Fix fuzz issues 15316 and 15390

author: Jay Berkenbilt <ejb@ql.org> 2019-08-27 23:57:38 +0200
committer: Jay Berkenbilt <ejb@ql.org> 2019-08-28 02:39:06 +0200
commit: dadf8307c83706c3b097bc4b1fe7b24defbebb8e (patch)
tree: f41f7efea70be70dccb5d9c08681e6d41b25e6b4
parent: 456c285b0277315537c0a402a8d35dff3bec3c10 (diff)
download: qpdf-dadf8307c83706c3b097bc4b1fe7b24defbebb8e.tar.zst
3 files changed, 9 insertions, 0 deletions
diff --git a/fuzz/qpdf_extra/15316.fuzz b/fuzz/qpdf_extra/15316.fuzz
new file mode 100644
index 00000000..0c29ddc2
--- /dev/null
+++ b/fuzz/qpdf_extra/15316.fuzz
@@ -0,0 +1,3 @@
+ 1 0 obj<<2147483647 0 R>>
+endobj
+trailer<</Root 1 0 R>>
+\ No newline at end of file
diff --git a/fuzz/qpdf_extra/15390.fuzz b/fuzz/qpdf_extra/15390.fuzz
new file mode 100644
index 00000000..e8233c9a
--- /dev/null
+++ b/fuzz/qpdf_extra/15390.fuzz
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index f6d16e4d..a774bd42 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -4,6 +4,7 @@
 #include <vector>
 #include <map>
 #include <algorithm>
+#include <limits>
 #include <stdlib.h>
 #include <string.h>
 #include <memory.h>
@@ -2151,6 +2152,11 @@ QPDFObjectHandle
 QPDF::makeIndirectObject(QPDFObjectHandle oh)
 {
     int max_objid = toI(getObjectCount());
+    if (max_objid == std::numeric_limits<int>::max())
+    {
+        throw std::range_error(
+            "max object id is too high to create new objects");
+    }
     QPDFObjGen next(max_objid + 1, 0);
     this->m->obj_cache[next] =
 	ObjCache(QPDFObjectHandle::ObjAccessor::getObject(oh), -1, -1);
author	Jay Berkenbilt <ejb@ql.org>	2019-08-27 23:57:38 +0200
committer	Jay Berkenbilt <ejb@ql.org>	2019-08-28 02:39:06 +0200
commit	dadf8307c83706c3b097bc4b1fe7b24defbebb8e (patch)
tree	f41f7efea70be70dccb5d9c08681e6d41b25e6b4
parent	456c285b0277315537c0a402a8d35dff3bec3c10 (diff)
download	qpdf-dadf8307c83706c3b097bc4b1fe7b24defbebb8e.tar.zst