hex' => 1],
- ['lzw' => 1],
+ ['lzw' => 2],
['pngpredictor' => 1],
['runlength' => 6],
['tiffpredictor' => 1],
diff --git a/libqpdf/Pl_LZWDecoder.cc b/libqpdf/Pl_LZWDecoder.cc
index 6cc87048..81069da6 100644
--- a/libqpdf/Pl_LZWDecoder.cc
+++ b/libqpdf/Pl_LZWDecoder.cc
@@ -107,7 +107,7 @@ Pl_LZWDecoder::getFirstChar(unsigned int code)
unsigned int idx = code - 258;
if (idx >= table.size())
{
- throw std::logic_error(
+ throw std::runtime_error(
"Pl_LZWDecoder::getFirstChar: table overflow");
}
Buffer& b = table.at(idx);
@@ -115,7 +115,7 @@ Pl_LZWDecoder::getFirstChar(unsigned int code)
}
else
{
- throw std::logic_error(
+ throw std::runtime_error(
"Pl_LZWDecoder::getFirstChar called with invalid code (" +
QUtil::int_to_string(code) + ")");
}
@@ -140,7 +140,7 @@ Pl_LZWDecoder::addToTable(unsigned char next)
unsigned int idx = this->last_code - 258;
if (idx >= table.size())
{
- throw std::logic_error(
+ throw std::runtime_error(
"Pl_LZWDecoder::addToTable: table overflow");
}
Buffer& b = table.at(idx);
@@ -149,7 +149,7 @@ Pl_LZWDecoder::addToTable(unsigned char next)
}
else
{
- throw std::logic_error(
+ throw std::runtime_error(
"Pl_LZWDecoder::addToTable called with invalid code (" +
QUtil::int_to_string(this->last_code) + ")");
}
@@ -239,7 +239,13 @@ Pl_LZWDecoder::handleCode(unsigned int code)
}
else
{
- Buffer& b = table.at(code - 258);
+ unsigned int idx = code - 258;
+ if (idx >= table.size())
+ {
+ throw std::runtime_error(
+ "Pl_LZWDecoder::handleCode: table overflow");
+ }
+ Buffer& b = table.at(idx);
getNext()->write(b.getBuffer(), b.getSize());
}
}