author | Jay Berkenbilt <ejb@ql.org> | 2019-08-27 16:20:14 +0200 |
---|---|---|
committer | Jay Berkenbilt <ejb@ql.org> | 2019-08-27 17:26:25 +0200 |
commit | 9a095c5c76cdc14379a65f0e50dcccea30d425aa (patch) | |
tree | 6c72bfc3cbf72bf88a15878d627f422a0d889461 | |
parent | ac5e6de2e8692803b1c85cb79dd7c5497baf5f2e (diff) | |
download | qpdf-9a095c5c76cdc14379a65f0e50dcccea30d425aa.tar.zst |
Seek in two stages to avoid overflow
When seeking to a position based on a value read from the input, we are
prone to integer overflow (fuzz issue 15442). Seek in two stages to
move the overflow check into the input source code.
-rw-r--r-- | libqpdf/QPDF.cc | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc index 28af689a..f6d16e4d 100644 --- a/libqpdf/QPDF.cc +++ b/libqpdf/QPDF.cc @@ -1632,7 +1632,9 @@ QPDF::readObject(PointerHolder<InputSource> input, } length = toS(length_obj.getUIntValue()); - input->seek(stream_offset + toO(length), SEEK_SET); + // Seek in two steps to avoid potential integer overflow + input->seek(stream_offset, SEEK_SET); + input->seek(toO(length), SEEK_CUR); if (! (readToken(input) == QPDFTokenizer::Token( QPDFTokenizer::tt_word, "endstream"))) |
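Review bot: the second call, `input->seek(toO(length), SEEK_CUR)`, still adds the input-supplied `length` to the current position, so this is safe only if every InputSource implementation checks that addition inside its own seek, and nothing in these lines shows that check. The new comment should state that the SEEK_CUR step relies on the input source rejecting an out-of-range offset, rather than only saying "two steps". Consider also comparing `length` against the remaining input size before the seek, and adding the file from fuzz issue 15442 as a regression test so the overflow path stays covered.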